6 files changed, 68 insertions, 21 deletions
diff --git a/src/DotNetOpenAuth/DotNetOpenAuth.csproj b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
index 7da3a47..4b0a843 100644
--- a/src/DotNetOpenAuth/DotNetOpenAuth.csproj
+++ b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
@@ -397,7 +397,7 @@
     <Compile Include="OpenId\Provider\HostProcessedRequest.cs" />
     <Compile Include="OpenId\Provider\IAnonymousRequest.cs" />
     <Compile Include="OpenId\Provider\IAuthenticationRequest.cs" />
-    <Compile Include="OpenId\Provider\IDirectedIdentityCustomIdentifier.cs" />
+    <Compile Include="OpenId\Provider\IDirectedIdentityIdentifierProvider.cs" />
     <Compile Include="OpenId\Provider\IHostProcessedRequest.cs" />
     <Compile Include="OpenId\Provider\IdentityEndpoint.cs" />
     <Compile Include="OpenId\Provider\IdentityEndpointNormalizationEventArgs.cs" />
diff --git a/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs b/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs
index 3d2836e..befc138 100644
--- a/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs
+++ b/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs
@@ -20,7 +20,7 @@ namespace DotNetOpenAuth.OpenId.Behaviors {
 	/// the <see cref="AuthenticationPolicies.PrivatePersonalIdentifier"/> authentication policy.</para>
 	/// <para>The static member <see cref="PpidGeneration.PpidIdentifierProvider"/> MUST
 	/// be set prior to any PPID requests come in.  Typically this should be set in the
-	/// <see cref="HttpApplication.Start"/> event handler in the global.asax.cs file.</para>
+	/// <c>Application_Start</c> method in the global.asax.cs file.</para>
 	/// </remarks>
 	[Serializable]
 	public sealed class PpidGeneration : IProviderBehavior {
@@ -57,13 +57,11 @@ namespace DotNetOpenAuth.OpenId.Behaviors {
 		/// from handling it; <c>false</c> to allow other behaviors to process this request.
 		/// </returns>
 		bool IProviderBehavior.OnOutgoingResponse(IAuthenticationRequest request) {
-						ErrorUtilities.VerifyArgumentNotNull(request, "request");
-
-			bool result = false;
+			ErrorUtilities.VerifyArgumentNotNull(request, "request");
 
 			// Nothing to do for negative assertions.
 			if (!request.IsAuthenticated.Value) {
-				return result;
+				return false;
 			}
 
 			var requestInternal = (Provider.AuthenticationRequest)request;
@@ -72,26 +70,33 @@ namespace DotNetOpenAuth.OpenId.Behaviors {
 			// Only apply our special policies if the RP requested it.
 			var papeRequest = request.GetExtension<PolicyRequest>();
 			if (papeRequest != null) {
-				var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
-				if (papeResponse == null) {
-					request.AddResponseExtension(papeResponse = new PolicyResponse());
-				}
-
 				if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
 					ErrorUtilities.VerifyProtocol(request.ClaimedIdentifier == request.LocalIdentifier, OpenIdStrings.DelegatingIdentifiersNotAllowed);
 
+					if (PpidIdentifierProvider == null) {
+						Logger.OpenId.Error(BehaviorStrings.PpidProviderNotGiven);
+						return false;
+					}
+
 					// Mask the user's identity with a PPID.
-					ErrorUtilities.VerifyHost(PpidIdentifierProvider != null, BehaviorStrings.PpidProviderNotGiven);
-					Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
-					requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
+					if (PpidIdentifierProvider.IsUserLocalIdentifier(request.LocalIdentifier)) {
+						Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
+						requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
+					}
 
 					// Indicate that the RP is receiving a PPID claimed_id
+					var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
+					if (papeResponse == null) {
+						request.AddResponseExtension(papeResponse = new PolicyResponse());
+					}
+
 					if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
 						papeResponse.ActualPolicies.Add(AuthenticationPolicies.PrivatePersonalIdentifier);
 					}
 				}
 			}
-			return result;
+
+			return false;
 		}
 
 		#endregion
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
index 5d9903f..27dacfd 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
@@ -70,6 +70,15 @@ namespace DotNetOpenAuth.OpenId {
         }
         
         /// <summary>
+        ///   Looks up a localized string similar to This is already a PPID Identifier..
+        /// </summary>
+        internal static string ArgumentIsPpidIdentifier {
+            get {
+                return ResourceManager.GetString("ArgumentIsPpidIdentifier", resourceCulture);
+            }
+        }
+        
+        /// <summary>
         ///   Looks up a localized string similar to The requested association type &apos;{0}&apos; with session type &apos;{1}&apos; is unrecognized or not supported by this Provider due to security requirements..
         /// </summary>
         internal static string AssociationOrSessionTypeUnrecognizedOrNotSupported {
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
index c9df6b3..bca813b 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
@@ -331,4 +331,7 @@ Discovered endpoint info:
   <data name="PropertyValueNotSupported" xml:space="preserve">
     <value>This property value is not supported by this control.</value>
   </data>
+  <data name="ArgumentIsPpidIdentifier" xml:space="preserve">
+    <value>This is already a PPID Identifier.</value>
+  </data>
 </root>
 \ No newline at end of file
diff --git a/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityCustomIdentifier.cs b/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityIdentifierProvider.cs
index 63f9cdf..de24f74 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityCustomIdentifier.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityIdentifierProvider.cs
@@ -1,5 +1,5 @@
 //-----------------------------------------------------------------------
-// <copyright file="IDirectedIdentityCustomIdentifier.cs" company="Andrew Arnott">
+// <copyright file="IDirectedIdentityIdentifierProvider.cs" company="Andrew Arnott">
 //     Copyright (c) Andrew Arnott. All rights reserved.
 // </copyright>
 //-----------------------------------------------------------------------
@@ -29,6 +29,15 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// openid.claimed_id and openid.local_id parameters.  Must not be null.
 		/// </returns>
 		Uri GetIdentifier(Identifier localIdentifier, Realm relyingPartyRealm);
+
+		/// <summary>
+		/// Determines whether a given identifier is the primary (non-PPID) local identifier for some user.
+		/// </summary>
+		/// <param name="identifier">The identifier in question.</param>
+		/// <returns>
+		/// 	<c>true</c> if the given identifier is the valid, unique identifier for some uesr (and NOT a PPID); otherwise, <c>false</c>.
+		/// </returns>
+		bool IsUserLocalIdentifier(Identifier identifier);
 	}
 
 	/// <summary>
@@ -55,6 +64,19 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			throw new NotImplementedException();
 		}
 
+		/// <summary>
+		/// Determines whether a given identifier is the primary (non-PPID) local identifier for some user.
+		/// </summary>
+		/// <param name="identifier">The identifier in question.</param>
+		/// <returns>
+		/// 	<c>true</c> if the given identifier is the valid, unique identifier for some uesr (and NOT a PPID); otherwise, <c>false</c>.
+		/// </returns>
+		public bool IsUserLocalIdentifier(Identifier identifier) {
+			Contract.Requires(identifier != null);
+
+			throw new NotImplementedException();
+		}
+
 		#endregion
 	}
 }
diff --git a/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs b/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs
index 43b258c..64d2908 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs
@@ -122,11 +122,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		public Uri GetIdentifier(Identifier localIdentifier, Realm relyingPartyRealm) {
 			ErrorUtilities.VerifyArgumentNotNull(localIdentifier, "localIdentifier");
 			ErrorUtilities.VerifyArgumentNotNull(relyingPartyRealm, "relyingPartyRealm");
-
-			if (localIdentifier.ToString().StartsWith(this.BaseIdentifier.AbsoluteUri, StringComparison.Ordinal)) {
-				Logger.OpenId.Warn("Trying to generate a PPID from a PPID.  Returning original PPID.");
-				return new Uri(localIdentifier);
-			}
+			ErrorUtilities.VerifyArgumentNamed(this.IsUserLocalIdentifier(localIdentifier), "localIdentifier", OpenIdStrings.ArgumentIsPpidIdentifier);
 
 			byte[] salt = this.GetHashSaltForLocalIdentifier(localIdentifier);
 			string valueToHash = localIdentifier + "#";
@@ -158,6 +154,18 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			return anonymousIdentifier;
 		}
 
+		/// <summary>
+		/// Determines whether a given identifier is the primary (non-PPID) local identifier for some user.
+		/// </summary>
+		/// <param name="identifier">The identifier in question.</param>
+		/// <returns>
+		/// 	<c>true</c> if the given identifier is the valid, unique identifier for some uesr (and NOT a PPID); otherwise, <c>false</c>.
+		/// </returns>
+		public virtual bool IsUserLocalIdentifier(Identifier identifier)
+		{
+			return !identifier.ToString().StartsWith(this.BaseIdentifier.AbsoluteUri, StringComparison.Ordinal);
+		}
+
 		#endregion
 
 		/// <summary>