The Clickpass Connection Button

This is an entirely optional piece of UI that simply makes it easy for your existing users to link their accounts to Clickpass. You can drop the button onto any page and it will enable the user to connect the two accounts in a single click.
How the button works
- User logs into your site
- User clicks on connect button
- Connection button submits OpenID to your site
- Your site registers the OpenID with the current user
- User can use Clickpass to access your site
Enabling the button
In order to enable the connection button you need to create a URL that will add an OpenID to the current user.
This is slightly different from the previously described URLs for adding an OpenID to a user in that it operates on the current session and therefore does not need a username and password, as the user is already authenticated.
You should still authenticate the OpenID though and will need to process it in a similar way to begin/end_add_openid_to_user.
Creating the button
Go to the developer's section and get going.
Notes on security
Enabling an OpenID to be added to the current user's session must be done using a nonce or your site may be subject to attack from a malicious foreign site.
- User visits your site and logs in
- User visits MaliciousSite.com which submits a http://MaliciousSite.com/OpenID to your site
- Your site adds http://MaliciousSite.com/OpenID to current user
- MaliciousSite.com now has a backdoor to your user
Nonce-protection
This attack is not unique to OpenID and a normal password-change field can be attacked in the same way. It is easily prevented though by adding a nonce to the variables in the form that submits the OpenID.
In the case of the Clickpass connect button, this nonce can be passed into the button as a parameter and will be submitted along with the user's OpenID when they choose to connect.
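One way to implement the nonce check described above, as an added example that is not Clickpass's own code: the nonce is an HMAC bound to the logged-in session, expires after a short time and can be used only once. The function names, the `nonce` and `openid` form field names, the dict-based session and the 600-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; load it from configuration in a real deployment.
SERVER_KEY = secrets.token_bytes(32)
NONCE_TTL = 600  # seconds a nonce stays valid (assumed value)
_used = set()    # spent nonces; use a shared store with expiry in production


def issue_nonce(session_id, now=None):
    """Return a nonce bound to session_id, to pass into the button as a parameter."""
    ts = str(int(now if now is not None else time.time()))
    rand = secrets.token_hex(16)
    msg = f"{session_id}|{ts}|{rand}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{rand}.{mac}"


def verify_nonce(session_id, nonce, now=None):
    """True only for a fresh, unused nonce that was issued to this session."""
    try:
        ts, rand, mac = nonce.split(".")
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    msg = f"{session_id}|{ts}|{rand}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged, or issued to a different session
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= NONCE_TTL or nonce in _used:
        return False  # expired or replayed
    _used.add(nonce)
    return True


def add_openid_to_current_user(session, form, linked):
    """Handle the button's submission; session, form and linked are plain dicts here."""
    if not verify_nonce(session["id"], form.get("nonce", "")):
        return False  # submission from a foreign site carries no valid nonce
    # The OpenID itself must still be authenticated before linking (omitted here).
    linked.setdefault(session["user"], []).append(form["openid"])
    return True
```
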