
Merge Accounts

URLs required on your site

Why you need to add account merging

Most people installing OpenID already have an existing login system. When you add a second one, you need to make sure that users don't end up with duplicate accounts.

Let's say that Paul is a new user to your site. He arrives and clicks the Clickpass button, which sends you an OpenID, and you create a new account for him.

Next, though, comes Peter. Peter has both a Clickpass account and an account with your site, and he wants to start using Clickpass to access your site. This time you need to be sure that Peter connects to his existing account and doesn't accidentally create a new one.

How Clickpass prevents duplicate accounts

Merge new OpenID user with existing account

We ask the user. The first page a user sees at signup asks them whether they've got an existing account or want a new one. We then deal with them accordingly.

The only thing you need to do is provide us with a URL that can be used to merge Clickpass accounts with existing accounts.

Process

  1. Authenticate the request (using username and password)
  2. Add the OpenID to the list of OpenIDs for that user
  3. If all is well, log in the user; otherwise redirect back to Clickpass with errors

add_openid_to_user

http://yoursite.com/<OpenID directory>/add_openid_to_user/

Description

The purpose of this URL is to check the username and password and register a new OpenID as belonging to a particular user.

Parameters your URL should accept

Submission method: POST

  • openid_url - the OpenID to be authenticated
  • user_id - the primary key (i.e. username / email) for the user
  • password - the password for the user
  • clickpass_merge_callback_url - a URL at the OpenID provider (i.e. Clickpass) to process the outcome of the process

Return behaviour

If authentication of username/password is correct AND openid_url matches previously authenticated OpenID

Attach OpenID to user
Log in the user to their account

ELSE

Redirect to clickpass_merge_callback_url suffixing "userid_authenticated=false" or "openid_authenticated=false"

Example failed authentication redirect: http://clickpass.com/openid_server/process_add_openid_to_user_result?userid_authenticated=false

Pseudo code example
http://yoursite.com/<OpenID directory>/add_openid_to_user/

    // define variables
    clickpass_merge_callback_url = POST.clickpass_merge_callback_url
    user_id = POST.user_id
    password = POST.password
    openid_url = POST.openid_url
    authenticated_openid_url = SESSION.authenticatedOpenID

    // authenticate the username against user_id provided
    if ( Database.authenticate( user_id, password ) )

        // Check that OpenID is authenticated
        if ( openid_url == authenticated_openid_url )

            // Connect OpenID to user and log user in
            Database.addOpenidToUser( user_id, openid_url )
            user.completeLogin( )

        else

            // Redirect the user to Clickpass with notice of OpenID authentication failure
            clickpass_merge_callback_url.queryString.addParameter( 'openid_authenticated', 'false' )
            redirect_to( clickpass_merge_callback_url )

        end_if

    else

        // Redirect the user to Clickpass with notice of user authentication failure
        clickpass_merge_callback_url.queryString.addParameter( 'userid_authenticated', 'false' )
        redirect_to( clickpass_merge_callback_url )

    end_if

    EXIT
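The same decision logic as a runnable Python sketch; this is an added example, not Clickpass code. It goes slightly beyond the pseudo code by refusing to redirect to a callback URL that is not on the provider's host and by treating a missing session OpenID as a failure. Assumptions: the allowlist containing clickpass.com (taken from the example redirect above), the hypothetical check_password and attach_openid callables standing in for your account store, and the returned (action, value) tuples.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: Clickpass is the only provider allowed to receive merge results.
ALLOWED_CALLBACK_HOSTS = {"clickpass.com"}

def callback_with_error(callback_url, error_param):
    """Append error_param=false to callback_url, keeping any existing query.
    Returns None unless the URL is http(s) on an allowed provider host."""
    try:
        parts = urlsplit(callback_url)
        host = parts.hostname  # lower-cased, without userinfo or port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or host not in ALLOWED_CALLBACK_HOSTS:
        return None
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((error_param, "false"))
    return urlunsplit(parts._replace(query=urlencode(query)))

def add_openid_to_user(post, session, check_password, attach_openid):
    """Decide the outcome of a merge POST.
    check_password and attach_openid are hypothetical stand-ins for the
    site's own account store. Returns ("login", user_id),
    ("redirect", url) or ("reject", None)."""
    user_id = post.get("user_id", "")
    openid_url = post.get("openid_url", "")
    verified = session.get("authenticatedOpenID")  # set by the OpenID library

    if not check_password(user_id, post.get("password", "")):
        failure = "userid_authenticated"
    elif not verified or openid_url != verified:
        # Covers the case where both values are missing and would compare equal.
        failure = "openid_authenticated"
    else:
        attach_openid(user_id, verified)
        return ("login", user_id)

    url = callback_with_error(post.get("clickpass_merge_callback_url", ""), failure)
    return ("redirect", url) if url else ("reject", None)

if __name__ == "__main__":
    # Constructed request: correct password, but no OpenID verified in the session.
    post = {"user_id": "peter", "password": "pw", "openid_url": "",
            "clickpass_merge_callback_url": "http://clickpass.com/openid_server/process_add_openid_to_user_result"}
    print(add_openid_to_user(post, {}, lambda u, p: (u, p) == ("peter", "pw"), lambda u, o: None))
```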
OAuth

We are not currently supporting OAuth for this feature, although we do plan to do so in the future.

Security consideration

In order that a user's user_id and password are secure, you are advised to operate this URL on HTTPS.
