Martin Atkins (mart) wrote in apparentlymart,


A couple of people have pointed me at this new-fangled Clickpass thing. The general impression I get is that no-one is really sure exactly what it is and what it's for.

Clickpass seems to fundamentally be an OpenID Provider. You can sign up to them and then you can sign in to other sites that support OpenID. They'll give users a 1.1-enabled identifier like which will work in any standard OpenID login form.

Where things get interesting is that they want you to add a special button to your site to allow users to log in without entering their OpenID identifier. This is effectively what "directed identity" achieves in OpenID 2.0, but recall that they have only implemented 1.1. This button submits to their site, not yours. They then determine the identity of the user and fake a request as if the user entered their identifier into your login form. In order for this to work, you must have already entered into a business relationship with Clickpass via their website and told them how your login form works. You'll then bounce the user to the provider for the submitted URL as normal, and they'll bounce them back to your normal return_to endpoint as you'd expect.

The other service they provide is that they'll implement a user registration UI for you. If you wish -- and if you create a few proprietary callbacks for their software to talk to -- you can redirect unrecognised OpenID users over to their enrollment form, and they'll pre-fill it with the user's profile information. Once submitted, they'll then send this data over to your callback so you can create the account with the entered profile information. This is essentially a proprietary re-invention of what the Simple Registration Extension achieves. Similarly, they provide a UI for adding an OpenID login to an existing user account, but in the process they ask the user to submit their account credentials for your site to a form on, which they then proxy through to you. Scary stuff.

These two facets of Clickpass seem to be largely separate. You can implement their crazy button to allow their users to log in without entering their identifier while retaining your own enrollment form. You can also use their enrollment form to sign up users with OpenID Identifiers from other providers. You can also, of course, just accept their identifiers as normal without implementing their crazy button, though they don't make much of an effort to educate their users on how to do this.

It seems to me that almost all of these extra Clickpass features are really just needless re-implementations of existing OpenID standards. Yahoo! has a similar custom login button, but they use OpenID 2.0 Directed Identity to make theirs work. The Simple Registration Extension is able to handle the automatic entry of user profile information even in OpenID 1.1. In order to support this functionality with Clickpass users, you must add to your site extra callback code specifically for Clickpass. The form they provide for associating an OpenID with an existing user account at your site is just downright scary: they're encouraging users to give their credentials from your site to a form in their domain. Even if Clickpass is trustworthy and doesn't abuse this data, it's still teaching users the bad habit of giving out their account credentials willy-nilly.

I strongly encourage Clickpass to implement OpenID 2.0 with directed identity and the simple registration extension. This will make it far easier for sites to support Clickpass users, using the existing infrastructure they have to handle standard OpenID providers. It shouldn't be necessary to get an account with Clickpass just to accept their identifiers in a user-friendly way. They would also benefit from more instructions at their site on how to deal with OpenID forms without a Clickpass-specific login button; right now they've got nowhere near the critical mass for most sites to consider a special case for them as they might for AOL, Yahoo! or LiveJournal.
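For comparison, here is what a provider-specific login button looks like on the relying-party side when it is built on OpenID 2.0 directed identity plus Simple Registration, with no provider-specific callbacks. This is an added sketch, not code from Clickpass or any OpenID library; the `op.example` and `rp.example` URLs, the function names, the `sreg` alias and the `discover` callable are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
SREG_NS = "http://openid.net/extensions/sreg/1.1"


def directed_identity_request(op_endpoint, return_to, realm, sreg_optional=()):
    """Redirect URL for a provider-branded button: the RP does not know the
    identifier yet, so it sends identifier_select and the OP chooses one."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    if sreg_optional:  # Simple Registration: ask for profile fields in-band
        params["openid.ns.sreg"] = SREG_NS
        params["openid.sreg.optional"] = ",".join(sreg_optional)
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)


def accept_assertion(response, expected_op, discover):
    """Directed-identity checks on a positive assertion. `discover` maps a
    claimed identifier to the OP endpoint that discovery on it yields.
    Signature, nonce and return_to verification are assumed done elsewhere."""
    claimed = response.get("openid.claimed_id", "")
    if response.get("openid.mode") != "id_res" or claimed in ("", IDENTIFIER_SELECT):
        return None
    # The OP picked the identifier, so confirm it is authoritative for it.
    if response.get("openid.op_endpoint") != expected_op or discover(claimed) != expected_op:
        return None
    prefix = "openid.sreg."  # assumes the extension alias "sreg"
    sreg = {k[len(prefix):]: v for k, v in response.items() if k.startswith(prefix)}
    return claimed, sreg


if __name__ == "__main__":
    OP = "https://op.example/openid"  # constructed endpoint, not a real provider
    print(directed_identity_request(OP, "https://rp.example/return",
                                    "https://rp.example/", ("nickname", "email")))
    reply = {"openid.mode": "id_res", "openid.op_endpoint": OP,  # constructed
             "openid.claimed_id": "https://op.example/u/alice",
             "openid.sreg.nickname": "alice"}
    print(accept_assertion(reply, OP, {"https://op.example/u/alice": OP}.get))
```

The discovery check in `accept_assertion` is what keeps a provider from asserting an identifier it does not host, which matters precisely because the relying party never saw the identifier before the redirect.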

