May 8 at 7:33 am
"Hi Justindz,
The nonce-protection referred to here is specific to the connect button; this is at stage 3 at the bottom when you are creating the site through clickpass.com/developer.
The nonce is necessary to stop cross-site forgery attacks where someone could set the user's OpenID at a site without his/her consent.
It is fairly easy to set up: basically you create a user-specific nonce (a random number), store the nonce in the user's session and then pass it to the callback URL that you can see used in the connect button (it is the override_openid_callback_url parameter). When you get a connection request, check whether the nonce is correct before proceeding.
Many people opt initially not to show a connect button and add it in later to the user account page. It is very much an additional usability feature.
- Hope that helps, Immad" - Immad Akhund
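The nonce flow Immad describes, as an added example that is not part of the original comment and not ClickPass's own code: issue a random nonce, store it in the logged-in user's server-side session, carry it on the callback URL given as override_openid_callback_url, and refuse any connection request whose nonce does not match the session's copy. The name of the query parameter (`nonce`), the callback URL and the dict standing in for the session store are assumptions made for the example; the one-time-use pop and constant-time compare are the checks a practitioner would want, since a forged or replayed callback is exactly what the nonce exists to reject.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed session key; the session itself is whatever your framework stores
# server-side for the logged-in user (modelled here as a plain dict).
SESSION_NONCE_KEY = "clickpass_connect_nonce"

# Assumed query parameter name used to carry the nonce on the callback URL.
NONCE_PARAM = "nonce"


def issue_connect_nonce(session: dict) -> str:
    """Create a fresh, unguessable nonce and remember it in this user's session."""
    nonce = secrets.token_urlsafe(32)
    session[SESSION_NONCE_KEY] = nonce
    return nonce


def build_callback_url(base_callback_url: str, nonce: str) -> str:
    """Append the nonce to the URL that will be passed as override_openid_callback_url."""
    sep = "&" if urlparse(base_callback_url).query else "?"
    return base_callback_url + sep + urlencode({NONCE_PARAM: nonce})


def connect_button_params(session: dict, base_callback_url: str) -> dict:
    """Parameters to render into the connect button (only the override is shown;
    the other ClickPass button parameters are not modelled here)."""
    nonce = issue_connect_nonce(session)
    return {"override_openid_callback_url": build_callback_url(base_callback_url, nonce)}


def verify_connect_callback(session: dict, request_url: str) -> bool:
    """Return True only if the callback carries the nonce stored for this session.

    The nonce is removed on first use, so a replayed callback fails too. An
    attacker who tricks a victim into loading a callback URL cannot know the
    value in the victim's session, so a forged request fails the comparison.
    """
    expected = session.pop(SESSION_NONCE_KEY, None)
    if expected is None:
        return False  # no connect flow in progress for this user
    supplied = parse_qs(urlparse(request_url).query).get(NONCE_PARAM, [])
    if len(supplied) != 1:
        return False  # missing or duplicated parameter
    return hmac.compare_digest(expected, supplied[0])


if __name__ == "__main__":
    # Constructed walk-through: legitimate connect, then a replay and a forgery.
    session = {}
    params = connect_button_params(session, "https://example.com/openid/connect")
    callback = params["override_openid_callback_url"]
    print("legitimate:", verify_connect_callback(session, callback))   # True
    print("replay:", verify_connect_callback(session, callback))       # False

    victim_session = {}
    connect_button_params(victim_session, "https://example.com/openid/connect")
    forged = "https://example.com/openid/connect?openid.claimed_id=attacker"
    print("forged:", verify_connect_callback(victim_session, forged))  # False
```

Tie the nonce to the session of the user who clicked the button (the session cookie does that), and when the callback arrives confirm the connection is being attached to that same logged-in account, not to whichever account the OpenID response names.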

