The purpose of this URL is to check the username and password and registers a new OpenID as belonging to a particular user.
Parameters your URL should accept
Submission method: POST
* openid_url- the OpenID to be authenticated
* user_id- the primary key (i.e. username / email ) for the user
* password- the password for the user
* clickpass_merge_callback_url- a URL at the OpenID provider (i.e. Clickpass) to process the outcome of the process
Is it this sentence that is meant to cover the case?
You may also provide information to Clickpass through third party websites which you log into using the Clickpass Service. Such information shall be stored by Clickpass and handled by Clickpass in accordance with this policy.
Sounds like it's in the right ballpark but why not specifically say 'you may provide us your user names & passwords and we wont use them ever again'? The 'log into using the Clickpass service' could easily be (mis)interpreted as referring to OpenID SSO rather than to the merge process.
They do acknowledge the future relevance of OAuth.
Separately, am I alone in seeing the irony of OpenID deployers, in order to address the perceived 'User Provides URI' barrier, exploring mechanisms that
a) hide the whole complexity of identifiers from the user
b) rely on shared infrastructure to facilitate IDP discovery