I'm using OmniAuth with Rails 3.1.4 and I'm trying to allow already authenticated users to associate multiple OpenID providers with their account.
As an unauthenticated user, signing in with OpenID works fine. As an authenticated user, when I try to sign in with a different oid provider, when the callback method is executed, it just looks like I wasn't previously authenticated.
To me it just looks like the controller gets executed before sessions are initialised (or sessions are completely skipped).
What could it be?
Confirming Andrei Serdeliuc's solution, disabling protect_from_forgery worked for me (Ruby 1.8.7, Rails 2.3.11, OmniAuth 0.1.6)
in your CallbackController (AuthenticationsController in the famous screencast)
adding skip_before_filter :verify_authenticity_token or protect_from_forgery :except => :create at the top of the controller work !
As it could be a way for CSRF (Cross-Site Request Forgery) you should verify the identity of the openid server, don't forget to setup the certificate verification (in the initializer):
# First of all get a ca-bundle.crt file (eg : from your open-source browser package)
require "openid/fetchers"
OpenID.fetcher.ca_file = "#{Rails.root}/config/ca-bundle.crt""
it will prevent warnings like :
WARNING: making https request to https://www.google.com/accounts/o8/id without verifying server certificate; no CA path was specified.
Now my sessions are not reseted anymore, and can add several openid authentication to my curren_user.
cheers