Closed dcu closed 14 years ago
Doing that is a potential security issue. Essentially, you can't verify that the email really belongs to that user just from the OpenID provider asserting that it does. If I wanted to hijack an account on such an app, I could do so by setting up my own copy of MyOpenID and configuring it to tell other services that my email address was the one of the user I wanted to hijack.
For an in-depth discussion, please see this page:
Well, only signed-in users could connect accounts.
Signed in how? The only thing that calls the find_by_identity_url method is the authentication strategy, which only gets run when a user attempts to sign in. They can't attempt to sign in if they're already signed in.
Hmm, not sure. I don't know the internals very well, but devise-twitter can do that.
After taking a look at devise-twitter, I see how they do it, but I'm not sure the same can be done for OpenID exactly.
One approach, which you can do today, is to follow the instructions on the wiki page I linked to, under "the complex (but better) fix." This explains how to set up two separate authenticatable models, which will allow you to perform an OpenID login on a separate scope with a user already authenticated. With some modification, it can be made to work for your use case, I'm quite sure.
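The two points made in this thread (a provider-asserted email must never be used to select an existing account, and attaching a new OpenID to an account must happen under an already signed-in session rather than inside the authentication strategy) as an added, framework-free Ruby illustration. This is not code from devise_openid_authenticatable or devise-twitter; `UserStore`, `find_by_asserted_email`, `link_identity` and the sample users and URLs are all constructed for the example.

```ruby
# Added example, not the gem's code: a minimal in-memory user store contrasting
# an email-trusting lookup (account takeover by a rogue OpenID provider) with a
# lookup keyed only on the proven identity URL, plus a separate, session-gated
# linking step for attaching a second OpenID to an existing account.

User = Struct.new(:email, :identity_urls) do
  def linked?(url)
    identity_urls.include?(url)
  end
end

class UserStore
  def initialize
    @users = []
  end

  def add(email, identity_url)
    @users << User.new(email, [identity_url])
    @users.last
  end

  # UNSAFE: trusts the email carried in the OpenID assertion. Any provider the
  # attacker controls can assert the victim's email and receive her account.
  def find_by_asserted_email(identity_url, email)
    user = @users.find { |u| u.email == email } || add(email, identity_url)
    user.identity_urls << identity_url unless user.linked?(identity_url)
    user
  end

  # SAFE: the authentication strategy matches only on the identity URL the
  # provider actually proved. An unknown URL yields nil, never someone else's account.
  def find_by_identity_url(identity_url)
    @users.find { |u| u.linked?(identity_url) }
  end

  # Linking is a separate action performed for an already signed-in user
  # (`current_user` comes from the session, not from the assertion). The email
  # in the assertion plays no part here.
  def link_identity(current_user, identity_url)
    raise ArgumentError, "must be signed in to link an OpenID" if current_user.nil?
    other = find_by_identity_url(identity_url)
    if other && !other.equal?(current_user)
      raise ArgumentError, "identity already belongs to another account"
    end
    current_user.identity_urls << identity_url unless current_user.linked?(identity_url)
    current_user
  end
end

# Constructed data: one legitimate user and a URL at a provider the attacker runs.
ROGUE_URL = "https://attacker-provider.example/alice".freeze
SECOND_URL = "https://alice.other-provider.example/".freeze

def seeded_store
  store = UserStore.new
  victim = store.add("alice@example.com", "https://alice.myopenid.example/")
  [store, victim]
end

# Rogue provider asserts Alice's email: the unsafe lookup hands over her account.
def unsafe_lookup_hijacks?
  store, victim = seeded_store
  store.find_by_asserted_email(ROGUE_URL, "alice@example.com").equal?(victim)
end

# Same assertion against the safe lookup: the rogue URL matches nothing.
def safe_lookup_hijacks?
  store, victim = seeded_store
  store.find_by_identity_url(ROGUE_URL).equal?(victim)
end

# Linking without a session is refused.
def anonymous_link_rejected?
  store, _victim = seeded_store
  store.link_identity(nil, SECOND_URL)
  false
rescue ArgumentError
  true
end

# A signed-in user can attach a second OpenID, which then resolves to her account.
def signed_in_link_succeeds?
  store, victim = seeded_store
  store.link_identity(victim, SECOND_URL)
  store.find_by_identity_url(SECOND_URL).equal?(victim)
end
```

The safe lookup never consults the email field, so whatever a provider claims about email cannot select an existing record; the only way to associate a new OpenID with an account is through `link_identity`, which is reached only with a `current_user` established by an ordinary sign-in, which is the "separate scope" arrangement the wiki page describes.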
Yeah, I'll do that, thanks.
If you pass the email to the find (or create) method, I can see if there is a user with that email and connect the accounts.