Replicate the bug disscussed in Sorcery/sorcery#6.

app/assets/javascripts/oauths.coffee

@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://coffeescript.org/

app/assets/stylesheets/oauths.scss

@@ -0,0 +1,3 @@
+// Place all the styles related to the Oauths controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/

app/controllers/oauths_controller.rb

@@ -0,0 +1,37 @@
+class OauthsController < ApplicationController
+  skip_before_filter :require_login
+
+  # sends the user on a trip to the provider,
+  # and after authorizing there back to the callback url.
+  def oauth
+    login_at(params[:provider])
+  end
+
+  def callback
+    provider = params[:provider]
+    if @user = login_from(provider)
+      redirect_to root_path, :notice => "Logged in from #{provider.titleize}!"
+    else
+      begin
+        @user = create_from(provider)
+        # NOTE: this is the place to add '@user.activate!' if you are using user_activation submodule
+
+        reset_session # protect from session fixation attack
+        auto_login(@user)
+        redirect_to root_path, :notice => "Logged in from #{provider.titleize}!"
+      rescue
+        redirect_to root_path, :alert => "Failed to login from #{provider.titleize}!"
+      end
+    end
+  end
+
+  #example for Rails 4: add private method below and use "auth_params[:provider]" in place of
+  #"params[:provider] above.
+
+  private
+  def auth_params
+    params.permit(:code, :provider)
+  end
+
+end
+

app/helpers/oauths_helper.rb

@@ -0,0 +1,2 @@
+module OauthsHelper
+end

app/models/authentication.rb

@@ -0,0 +1,3 @@
+class Authentication < ActiveRecord::Base
+  belongs_to :user
+end

app/models/user.rb

@@ -1,5 +1,10 @@
 class User < ActiveRecord::Base
-  authenticates_with_sorcery!
+  authenticates_with_sorcery! do |config|
+    config.authentications_class = Authentication
+  end
+
+  has_many :authentications, :dependent => :destroy
+  accepts_nested_attributes_for :authentications
 
   validates :password, length: { minimum: 3 }, if: -> { new_record? || changes[:crypted_password] }
   validates :password, confirmation: true, if: -> { new_record? || changes[:crypted_password] }

app/views/layouts/application.html.erb

@@ -14,6 +14,7 @@
   <% else %>
       <%= link_to "Register", new_user_path %> |
       <%= link_to "Login", :login %>
+      <%= link_to 'Login with Twitter', auth_at_provider_path(:provider => :twitter) %>
   <% end %>
 </div>
 <div>

app/views/oauths/callback.html.erb

@@ -0,0 +1,2 @@
+<h1>Oauths#callback</h1>
+<p>Find me in app/views/oauths/callback.html.erb</p>

app/views/oauths/oauth.html.erb

@@ -0,0 +1,2 @@
+<h1>Oauths#oauth</h1>
+<p>Find me in app/views/oauths/oauth.html.erb</p>

config/initializers/sorcery.rb

@@ -2,7 +2,7 @@
 # The default is nothing which will include only core features (password encryption, login/logout).
 # Available submodules are: :user_activation, :http_basic_auth, :remember_me,
 # :reset_password, :session_timeout, :brute_force_protection, :activity_logging, :external
-Rails.application.config.sorcery.submodules = []
+Rails.application.config.sorcery.submodules = [:external]
 
 # Here you can configure each submodule's features.
 Rails.application.config.sorcery.configure do |config|
@@ -76,8 +76,7 @@
   # What providers are supported by this app, i.e. [:twitter, :facebook, :github, :linkedin, :xing, :google, :liveid, :salesforce] .
   # Default: `[]`
   #
-  # config.external_providers =
-
+  config.external_providers = [:twitter]
 
   # You can change it by your local ca_file. i.e. '/etc/pki/tls/certs/ca-bundle.crt'
   # Path to ca_file. By default use a internal ca-bundle.crt.
@@ -110,11 +109,12 @@
   # Twitter will not accept any requests nor redirect uri containing localhost,
   # make sure you use 0.0.0.0:3000 to access your app in development
   #
-  # config.twitter.key = ""
-  # config.twitter.secret = ""
-  # config.twitter.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=twitter"
   # config.twitter.user_info_mapping = {:email => "screen_name"}
-  #
+  config.twitter.key = ENV['TWITTER_API_KEY']
+  config.twitter.secret = ENV['TWITTER_API_SECRET']
+  config.twitter.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=twitter"
+  config.twitter.user_info_mapping = {:username => "screen_name"}
+
   # config.facebook.key = ""
   # config.facebook.secret = ""
   # config.facebook.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=facebook"
@@ -436,7 +436,7 @@
     # Class which holds the various external provider data for this user.
     # Default: `nil`
     #
-    # user.authentications_class =
+    user.authentications_class = Authentication
 
 
     # User's identifier in authentications class.

config/routes.rb

@@ -1,62 +1,18 @@
 Rails.application.routes.draw do
+  get 'oauths/oauth'
+
+  get 'oauths/callback'
+
   root :to => 'users#index'
   resources :user_sessions
   resources :users
 
   get 'login' => 'user_sessions#new', :as => :login
   post 'logout' => 'user_sessions#destroy', :as => :logout
-  # The priority is based upon order of creation: first created -> highest priority.
-  # See how all your routes lay out with "rake routes".
-
-  # You can have the root of your site routed with "root"
-  # root 'welcome#index'
-
-  # Example of regular route:
-  #   get 'products/:id' => 'catalog#view'
-
-  # Example of named route that can be invoked with purchase_url(id: product.id)
-  #   get 'products/:id/purchase' => 'catalog#purchase', as: :purchase
-
-  # Example resource route (maps HTTP verbs to controller actions automatically):
-  #   resources :products
 
-  # Example resource route with options:
-  #   resources :products do
-  #     member do
-  #       get 'short'
-  #       post 'toggle'
-  #     end
-  #
-  #     collection do
-  #       get 'sold'
-  #     end
-  #   end
-
-  # Example resource route with sub-resources:
-  #   resources :products do
-  #     resources :comments, :sales
-  #     resource :seller
-  #   end
-
-  # Example resource route with more complex sub-resources:
-  #   resources :products do
-  #     resources :comments
-  #     resources :sales do
-  #       get 'recent', on: :collection
-  #     end
-  #   end
-
-  # Example resource route with concerns:
-  #   concern :toggleable do
-  #     post 'toggle'
-  #   end
-  #   resources :posts, concerns: :toggleable
-  #   resources :photos, concerns: :toggleable
-
-  # Example resource route within a namespace:
-  #   namespace :admin do
-  #     # Directs /admin/products/* to Admin::ProductsController
-  #     # (app/controllers/admin/products_controller.rb)
-  #     resources :products
-  #   end
+  # For external login (Now supports only twitter).
+  post "oauth/callback" => "oauths#callback"
+  get "oauth/callback" => "oauths#callback"
+  get "oauth/:provider" => "oauths#oauth", :as => :auth_at_provider
+
 end

db/migrate/20161024081032_sorcery_external.rb

@@ -0,0 +1,12 @@
+class SorceryExternal < ActiveRecord::Migration
+  def change
+    create_table :authentications do |t|
+      t.integer :user_id, :null => false
+      t.string :provider, :uid, :null => false
+
+      t.timestamps
+    end
+
+    add_index :authentications, [:provider, :uid]
+  end
+end

db/schema.rb

@@ -11,7 +11,17 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20161024063842) do
+ActiveRecord::Schema.define(version: 20161024081032) do
+
+  create_table "authentications", force: :cascade do |t|
+    t.integer  "user_id",    limit: 4,   null: false
+    t.string   "provider",   limit: 255, null: false
+    t.string   "uid",        limit: 255, null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "authentications", ["provider", "uid"], name: "index_authentications_on_provider_and_uid", using: :btree
 
   create_table "users", force: :cascade do |t|
     t.string   "email",            limit: 255, null: false