
Allowing multiple authentication methods for user #707

@elad-eyal

Description

I'm proposing a backwards-incompatible change, but I guess it will not affect anyone (yet improve things for future deployments!).

Following #502 there are several ways for a user to sign up and sign in to frab:

  1. frab's own username & password (which is devise database_authenticatable and confirmable)
  2. LDAP server
  3. Google Account
  4. if and after Add OpenID Connect support #693 is merged – an OpenID Connect server

Currently, a user – identified by a unique e-mail address – can log in with only one of these options. I.e., if Jane registered with frab by clicking "Sign-Up" and providing a password, then later she is unable to log in using "Google account" for the same e-mail address.

Following the proposed change, a user who signed up/logged in with any of the enabled options will be able to log in with the other authentication providers as well. If she initially signed up directly with frab (database_authenticatable), then the same password will still be available after logging in with another authenticator. If she first logs in with omniauth (i.e. everything other than frab sign-up), then a new password is assigned to the user (for log-in via the frab form), but this password is never communicated to the user, so it is effectively blocked. However, an admin can change that password (using the rails console, I guess) in case someone needs this for some reason.

So the frab operator is responsible for configuring in frab only third-party authentication servers which are trustworthy (i.e., validate via e-mail); otherwise there is some security risk. At any rate, the third-party authentication password is never stored in the frab DB.

After this change is implemented, it will be possible to add 3rd-party authentication to existing deployments. This note will be deleted from the manual: "It is therefore best to select an authentication strategy before deploying to production."
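The linking behaviour proposed above, written out as an added Ruby example (not frab's code and not the author's patch): a single account keyed by normalized e-mail address is shared by the password form and every omniauth provider; a password-first user keeps her password, an omniauth-first user receives a random password that is never disclosed, an admin can reset it, and a provider assertion is only linked when the provider reports the e-mail as verified. The in-memory `Accounts` store, the `User` class, the PBKDF2 stand-in for Devise's bcrypt hashing, the provider names and the `email_verified` field are all assumptions made for the example.

```ruby
require "securerandom"
require "openssl"

# Constructed stand-in for frab's Devise-backed User model (assumption, not frab code).
class User
  attr_reader :email, :providers

  def initialize(email, password: nil)
    @email = email
    @providers = []
    @password_chosen = !password.nil?
    # An omniauth-first user gets an unguessable random password that is never
    # shown to anyone, so the frab login form is closed until an admin resets it.
    set_password(password || SecureRandom.hex(32))
  end

  # True only if the user herself picked the password via frab sign-up or an admin reset.
  def password_chosen?
    @password_chosen
  end

  def link(provider)
    @providers << provider unless @providers.include?(provider)
    self
  end

  def set_password(plain)
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(plain, @salt)
  end

  def valid_password?(candidate)
    secure_equal?(derive(candidate, @salt), @digest)
  end

  private

  # PBKDF2-HMAC-SHA256 stands in for Devise's bcrypt; the real app keeps bcrypt.
  def derive(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, 20_000, 32, OpenSSL::Digest.new("sha256"))
  end

  # Constant-time comparison so a failed login leaks nothing via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed in-memory account store standing in for the users table.
class Accounts
  # Only providers the operator has configured, all of which verify e-mail addresses.
  TRUSTED_PROVIDERS = %w[ldap google_oauth2 openid_connect].freeze

  def initialize
    @users = {}
  end

  # frab's own sign-up form: database_authenticatable.
  def sign_up(email, password)
    key = normalize(email)
    raise ArgumentError, "e-mail already registered" if @users.key?(key)
    @users[key] = User.new(key, password: password).link("database")
  end

  def sign_in_with_password(email, password)
    user = @users[normalize(email)]
    user if user && user.valid_password?(password)
  end

  # auth is a trimmed omniauth-style hash: { provider:, email:, email_verified: }.
  def sign_in_with_omniauth(auth)
    provider = auth[:provider]
    raise ArgumentError, "provider not configured" unless TRUSTED_PROVIDERS.include?(provider)
    raise ArgumentError, "provider did not verify e-mail" unless auth[:email_verified]
    key = normalize(auth[:email])
    # Find-or-create by e-mail: an existing password user is simply linked.
    user = @users[key] ||= User.new(key)
    user.link(provider)
  end

  # What the author expects an admin to do from the rails console.
  def admin_reset_password(email, new_password)
    user = @users.fetch(normalize(email))
    user.set_password(new_password)
    user.instance_variable_set(:@password_chosen, true)
    user
  end

  private

  def normalize(email)
    email.strip.downcase
  end
end
```

The two paths converge on `@users[key] ||= User.new(key)`, which is the whole change the issue asks for; the `email_verified` check is what makes the author's "only configure trustworthy servers" caveat enforceable in code rather than by policy alone.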
