As many Rails projects use the OpenID service to authenticate its users, I want to bring some of its security issues to your attention which were announced recently. Gareth Heyes found a cross-site request forgery attack vector with MyOpenID, one of the bigger OpenID providers. MyOpenID reacted promptly, but other providers have the same problem. Here's what he writes:
When developing a OpenID system is very important to include form tokens in order to prevent CSRF attacks. The MyOpenID.com site had included form tokens but the token was stored in the URL of the site.
A more general article about OpenID security issues can be found on GNUCITIZEN.