Adding OpenId to existing users does not work.
Steps to reproduce:
1) Start a vanila Liferay bundle (tested with Tomcat, but should affect others as well)
2) Disable "Allow strangers to create accounts?" in Control panel/Portal Settings/Authentication/General
3) As Administrator create an account with a @gmail.com email address (or any other email that works as OpenId account), e.g. "firstname.lastname@example.org"
4) John Doe can login with his email and password.
So far so good. Now John decides he wants to switch to OpenId.
5) In the login portlet click on OpenId
6) Use "https://www.google.com/accounts/o8/id" as your OpenId provider (or the url of your OpenId provider if you don't use gmail)
7) Get redirected to gmail - John Doe uses his gmail account to log in
8) Gmail (or the OpenId provider) generates an authentication URL: https://www.google.com/accounts/o8/id?id=AItOawlPq...
9) Get redirected back to your portal
What should happen:
10a) Liferay finds the user with OpenId url https://www.google.com/accounts/o8/id?id=AItOawlPq... -> user is logged in
10b) Liferay sees that there is no user with such OpenId URL.
11) Get the email address from the OpenId response
12) Find user by email - email@example.com
13) Update John's user account and set his OpenId URL to https://www.google.com/accounts/o8/id?id=AItOawlPq...
14) Joe is now logged in
What actually happens:
between 6) and 7) Liferay tries to find the user with the general OpenId URL ("https://www.google.com/accounts/o8/id") and then by screen name (by somehow converting the general OpenId URL to "www.google.com.accounts.o8.id") which of course fails. The matching of users (by OpenId authentication URL or email or screen name) must happen AFTER step 9) when the user finished the authentication.
Attached is a patch that fixes OpenIdAction.java