I finished coding this solution - posted it here if it can help others (or if someone has suggestions for improving it).
Here is some logic:
The application was originally created using Clearance for authentication / authorization, so using Clearance allows you to continue working with existing names / pwds and an existing authorization code.
User identification
Clearance uses the email address as the primary identifier. The application requires each user to have an email address for other purposes, so we will continue to use email as the primary user identifier. We retrieve it from the FB when the user is registered, if they are registered through the FB. (note that omniauth-facebook requests a custom set of FB permissions, access to the email address is enabled by default).
User registration
New users have the option of creating an email / pwd combo or registering via FB. Omniauth-facebook is used for authentication against FB (and to provide extensions to other auth systems over time). We get user data (name, email address, etc.) from FB, as well as the Facebook token. Authenticated users do not need to provide a password. Users who prefer to register without an FB provide an email address, password, and other user data. Users created by the name of FB are taken for user / editing to finish providing any profile data that we cannot capture from FB. We also maintain the existing user registration mechanism, allowing the user to manually provide email / pwd / other data.
User Confirmations
The gap checks the user's email address. Is our overridden password optional? the function substantially eliminates their password verification. To be used in production, this solution should include user checks to implement "you must have at least one of the valid pwd or valid omniauth keys"
Session Creation
The model of the cleaning session is used (saving mem_type in a cookie).
The session controller is redefined to add a method for signing through the FB. Callback from FB routes to this method, which creates / updates user data and calls Clearance sign_in (user)
Login
Saving a simple model is saved: the "authorize" filter, in fact, just checks that the valid user is signed and the current_user helper is provided.
Using FB
The user FB current is stored after FB authentication (in the authentication object owned by the user). Koala is used for other FB requests (for example, for publishing on the user's wall) ... details are omitted here; I am not doing anything special.
FB Token Update
FB points expire periodically (and the FB autonomous access role has expired). The token is updated when the user logs in, but the token may become invalid before the application expires (when the user exits FB, changes his FB password, or the token expires). I am working on how to periodically update the FB token outside the input stream, but this is not suitable for this answer.