
You know, you HN guys are super buzzword and design blind. This company slaps "bcrypt", "SSL", and "open source" on a decently designed bootstrap page and the response is "this will totally work!" Sad.

For example, this statement "Credentials are stored as salted hashes using bcrypt," means passwords are being passed to this provider, so you better trust them to not be snooping passwords all the time. Also, bcrypt is questionable http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html Finally, it looks like your server is talking to them via SSL through a library https://github.com/hstove/omniauth-dailycred#ssl-error. If that's the case then when you try to do this with some SSL clients they don't validate the cert. Take Python's, where you have to do a backport http://pypi.python.org/pypi/backports.ssl_match_hostname/ to get that enabled.

I found these problems in just scanning through some links off that first page. Seems like this crowd would be able to pull up more, and definitely shouldn't just be saying "Oh SSL, well then that whole thing is totally solid."
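The hostname-validation gap the comment points at (an SSL client that checks the certificate chain but never checks that the certificate is for the host it connected to) is easiest to see in code. The block below is an added example, not the commenter's code and not the `backports.ssl_match_hostname` package itself: it reimplements the kind of dNSName/commonName check that backport added, runs it over constructed certificate dicts in the shape `getpeercert()` returns, and shows a small audit helper that tells a verifying `SSLContext` apart from one that skips peer validation. `SAN_CERT`, `CN_ONLY_CERT`, `cert_matches` and `context_validates_peer` are names chosen for this example.

```python
import ssl

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns; neither corresponds to any real site.
SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {  # old-style cert with no subjectAltName at all
    "subject": ((("commonName", "legacy.example.org"),),),
}


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A '*' is honoured only as the entire leftmost label and matches exactly
    one label, which is the conservative rule the match_hostname backport
    applied; partial wildcards ('f*o.example.com') and bare '*.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError unless `cert` is valid for `hostname`.

    dNSName entries in subjectAltName are authoritative; the subject's
    commonName is consulted only when the certificate carries no dNSName.
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    if any(_dns_pattern_matches(name, hostname) for name in dns_names):
        return
    raise ssl.CertificateError(
        f"hostname {hostname!r} doesn't match any of {dns_names}"
    )


def cert_matches(cert: dict, hostname: str) -> bool:
    """Boolean wrapper around match_hostname for auditing and tests."""
    try:
        match_hostname(cert, hostname)
        return True
    except ssl.CertificateError:
        return False


def secure_context() -> ssl.SSLContext:
    """Client context that verifies the chain AND the hostname (Python 3.4+ default)."""
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    """The failure mode the comment describes: chain and hostname checks both off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unverified or mis-named peer."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("example.com", "api.example.com", "a.b.example.com", "evil.com"):
        print(f"{host:>18}: {'ok' if cert_matches(SAN_CERT, host) else 'REJECT'}")
    print("default context validates peer:", context_validates_peer(secure_context()))
    print("CERT_NONE context validates peer:", context_validates_peer(unverified_context()))
```

When reviewing a client library's TLS usage, the two settings checked by `context_validates_peer` are the ones to look for: `verify_mode=CERT_REQUIRED` alone stops forged chains but still accepts a valid certificate issued for some other host, which is exactly why the hostname check had to be added separately.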
