Rails Authentication with OAuth 2.0 and OmniAuth

It is important to point out that using find_or_create_by in the User.from_omniauth method means that you will have no control over who has access to your application. That is, anyone with a valid Twitter account will be able to generate a user object.

For many applications, that may be the desired behaviour, but there are many other instances where this is not the case. I do not think this should be the default behaviour described in this sort of tutorial. It should be described as an alternative. That is, you should describe the least dangerous configuration first and foremost, and then show alternative options.
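The difference described in the comment above, shown as an added example that is not part of the original comment or the tutorial's code. The in-memory `User` class stands in for the ActiveRecord model so it runs without Rails; the method names `from_omniauth_open` and `from_omniauth_restricted`, the allowlist, and the sample auth hashes are hypothetical and constructed for illustration.

```ruby
# Constructed stand-in for the tutorial's ActiveRecord model: rows live in an
# in-memory hash keyed by [provider, uid] so the example runs without Rails.
class User
  attr_reader :provider, :uid, :name

  @rows = {}
  # Hypothetical allowlist of pre-approved accounts (constructed values).
  @approved = [["twitter", "1001"]]

  class << self
    attr_reader :rows, :approved

    # Open sign-up, equivalent to find_or_create_by: any account the provider
    # authenticates gets a User row.
    def from_omniauth_open(auth)
      key = identity(auth)
      rows[key] ||= new(auth)
    end

    # Closed by default: existing users are found, new rows are created only
    # for identities on the allowlist. Returns nil for everyone else.
    def from_omniauth_restricted(auth)
      key = identity(auth)
      return rows[key] if rows.key?(key)
      return nil unless approved.include?(key)
      rows[key] = new(auth)
    end

    private

    # Match on the provider's stable id, never on a display name the account
    # holder can change.
    def identity(auth)
      [auth.fetch(:provider), auth.fetch(:uid).to_s]
    end
  end

  def initialize(auth)
    @provider = auth.fetch(:provider)
    @uid = auth.fetch(:uid).to_s
    @name = auth.dig(:info, :name)
  end
end

# Constructed auth hashes shaped like OmniAuth's (provider, uid, info.name).
KNOWN    = { provider: "twitter", uid: "1001", info: { name: "Alice" } }
STRANGER = { provider: "twitter", uid: "9999", info: { name: "Mallory" } }
```

A callback controller using the restricted form would refuse to start a session when the method returns nil.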