And when I turn off "protect_from_forgery" in Rails, it goes through fine. So my question now becomes "how do I supply the correct header from my JQGrid POSTs?"

Have you checked for the anti cross site request forgery header in the ajax request? 

Rails won't accept post requests without that by default.

I'm using ruby-openid to do authentication with Google, and used Seth Ladd's nice recipe to get that working.

Which it does -- for page views and POSTS from web forms.

However, whenever JQGrid does a POST to update data on the server, two things happen:

1. Even if the user's browser is already authenticated via logging in to Google, the POST appears to the server as if it were coming from an unauthenticated one, and gets redirected to the OpenID authentication dance. That wouldn't be a showstopper except that
2.  As soon as the server sends back the 401 that's supposed to initiate the redirect-and-authenticate thing, the whole enchilada just stops dead. Normally (as in, say, a POST request from a form submission with a standard web page), the browser sees the 401, reads the enclosed "authenticate over here" info, does the dance, comes back with the session set up, and the cycle continues. But from JQuery/JQGrid...not so much.

Any ideas? I'm confident that I'm missing something obvious here, but I've got one of Rumsfeld's "unknown unknowns" going, I don't know what it is that I'm missing, much less how to fix it! Seems like this should be a long-solved problem, eh?

I could be running afoul of XSS defenses, but if so I've no idea how to proceed other than ****-canning the serious investment we've already made in OpenID (including users already signing up & having to furnish/remember passwords -- ick!).

Thanks in advance!

(Rails 3.0.7, ruby-openid 2.1.8, JQGrid 3.5.3, JQuery 1.3.2, using Google as the OP so that user never has to type in their identity URL.)