Why does UserSession.find return nil when using user_credentials = single_access_token?

I believe that I've set up everything such that single_access_token
should be sufficient to pull a user's session.

The scenario is:
Bob uses Firefox and creates an account on LoginUI (http://
www.coolaj86.info/loginui).
Instead of using cookies, Bob's single_access_token comes in the
response to the request.
LoginUI submits Bob's single_access_token with every request
(essentially using it as though it were the persistence token).
Bob clicks 'account settings' and changes his password, but the
request fails.

The request fails because the record is not found (presumably it's
trying to find Bob by the persistence token rather than the single
access token.

I've been very thorough in looking through the documentation, but I
must be missing something. What is it that I'm neglecting?

class UsersController < ApplicationController
  def update
    # params[:user_credentials].inspect shows the correct
'xxxSingle_Access_Tokenxxx'
    user_hash = RegisteredUserSession.find.record
    user = RegisteredUser.find(user_hash)
    user.update(params[:user])
    user.save

    respond_to do |format|
      format.json { head :ok }
    end
  end

  private
    def single_access_allowed?
      true
    end
end

class UserSession < Authlogic::Session::Base
  allow_http_basic_auth = true
  params_key = 'user_credentials'
  single_access_allowed_request_types = :all
end

class RegisteredUserSession < UserSession
end

class User < ActiveRecord::Base
  set_table_name "users"
  attr_accessible :display_name, :email, :password

  acts_as_authentic do |c|
    c.require_password_confirmation = false
  end

  class << self
    def public_hash(obj)
      {
        :display_name => obj.display_name,
        :email => obj.email,
        :single_access_token => obj.single_access_token,
        :errors => obj.errors
      }
    end
  end
end

class RegisteredUser < User
  attr_accessible :display_name, :email, :password

  validates_presence_of :display_name
  validates_length_of :password, :within=>6..254

  acts_as_authentic do |c|
    c.require_password_confirmation = false
    c.change_single_access_token_with_password = true
    c.email_field = 'email'
  end
end

apologies, I meant to send this to the authlogic list