Rails Auth

The following are popular gems for Rails authentication and authorization.

As a reminder, authentication means determining whether the person making the request is really a certain user, and authorization means determining what that user is allowed to do.

  • CanCanCan - allows authorization via central Ability classes
  • Devise - a high-level Rails authentication framework, including full Rails engine features (model mixins, views, controllers)
  • Doorkeeper - allows your Rails app to be an OAuth 2 provider; i.e. your own user store is made available through the OAuth API
  • OmniAuth - allows authentication via a number of third-party services, some OAuth and some otherwise
  • Pundit - allows easily configuring authorization via policy classes
  • Warden - a low-level Rack authentication framework, suitable for web services

Some relationships between these gems include:

  • Pundit and CanCanCan can be used with any of the others, because they are the only authorization libraries listed; the others are all authentication. You would only want to use one of the two.
  • If you’re making a web service:
    • Use Doorkeeper if you want people to authenticate to it with OAuth
    • Use Warden if you want them to authenticate in a different way
  • If you’re making a webapp:
    • Use Devise alone if you are only logging in to your own user table
    • Use OmniAuth alone if you’re only authenticating against third parties, and you’re okay building screens
    • Use Devise with its OmniAuth integration if you’re allowing signup with email or with third parties, or if you don’t want to build screens
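To make the "authorization via policy classes" point concrete, here is an added example (not Pundit's own code) of a Pundit-style policy written in plain Ruby so it runs without the gem; the `authorize` helper and `NotAuthorizedError` below are stand-ins for what the real gem provides in controllers, and the `User`/`Post` structs are constructed sample models.

```ruby
# Added example, not Pundit's own code: a Pundit-style policy in plain Ruby
# so it runs without the gem. In a real app `authorize` and
# Pundit::NotAuthorizedError come from Pundit; the stand-ins below
# follow its conventions (assumption).
User = Struct.new(:id, :role)                 # constructed sample models
Post = Struct.new(:author_id, :published)
NotAuthorizedError = Class.new(StandardError)

# Pundit convention: PostPolicy.new(user, record), one predicate per action.
class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user   = user
    @record = record
  end

  # Published posts are readable by anyone; drafts only by the author or an admin.
  def show?
    record.published || owner? || admin?
  end

  # Only the author or an admin may edit; anonymous users (user == nil) are denied.
  def update?
    owner? || admin?
  end

  # Deleting is reserved for admins.
  def destroy?
    admin?
  end

  private

  def admin?
    !user.nil? && user.role == "admin"
  end

  def owner?
    !user.nil? && record.author_id == user.id
  end
end

# Stand-in for Pundit's controller helper: look up "#{record.class}Policy",
# call "#{action}?" and raise unless it returns exactly true. A predicate that
# does not exist counts as a denial, so new actions are closed by default.
def authorize(user, record, action)
  policy  = Object.const_get("#{record.class}Policy").new(user, record)
  query   = "#{action}?"
  allowed = policy.respond_to?(query) && policy.public_send(query) == true
  raise NotAuthorizedError, "not allowed to #{action} #{record.class}" unless allowed
  true
end
```

In a Rails controller the same check is `authorize @post` inside the action, with Pundit inferring the `update?` query from the action name and rescuing `Pundit::NotAuthorizedError` centrally.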