60

I poked around StackOverflow and Google, but couldn't find anyone who has put together a comparison of authentication gems or plugins for Rails (I'm looking for something for Rails 3). What authentication solutions are available for Rails 3, which are most popular, and what are the differences between them?

jrdioko

8 Answers

47

Ruby toolbox has a list of the most popular ones: http://ruby-toolbox.com/categories/rails_authentication.html

You can see that Devise and Authlogic are definitely the most popular.

Personally I use Devise. It works well with Rails 3, is easily customizable, and makes it very easy to integrate Twitter and Facebook based auth.

mike

14

For a Rails 3 app, definitely Devise ;). Devise is the only authentication system which provides security on all 3 stack layers of Rails, in 'M', 'V', and 'C', and hence is the best to go with. But you have to learn more about how to customize Devise to fit your application's needs. You can find help on customizing on this page: https://github.com/plataformatec/devise/wiki/_pages

Hemanth

13

In Rails, authentication from scratch is dead simple to do. Ryan Bates covers this here: http://railscasts.com/episodes/270-authentication-in-rails-3-1

jamesc

  • 3
    Revisiting this in late 2012, it seems like a better solution. Rails already does so much (like before_filters) and devise often does too much. – B Seven Sep 16 '12 at 17:37
6

devise, devise, devise

thenengah

1

I am surprised OmniAuth did not get a mention in any of the answers. (Agreed, OmniAuth is more recent than this question is, but there are answers that came after.)

Undoubtedly, this is the most exhaustive authentication solution available currently for Rails applications.

Under the hood, OmniAuth uses OAuth2, which is evolving as the de-facto standard for authentication in web applications across platforms and frameworks. Almost all major internet players support OAuth2 - GitHub, Google, Facebook, Twitter, LinkedIn are just a few to name.

Of course, Devise works very well with OmniAuth, so it should not be a major headache for those already using Devise.

Litmus

0

Kinda late to the party, but I wrote something up for it here:

http://zergsoft.blogspot.jp/2012/08/rails-3-authentication-compared-warden.html

I cover Warden, Devise and home grown.

jpgeek

0

The tutorial by Michael Hartl is great for learning how to set up your own.

http://ruby.railstutorial.org/ruby-on-rails-tutorial-book

I have used that on multiple apps and love the flexibility of setting up my own Authentication Method.

Though for the most part I use Devise and LOVE it. It is very quick/easy to implement, very secure, and does exactly what I need it to do.

https://github.com/plataformatec/devise

I will typically use it in conjunction with CanCan and Rolify.

rickb

0

I'm a big proponent of rolling your own. Depending on your requirements, it's fairly straightforward and reduces dependency on a key component. Rails 3.1 makes it even easier.

loneaggie

  • 5
    It seems to me an authentication library would be the _last_ place you'd want to trust yourself to roll your own. – jrdioko Jul 16 '11 at 22:56
  • authentication != encryption. I don't trust myself to do anything with encryption, but the basics of authentication are very simple. Rails 3.1 even includes built-ins now for helping with the salt. The other way to look at it is, if it's important enough to protect, who do you trust to protect it? There are definitely times when an already used library works, and I think Devise is a great one. – loneaggie Jul 16 '11 at 23:34
  • 3
    Also you have a wider community to debug the code if a weakness is found. Me vs All Hackers or Me+opensource awesomeness vs Hackers – Abe Petrillo Aug 24 '11 at 23:49
  • 1
    I've studied security & crypto and I strongly agree that you never want to roll your own in this space. I've seen way too many poorly implemented auth SDKs written by the ignorant. This stuff needed lots of eyeballs to check that it's correct and secure and 'time to bake in the oven' to get the bugs out. – Tony O'Hagan Sep 04 '12 at 04:16