Authentication recommendations?


I'd like to solicit recommendations for authentication systems for Rails apps. I rolled my own basic system the last project I had, but I'd like to leverage others' good work this time. However, I don't have much time to investigate the current offerings. Most important to me is reliability and security over features.

Thanks in advance! Michael

I like OmniAuth ( or JanRain Engage (

Hope this helps, _Ryan Wilcox

I've used devise on a site successfully. However there's a bit of work to get it to understand multiple subdomains (I use a secure subdomain once logged in).

I also followed Ryan Bates' excellent railscasts to create my own (#250 Authentication from Scratch - RailsCasts)

Hey Michael,

The two more popular solutions these days have already been mentioned: Devise and Omniauth. They both can integrate with each other, by the way.

Devise is an authentication system that is very easy to set up and get running, but my experience with it was that it's much harder to customize than, for example, AuthLogic (which is what I'm using these days, there's a Rails 3 branch for it over at github that works great).

Omniauth, by contrast, allows users to login through other systems. If your app is public-facing, this may be a really good feature to offer. Say your users have Twitter or Facebook accounts - if you set it up right, you can let them login through Twitter, Facebook, Google Apps, etc. with a single click (usually, assuming they're already logged in on the third provider of choice).

AuthLogic is another solution that has kind of "fallen by the wayside" so to speak in terms of popularity. It was really popular back in the Rails 2.3.x days, but with the release of Rails 3, hasn't officially caught up to being compatible with Rails 3 out of the box. However, as is the nature of open source, some other folks have worked on it to make it compatible with Rails 3, and as mentioned above, there's a specific branch for that over on github that I'm using in a rails 3.0.7 app right now, and it works great.

My personal *OPINION* (and that's all it is, an opinion) is that I happen to like AuthLogic a lot more, because it's less of a full solution, and more of a "framework" for authentication, whereas Devise is more a full stack solution out of the box. Ergo, Devise tends to be much harder to customize than AuthLogic, because using AuthLogic at all requires you to put it into your specific controllers the way you want. It's not that you CAN'T customize Devise - you can, and there are several wiki posts about it (note: when I last looked at it, much of that documentation looked outdated and incompatible with the current release, but they could have corrected it by now - your mileage may vary) - but I personally find AuthLogic to be much easier to use overall, because I generally have some specific things I want to do with authentication and signups that are more difficult to pull off in Devise.

Good luck to you!

Thanks to all for the great information!