Authentication recommendations?


I'd like to solicit recommendations for authentication systems for
Rails apps. I rolled my own basic system the last project I had, but
I'd like to leverage others' good work this time. However, I don't
have much time to investigate the current offerings. Most important
to me is reliability and security over features.

Thanks in advance!

I like OmniAuth ( or JanRain
Engage (

Hope this helps,
_Ryan Wilcox

I've used devise on a site successfully. However there's a bit of
work to get it to understand multiple subdomains (I use a secure
subdomain once logged in).

I also followed Ryan Bates' excellent railscasts to create my own

Hey Michael,

The two more popular solutions these days have already been mentioned:
Devise and Omniauth. They both can integrate with each other, by the

Devise is an authentication system that is very easy to set up and get
running, but my experience with it was that it's much harder to
customize than, for example, AuthLogic (which is what I'm using these
days, there's a Rails 3 branch for it over at github that works

Omniauth, by contrast, allows users to login through other systems.
If your app is public-facing, this may be a really good feature to
offer. Say your users have Twitter or Facebook accounts - if you set
it up right, you can let them login through Twitter, Facebook, Google
Apps, etc. with a single click (usually, assuming they're already
logged in on the third provider of choice).

AuthLogic is another solution that has kind of "fallen by the wayside"
so to speak in terms of popularity. It was really popular back in the
Rails 2.3.x days, but with the release of Rails 3, hasn't officially
caught up to being compatible with Rails 3 out of the box. However,
as is the nature of open source, some other folks have worked on it to
make it compatible with Rails 3, and as mentioned above, there's a
specific branch for that over on github that I'm using in a rails
3.0.7 app right now, and it works great.

My personal *OPINION* (and that's all it is, an opinion) is that I
happen to like AuthLogic a lot more, because it's less of a full
solution, and more of a "framework" for authentication, whereas Devise
is more a full stack solution out of the box. Ergo, Devise tends to
be much harder to customize than AuthLogic, because using AuthLogic at
all requires you to put it into your specific controllers the way you
want. It's not that you CAN'T customize Devise - you can, and there
are several wiki posts about it (note: when I last looked at it, much
of that documentation looked outdated and incompatible with the
current release, but they could have corrected it by now - your
mileage may vary) - but I personally find AuthLogic to be much easier
to use overall, because I generally have some specific things I want
to do with authentication and signups that are more difficult to pull
off in Devise.

Good luck to you!

Thanks to all for the great information!