Why is there no simple default auth in Rails?

Hello, I’m a Rails newbie.

I wonder why there is no simple auth (sign-in, sign-up, password reset) in a Rails app?

I found that I need to use Devise, but it’s too complicated for me, and it would be much nicer to add an auth option for new Rails apps, like:

rails new my_app --auth

The same as in Laravel.

Also, Devise is not supported in Rails 7 yet? (I might be wrong.)

Thanks.

6 Likes

Devise is the de-facto standard for Rails and it’s simple to use:

https://github.com/heartcombo/devise#getting-started

We’ve been using it for 10+ years without any problems and it will certainly support Rails 7.

1 Like

He is not wrong, though. It still would be nice to have a quick generator for auth. Rails is known for having a bunch of useful generators: ActionMailer, ActiveStorage, etc.

This is something that has been coming up time and time again for a very long time. What’s even crazier is that many of the Rails alternatives, some of them even Rails-inspired, nowadays offer a quick way of scaffolding auth.

4 Likes

This is the bug with Rails 7:

https://github.com/heartcombo/devise/pull/5397

You can comment there.

I so agree with this. For some reason #DHH has decided that login, authentication, user management, etc. are all outside the scope. But basically every single Rails app has that, which you can’t say about document uploading (active storage), emailing (active mail), and other built-ins. And pointing to Devise doesn’t do it for me. Last I tried (and based on more recent blogs etc.), Devise is not for everyone; it is very (overly) complicated for most apps. But I asked this question on this site (or another one) several years ago and was told to forget about it, it’s never gonna happen.

4 Likes

I think the question is not “does every app need this feature” but “is there a single solution for this feature that will work for most apps”. For things like file storage (ActiveStorage), email (ActiveMailer), etc., the answer is generally yes.

Sure there are other solutions. For example we have Paperclip, Dragonfly, Carrierwave, etc for file storage. But ActiveStorage can be a solution that will work for most applications.

For authentication the answer is different. Authentication gets complicated and divergent quickly. Are you even using passwords, or are you authenticating via email (like Medium)? Do you allow social logins? If so, which ones? What about enterprise identity management systems like ActiveDirectory? Do you support 2FA? If so, which ones? TOTP? Hardware key? What about security? Should the authentication rate limit? Lock out after a certain number of attempts? Validate that your password is a certain length? Validate that it’s not a dictionary word?

There are so many questions and answers to these questions that there isn’t one solution to satisfy most apps. For an internal app, HTTP Auth with hard-coded credentials might be sufficient. Other apps don’t want the responsibility of dealing with credentials, so only social logins are supported. Other apps want to outsource it to a provider like Auth0.

Because of this diversity of goals, a marketplace of options is probably best. My list is:

  • HTTP Auth - Toy/Internal apps. This is actually built-in to Rails!
  • Omniauth - Social-login focused (although there is a user/pass provider)
  • Devise - A kitchen sink of many features you likely want (and probably a few you don’t)
  • Auth0 - Enterprise apps that need integration with things like ActiveDirectory

There also is Clearance from Thoughtbot: https://github.com/thoughtbot/clearance/

1 Like

A simple DB auth should be provided by the web framework. If you want social auth, that’s when you maybe should start looking into gems that handle these things.

I found two frameworks that I follow that have both included some kind of auth system:

https://github.com/redwoodjs/redwood/pull/2701

2 Likes

I think this is exactly the point. Rails should have an out of the box solution for user authentication that will work for most applications.

Just like you can choose to use Shrine instead of ActiveStorage when you have different requirements than the built-in stuff offers.

I totally agree Rails should come with a “batteries included” user authentication feature.

The fact that Devise has been the de-facto standard for 7+ years and HASN’T been folded into Rails core in some capacity still seems strange to me.

1 Like

I believe Devise might be too big and complex to be a default. But that’s just my guess ;)

There are many ways in which an authentication system can be bespoke. (Just look at all of the ways Devise can be configured!) I believe the aversion to a default authentication system is based on the desire to encourage developers to design a system that is right for their app.

With that in mind, I’ve submitted a few PRs that I hope could make it nicer to implement a bespoke system:

They haven’t gotten much traction yet, but feedback is welcome.

I have a few more ideas for features I would like to see (such as automatically re-hashing a password on login if the BCrypt cost has changed), but I’m not yet sure how to make them suitable for Rails. For anyone who has implemented their own bespoke authentication system: what would make your code nicer?

3 Likes
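The concerns listed earlier in the thread (rate limiting, lockout after a number of attempts, password length validation) and the re-hash-on-login idea in the post above are all small pieces of code once they are written down. The following is an added example, not code from Rails, Devise or any of the PRs mentioned; it is a self-contained bespoke authenticator that enforces a length policy, locks an account after repeated failures, stores the work factor alongside the hash, and transparently re-hashes the password on a successful login when the configured work factor has changed. It assumes PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for bcrypt so that it runs without extra gems; the iteration count plays the role of bcrypt's cost and is encoded in the stored digest, in the same spirit as bcrypt's `$2a$12$...` prefix. The class name, the in-memory user table and the user "alice" are constructed for the illustration.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Added example (not Rails, Devise or any gem's code). PBKDF2-HMAC-SHA256 is an
# assumption standing in for bcrypt; the iteration count plays bcrypt's "cost".
class PasswordAuthenticator
  MIN_PASSWORD_LENGTH = 12
  MAX_PASSWORD_LENGTH = 128   # bounds the work an attacker can force per attempt
  MAX_FAILED_ATTEMPTS = 5
  LOCKOUT_SECONDS = 15 * 60
  KEY_LENGTH = 32
  ALGORITHM = "pbkdf2-sha256"

  PolicyError = Class.new(StandardError)

  attr_accessor :iterations

  # clock is injectable so lockout expiry can be exercised without sleeping.
  def initialize(iterations:, clock: -> { Time.now.to_f })
    @iterations = iterations
    @clock = clock
    @users = {} # username => { digest:, failures:, locked_until: } (in-memory stand-in for a DB)
    # Verified for unknown usernames so a missing account costs the same time
    # as a wrong password, instead of leaking which usernames exist.
    @decoy_digest = hash_password(SecureRandom.hex(16), iterations)
  end

  def register(username, password)
    check_policy(password)
    @users[username] = { digest: hash_password(password, @iterations),
                         failures: 0, locked_until: nil }
    true
  end

  # Returns :ok, :invalid or :locked.
  def authenticate(username, password)
    user = @users[username]
    now = @clock.call
    if user.nil?
      verify(@decoy_digest, password)
      return :invalid
    end
    return :locked if user[:locked_until] && now < user[:locked_until]

    unless verify(user[:digest], password)
      user[:failures] += 1
      if user[:failures] >= MAX_FAILED_ATTEMPTS
        user[:locked_until] = now + LOCKOUT_SECONDS
        user[:failures] = 0
      end
      return :invalid
    end

    user[:failures] = 0
    user[:locked_until] = nil
    # Cost upgrade: the plaintext is only in hand at login, so this is the
    # moment to re-hash when the deployed work factor differs from the stored one.
    user[:digest] = hash_password(password, @iterations) if stored_iterations(user[:digest]) != @iterations
    :ok
  end

  def digest_for(username)
    @users.fetch(username)[:digest]
  end

  def stored_iterations(digest)
    digest.split("$", 4)[1].to_i
  end

  private

  def check_policy(password)
    return if password.length.between?(MIN_PASSWORD_LENGTH, MAX_PASSWORD_LENGTH)
    raise PolicyError, "password must be #{MIN_PASSWORD_LENGTH}-#{MAX_PASSWORD_LENGTH} characters"
  end

  # Stored format: algorithm$iterations$salt_b64$key_b64
  def hash_password(password, iterations)
    salt = SecureRandom.random_bytes(16)
    key = derive(password, salt, iterations)
    [ALGORITHM, iterations, Base64.strict_encode64(salt), Base64.strict_encode64(key)].join("$")
  end

  # Uses the iteration count stored with the digest, not the current setting,
  # so old hashes keep verifying after a cost increase.
  def verify(digest, password)
    _alg, iters, salt_b64, key_b64 = digest.split("$", 4)
    expected = Base64.strict_decode64(key_b64)
    actual = derive(password, Base64.strict_decode64(salt_b64), iters.to_i)
    secure_compare(actual, expected)
  end

  def derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: "sha256")
  end

  # Constant-time comparison: an attacker must not learn how many leading
  # bytes of the derived key matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  auth = PasswordAuthenticator.new(iterations: 50_000)
  auth.register("alice", "correct horse battery staple")
  puts auth.authenticate("alice", "correct horse battery staple") # ok
  auth.iterations = 100_000                                        # cost raised in config
  auth.authenticate("alice", "correct horse battery staple")      # re-hashed on this login
  puts auth.stored_iterations(auth.digest_for("alice"))           # 100000
end
```

Two design points worth noting: verification reads the work factor from the digest itself, so raising `iterations` in configuration never breaks existing users, and the unknown-username path still runs a full derivation so that response time does not reveal which accounts exist. A real deployment would persist the failure counter and lock expiry with the user record and would add per-IP rate limiting in front of this; neither is shown here.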

Just found this thread. I think including an auth framework would make starting new apps easier, but it would encourage folks to leave the defaults and deploy insecure apps. WordPress is an example of a super popular framework that is so easy to deploy, and it’s the most hacked web app because of that. I think by forcing us to implement auth, Rails encourages better security practices. Just my two cents.