stackoom
  简体   繁体   中英

Omniauth, Devise, Open ID, CanCan - Whats what and When do I use which solution for a Rails API app

 原文  2012-08-26 14:51:39       ruby-on-rails/ openid/ authorization/ oauth-2.0/ omniauth

Question

So Im developing a Rails app- primarily serves API which I want to lock down behjind a nice authorization system. Ive created Rails apps which render HTML and for that I used Devise and CanCan. This time I want to serve JSON to my clients. I basically have the following requirements:

  1. Need an authorization system thats robust
  2. A user should be able to log in with existing apps such as facebook, twitter, linked in and google
  3. There should be full stack authorization available

Now this is my 1st app that Im writing that serves up API so I started researching and so far Ive found the following solutions that people have used:

  1. I've seen people use Devise with CanCan
  2. I've seen people talk about using Oauth2 http://railscasts.com/episodes/353-oauth-with-doorkeeper?autoplay=true
  3. I've heard... "Use Doorkeeper"
  4. I've heard use ..." Use omniauth"

So basically my 1 day of research basically just confused me more. When di I use these and for my requirements which comnbination would I use! Im struggling to make sense of the alphabet soup, can someone help me understand this

1 answers

solution1
 6 ACCPTED  2012-08-26 15:32:41

Devise is an authentication engine for Rails apps of all types. Devise allows authentication against username/password, token authentication (good for API's), and an oauth provider (such as Google, Facebook and the like). This obviously allows you to deny access to the API unless the user is signed in through one of the services you offer.

CanCan is an authorization system that will work on top of Devise to allow users access to certain parts of your system based on their role within the system. CanCan has a very slick DSL prviding can and cannot methods for allowing or denying access to views or controller actions.

Doorkeeper is an oauth provider gem if you wanted to roll your own oauth solution on top of your API. This would be if you wanted your application to act in the same manner as Google or FAcebook in providing an oauth endpoint for users to authenticate against. From what you stated above, I don't think this is the case.

Given the requirements you provided above, I believe that Devise and CanCan would be the route that I would choose. This would allow the user to authenticate at first by username/password, or some oauth provider, then allow token authentication after that to access your API. You can then lock down access to specific actions through CanCan.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Rails 4, Devise, Omniauth, Cancan, Twitter API How do I setup omniauth-facebook on an already existing omniauth and devise rails app? Devise / CanCan 2.0 / Omniauth: What permissions are required for Omniauth signin rails , devise omniauth, multiple app_id ,app_secret OmniAuth facebook with Devise in Ruby on rails not passing app_id How do I know when a user is registering vs logging in with Devise and Omniauth in Rails Not Authorized when using CanCan and Devise (Rails 4) Rails, Devise, and Mongo - Which versions do I use? Devise OmniAuth with a Multi-tenant Rails 5 App Rails, Devise & Omniauth - See what's in env[“omniauth.auth”]
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM