Doorkeeper | Devise
---|---
7 | 101
5,379 | 24,176
0.3% | 0.2%
7.9 | 6.2
14 days ago | 5 months ago
Ruby | Ruby
MIT License | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Doorkeeper
-
Rails and Keycloak, Authentication Authorization, part one
You can use the doorkeeper gem, which can convert your Rails application into an identity provider. But this means that one of your applications will be the single source of truth for user management.
-
Best way for user auth with a Rails API?
The doorkeeper gem.
-
Rails Personal access tokens
Take a look at doorkeeper.
-
Zitadel: The best of Auth0 and Keycloak combined
Disclosure: I work for FusionAuth.
Depends on what you are looking for.
If you want a standalone auth server, you can use FusionAuth in docker/docker-compose: https://fusionauth.io/docs/v1/tech/installation-guide/docker
You can also package up a library; most major languages have one or more OAuth/OIDC libraries: https://github.com/doorkeeper-gem/doorkeeper for Ruby, https://spring.io/projects/spring-security for Spring/Java, https://oauth2.thephpleague.com/ for PHP, https://pypi.org/project/oauthlib/ for Python.
https://oauth.net/code/ has a further selection of libraries in a variety of languages.
-
Need help implementing PKCE flow in Doorkeeper
Are there any code examples to implement the PKCE flow in Doorkeeper? I am a bit confused on how to implement it here: https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-PKCE-flow
-
Using the same backend for both web views & mobile app
For authorization we use Doorkeeper gem with PKCE flow.
-
Authelia is an open-source authentication/authorization server with 2FA/SSO
One thing that is missing from this list is open source language specific libraries. Projects such as https://oauthlib.readthedocs.io/en/latest/oauth2/server.html and https://github.com/doorkeeper-gem/doorkeeper
Depending on your use case, for example if you only have one application, you might be better off running something embedded in your app, or independent but using the same runtime/deployment environment. Then, when you are ready to add another app or integration, you should be able to introduce a standalone auth system more easily if appropriate (because all your auth interactions should be relatively standardized). I'm a big fan of standalone auth systems as a way to simplify access control and give a single view of a user/customer, but you can also succeed using open source embedded libraries.
When the moment comes to introduce a standalone system, you should consider a few dimensions (this list pulled from a previous comment of mine: https://news.ycombinator.com/item?id=26360048 ):
* open source or not
Devise
-
Unlocking the potential of Lockable
In October 2024, I presented at the Toronto Ruby Meetup on discovering the potential of using Lockable. Devise is a popular authentication library that provides ready-made solutions for user authentication. One of the features it offers is Lockable, which is used to lock a user account after a certain number of failed login attempts. This feature helps improve security by preventing brute force attacks.
-
Rails for Everything
Acknowledging that I haven't had a chance to try the new Rails 8 auth stack... over the last decade I've gone from being a Devise hater to a Devise lover.
Yes, it can seem esoteric and magical (in the bad way) until you wrap your head around the idioms and design philosophy. There's a lot of functionality that happens unless you override it. I fully get that this rubs a lot of people who aren't in the pool the wrong way.
However, in addition to the impressive selection of modular capabilities mentioned elsewhere in this thread, there's a very bright light that goes on when you realize that you can make powerful changes to the way the library works by reopening a few controller classes and defining your own methods.
My strong advice for anyone looking at Devise and perhaps feeling stumped is to open up https://github.com/heartcombo/devise/tree/main/app/controlle... and spend some tens of minutes looking at how the library does what it does. These controllers - especially sessions and registrations - contain all of the business logic driving the "magic". Not only do they reveal themselves as relatively simple and well thought out, all of those yield calls mean that you can call those methods while passing a block to them. Whatever is in that block will be evaluated inside of that method when it runs.
The people who designed Devise put a lot of thought into this stuff. When you get it, you suddenly don't want to be without it.
-
Efficient Chunked File Downloads in Rails: Streaming CSV Exports
However, using ActionController::Live can sometimes lead to unexpected issues, particularly with authentication libraries like Devise. Devise may raise errors when ActionController::Live is active, especially related to the session or Warden errors, as discussed in this GitHub issue. This happens because ActionController::Live opens a separate thread for streaming, which can cause conflicts with Devise’s thread safety and session handling.
-
SpendWise - Budget management app (Ruby on Rails + React) - Part 3
If you'd like to know how to implement Devise for user authentication, here's the link: Devise
-
Rails and Keycloak, Authentication Authorization, part one
Use the devise gem, which is probably the most famous Rails authentication system.
-
Should I Use jwts For Authentication Tokens?
IMHO the stateful opaque token approach is simple enough that it can (and often does) get baked into whatever language/framework you’re using to write your app. In addition, the very nature of session tokens is such that the logic for what the token actually means/represents lives in your app, on the server.
So, that may be why we don’t see more “opaque session token” standards/libraries out there as an alternative to JWTs.
But if you want an existing example, Devise for Rails [1] has been around a while.
[1] https://github.com/heartcombo/devise
-
On the road to ramen profitability 🍜 💸
Users can signup and login via the Devise gem and create their organizations.
-
Warden of Hanami - hanami.rb basic authentication
However, for smaller apps it might be overkill. In "real-life" production systems, overengineering is one of the biggest crimes. This is true of any framework and technology, so in Rails you might want to use Rodauth since it is big and interesting and challenging, but then again, if you are building a simple greenfield MVP you do not have the time or need for a big, complex solution. In those cases Rails developers usually go for Devise. It is one of the most known Rails gems; in multiple Rails surveys it was number 1 in the popularity, likability and "most frustrating" rankings.
-
Ruby on Rails: Native route constraint for authentication
Since Rails 7, there's more and more tooling that enables us, developers, to roll our own authentication. Devise is great and has been an amazing companion over the years. It also has this neat little feature - an authenticated route constraint which "hides" certain routes from people that are not signed in.
-
Heroku Build Failure: error:0308010C:digital envelope routines::unsupported
[changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
What are some alternatives?
OmniAuth - OmniAuth is a flexible authentication system utilizing Rack middleware.
Rodauth - Ruby's Most Advanced Authentication Framework
OAuth2 - A Ruby wrapper for the OAuth 2.0 protocol.
Sorcery - Magical Authentication
JWT - A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
authentication-zero - An authentication system generator for Rails applications.