rodauth-rails VS webauthn-ruby

In this article, I would like to show how to set each of these up in a Rails app that uses rodauth-rails. I'll be using Safari on macOS Ventura, and have iCloud Keychain sync enabled, which is a requirement for Apple passkeys.

Once I felt things were functioning well enough, I extracted the glue code into the rodauth-rails gem and added tests. I also included an install generator, which created the initial skeleton with sensible default configuration. A new Roda superclass provided a convenience configure method for loading the Rodauth plugin together with the rails feature.

FWIW I'm using rodauth and I like it: https://github.com/janko/rodauth-rails

My question is pretty much in the title. Is it possible to do Omniauth in a Rails API Only app? I've been looking into devise-token-auth and rodauth-rails. rodauth-rails has a tutorial for Omniauth (https://github.com/janko/rodauth-rails/wiki/OmniAuth), but it is using a Rails monolith.

I didn't create it, it was created by Jeremy Evans, I just contribute to it occasionally ;). I created the Rails integration, because I wanted to bring it into the Rails ecosystem, and I recently started recording screencasts. So I'm biased in that sense :)

maybe https://github.com/janko/rodauth-rails

$/myapp> bundle info rodauth-rails * rodauth-rails (0.18.1) Summary: Provides Rails integration for Rodauth. Homepage: https://github.com/janko/rodauth-rails Path: /Users/shino/.rbenv/versions/3.0.0/lib/ruby/gems/3.0.0/gems/rodauth-rails-0.18.1

I don't know if you've seen, but I wrote a guide that shows an integration, which you can use for now. This is also what the official demo Rails app uses.

Rodauth provides first class support for passkeys, implemented on top of the excellent webauthn-ruby gem. It enables using passkeys as a multifactor authentication method, or for passwordless login and registration. In addition to routes, views and database storage, it also provides the complete JavaScript part that interacts with Web Authentication API for zero configuration.

Would it make sense to leverage another gem like https://github.com/cedarcode/webauthn-ruby for this? Or are we thinking a completely devise internal implementation? Either way I’m interested in contributing to this movement for devise

I've used this gem for rails apps https://github.com/cedarcode/webauthn-ruby

Luckily, there is a WebAuthn gem for Ruby (thanks!) that will do all the hard work for us. Just run bundle add webauthn.

All OTP-based 2FA methods are phishable. For real security, you should be looking at FIDO (U2F or WebAuthN)