So Im developing a Rails app- primarily serves API which I want to lock down behjind a nice authorization system. Ive created Rails apps which render HTML and for that I used Devise and CanCan. This time I want to serve JSON to my clients. I basically have the following requirements:
- Need an authorization system thats robust
- A user should be able to log in with existing apps such as facebook, twitter, linked in and google
- There should be full stack authorization available
Now this is my 1st app that Im writing that serves up API so I started researching and so far Ive found the following solutions that people have used:
- I've seen people use Devise with CanCan
- I've seen people talk about using Oauth2 http://railscasts.com/episodes/353-oauth-with-doorkeeper?autoplay=true
- I've heard... "Use Doorkeeper"
- I've heard use ..." Use omniauth"
So basically my 1 day of research basically just confused me more. When di I use these and for my requirements which comnbination would I use! Im struggling to make sense of the alphabet soup, can someone help me understand this
Devise is an authentication engine for Rails apps of all types. Devise allows authentication against username/password, token authentication (good for API's), and an oauth provider (such as Google, Facebook and the like). This obviously allows you to deny access to the API unless the user is signed in through one of the services you offer.
CanCan is an authorization system that will work on top of Devise to allow users access to certain parts of your system based on their role within the system. CanCan has a very slick DSL prviding can and cannot methods for allowing or denying access to views or controller actions.
Doorkeeper is an oauth provider gem if you wanted to roll your own oauth solution on top of your API. This would be if you wanted your application to act in the same manner as Google or FAcebook in providing an oauth endpoint for users to authenticate against. From what you stated above, I don't think this is the case.
Given the requirements you provided above, I believe that Devise and CanCan would be the route that I would choose. This would allow the user to authenticate at first by username/password, or some oauth provider, then allow token authentication after that to access your API. You can then lock down access to specific actions through CanCan.
来源:https://stackoverflow.com/questions/12131079/omniauth-devise-open-id-cancan-whats-what-and-when-do-i-use-which-solution