Live Q&A with Ilya Bodrov on Rails Authentication, 3rd September 8PM (PST)


This thread was for our Q&A session with [Ilya Bodrov][1], which took place on September 3rd, 2015.

Ilya is a long time [SitePoint author][2] and recently a [SitePoint Premium teacher][3] with the release of his latest course [Getting Started with Backbone.JS][4]. Ilya loves all things web and regularly contributes to many open source projects [amongst other things][5], but he is most passionate about building web components and authentication in Rails. Just have a read of some of his articles:

  1. [Messaging with Rails and Mailboxer][6]
  2. [Steam-Powered DOTA on Rails][7]
  3. [Rails Authentication with Authlogic][8]
  4. [CanCanCan: The Rails Authorization Dance][9]

It’s clear to see that Ilya knows his Rails!

Original message:

If you have been itching to ask him a question, or have a rails question you’d like answered then please come along and join us. He will be answering all of your Rails authentication questions for 30 minutes on this very page.

To ensure your question is answered, we’re accepting early submissions. Please feel free to pop in your question through this thread, Twitter (#askilyaSP) or [this form][10].

Want to join but are unsure about when it takes place in your timezone? [This link][11] will be able to assist. Not familiar with SitePoint? Really?! [Go have a look][12]. Not familiar with SitePoint Premium? [This][13] will will bring you up to speed.

See you here on the 3rd of September!

[1]: http://%20

Hi Ilya and Angela! Thanks for organizing the Live Q&A on Rails Authentication this Thursday!

My question for Ilya, is whether there are any leading practices he would recommend with respect to implementing SSO (Single Sign-On) with Rails with LDAP/Active Directory (e.g. - a typical internal corporate user database, in a Windows environment) – or, alternately, “gotchas” to be aware of.

Thanks in advance for any insights, experiences or wisdom he can share on the subject!


I’m working on a PR to make an OAuth2 provider for authenticating users on other properties.

Would love some feedback on setting up Doorkeeper, whether rg users should each own an Application, or not, and how you’d test this. We’re using the authentticated_client flow (not password) and use SSL, and also appreciate any thoughts on security.

Users must be signed in to rg to create or view Applications.

Have you used Doorkeeper, opro, or other provider libraries? Looked at Mozilla macaroons?


1 Like

Welcome to todays Q&A with @bodrovis, a SitePoint author and SitePoint Premium teacher.

Today Ilya will be answering all your Rails authentication questions, in fact any question relating Rails and Ruby (his favourite topics). Feel free to ask him all of your questions on the forums. If you’re on twitter, you can tweet questions using #askIlyaSP and we’ll bring them into the discussion.

Happy chatting!

Hello and thank you for the question!

Well, I personally have not implemented such scenarios, but did research the topic a bit. What I’d recommend is using RubyCAS ( to deploy a standalone SSO app. CAS, in contrast to OpenID, centralizes authentication - a pretty comprehensive comparasion is available here I can’t say that deploying RubyCAS is that simple, so be prepared to invest some time. Still, project’s wiki does give information about getting started and customizing. I believe here is your scenario:

Also, there is a plugin for Devise that supports CAS Who knows, maybe one day I’ll write an article about it as well.

Best of luck!

1 Like

Hello, Benjamin!

Thank you for the question. I’d really love to help, however I haven’t used Doorkeeper that extensively. The only thing that you are discussing and I did use is Clearance (and my article on it is coming soon). Still, you’ve given me a lot to think of and research so hopefully in a couple of weeks I’ll write about Doorkeeper and opro as well, so that other folks have some place to set off.

Also, thanks to everyone working on rubygems for all the hard work! :smile:

If you’re referring to my question about making an OAuth provider, I’m not sure how RubyCAS would help.

OT: isn’t OpenID super super dead?

p.s. this is just a chat on this page, right? No video or anything?

Oh, I am sorry, that was the answer to Methos. I’ll edit the post and add a quote.

As far as I know, OpenID is pretty much dead.

No, just a good old chat :smile:

Hi @bodrovis,
We had a couple of questions come through social. This one is from @James_Hibbard:

Scenario 1: I have a Rails app with reasonable test coverage. I then decide to add user authentication with Devise. In itself, this is successful, however requiring users to be authenticated before accessing certain resources, causes many of my existing tests to fail.

Do you have any tips or resources you can point towards for handling this scenario?

@bodrovis Thanks for your reply. Do you have any experience with authentication providers? (as opposed to clients?). already uses Clearance as you noted, but it, like Devise, AuthLogic, etc. are to OAuth was having a password-based login on my personal site to having a ‘Log in with GitHub’ button, no?

Unfortunately, I don’t quite get the idea. Why can’t you just set some fake session for the tests and pretend that a user is authenticated? As long as Devise uses Warden, it is totally possible. Sorry if I misunderstood you.

The google form is protected.

Adding in some test helpers to handle authentication is how we do it!

There’s a full page on it here

module RequestHelpers

  include Warden::Test::Helpers

  # Requests do not have a sign_in helper
  # Polyfill with login_as from Warden::Test::Helpers
  def sign_in(user)

and then in our spec file

require 'spec_helper'

describe SomeRequest do
  let(:user) { create(:user) }
  describe "#index" do
    before do
      sign_in user
    # tests etc

@James_Hibbard Devise has test-helpers for login_in(@user) etc. that you’d often put in a before/setup block. I’ll update this comment when I find a good example.

Me and my collegue did create a custom OAuth provider (on Sinatra) a couple of years ago and from what I can remember that was a huge pain. :confounded:

Absolutely true, Clearance is an email-password authentication solution.

Yeah, this is exactly what I was referring to! My thanks :smile:

Thank you!

Hi @bodrovis,

Here’s another question from @James_Hibbard:
Scenario 2: I’m planning on building a Rails app from scratch using TDD. I know in advance that the users will have to log in to use the app. I’m using Devise for authentication and the cancancan gem for authorization.

Do you have any tips or resources you can point towards for handling this scenario? (i.e. where to start and the best order to do what)

@bodrovis Have you worked with having to authenticate using a SPA front end and a rails backend?