Build Status

High-performance Ruby on Rails OAuth2 provider for a closed set of trusted apps with multiple roles support.

Use cases

Leash is built to support the following scenario:

  • You build a system that consists of multiple apps.
  • List of the apps does not change too often and apps are not created during system runtime.
  • You want to have a central authentication system for these apps but authorization can vary from app to app.
  • You have a few fundamentally different user classes (user, admin etc.).
  • These apps are trusted, in other words: if app talks to auth server with valid credentials, you don't ask user whether he/she allows to enable data flow.

Potential use cases are:

  • Intranet.
  • Larger websites that are decoupled into several smaller apps.

Fundamental ideas

  • As the app list is fixed, let's store their credentials in ENV. Fast, easy to maintain and compatible with 12factor.
  • As tokens are not very persistent, let's use redis for storing them.
  • As such app can be a subject of high load, let's use redis as a backend.
  • Do not reinvent the wheel, let's use devise for authentication.

Supported OAuth 2 flows

  • Authorization Code (for apps running on a web server)
  • Implicit (for browser-based or mobile apps)

Unsupported features

At the moment, Leash does not support:

  • Any other flows than mentioned above.
  • Scopes.
  • Token refreshing and invalidation.

Compatible ruby version

  • Leash is tested with ruby 2.2.1.


Work in progress. Early stage of development.




Marcin Lewandowski