设计是所有类型的Rails应用的认证引擎。设计允许对用户名/密码，令牌认证（良好的API的）和一个OAuth提供商（如谷歌，Facebook等）的认证。这显然​​使得除非用户通过您所提供的服务之一，签署了您拒绝访问的API。

Devise is an authentication engine for Rails apps of all types. Devise allows authentication against username/password, token authentication (good for API's), and an oauth provider (such as Google, Facebook and the like). This obviously allows you to deny access to the API unless the user is signed in through one of the services you offer.

康康舞是一个授权系统，该系统将在设计的顶部工作，以允许用户访问基于系统中的角色的系统的某些部分。惨惨有一个非常漂亮的DSL prviding 可和不能允许或拒绝访问的观点或控制器的操作方法。

CanCan is an authorization system that will work on top of Devise to allow users access to certain parts of your system based on their role within the system. CanCan has a very slick DSL prviding can and cannot methods for allowing or denying access to views or controller actions.

看门是，如果你想滚你的API之上自己的OAuth解决方案一个OAuth提供商的宝石。这将是，如果你想你的应用程序相同的方式为谷歌或Facebook采取行动在为用户进行身份验证OAuth用户端点。从你上述的东西，我不认为是这样。

Doorkeeper is an oauth provider gem if you wanted to roll your own oauth solution on top of your API. This would be if you wanted your application to act in the same manner as Google or FAcebook in providing an oauth endpoint for users to authenticate against. From what you stated above, I don't think this is the case.

给你上面提供的要求，我认为，制定和惨惨将是我会选择的路线。这将允许用户在首先通过用户名/密码，或者一些OAuth的提供商之后进行身份验证，然后让令牌认证访问您的API。然后，您可以通过惨惨锁定访问的具体行动。

Given the requirements you provided above, I believe that Devise and CanCan would be the route that I would choose. This would allow the user to authenticate at first by username/password, or some oauth provider, then allow token authentication after that to access your API. You can then lock down access to specific actions through CanCan.