Difference between config.authentication_keys and config.request_keys in devise

In devise.rb, the descriptions for the two configuration options are confusing to me:

# Configure which keys are used when authenticating a user. The default is just :email. You can configure it to use [:username, :subdomain], so for authenticating a user, both parameters are required. Remember that those parameters are used only when authenticating and not when retrieving from session. If you need permissions, you should implement that in a before filter. You can also supply a hash where the value is a boolean determining whether or not authentication should be aborted when the value is not present.

# config.authentication_keys = [ :email ]

# Configure parameters from the request object used for authentication. Each entry given should be a request method and it will automatically be passed to the find_for_authentication method and considered in your model lookup. For instance, if you set :request_keys to [:subdomain], :subdomain will be used on authentication. The same considerations mentioned for authentication_keys also apply to request_keys.

# config.request_keys = []

I do not know exactly what the difference between them is or when to use which. Can anyone help me?

Damon Yuan asked Feb 26 '15 20:02


1 Answer

The main difference seems to be that changing config.authentication_keys causes additional/different params to be required from the user, whereas adding values to config.request_keys creates additional authentication of the user by authenticating against the 'request' information sent by the user's browser. Aspects of the request sent by the user's browser will be utilized in the authentication process.

For example, a user whose subdomain is recorded as 'firstdomain.example.com' would not be able to log in through "seconddomain.example.com". This does not happen automatically, and you must override the 'find_for_authentication' method. Assuming your user model is called "User" and you want to add subdomain authentication in addition to email authentication, it might look something like this (taken from the devise wiki):

# app/models/user.rb
class User < ActiveRecord::Base
  def self.find_for_authentication(warden_conditions)
    where(:email => warden_conditions[:email], :subdomain => warden_conditions[:subdomain]).first
  end
end

On the other hand, config.authentication_keys is used for requiring either additional params from the user (such as requiring email and username) or for changing which params they are allowed to use (i.e. using username instead of email).

Some additional context:

Devise - How-to: scope login to subdomain

Devise - How-to: allow users to sign in using their username or email address

Joe Edgar answered Oct 13 '22 00:10
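An added Ruby sketch (not part of the answer above and not Devise's own code) that models the difference: values for authentication_keys are taken from the submitted params, while values for request_keys are obtained by calling the named method on the request object. FakeRequest, USERS, collect, build_conditions and authenticate are hypothetical names, and the sample users are constructed.

```ruby
# Simplified model of how the conditions hash passed to
# find_for_authentication is assembled. Illustration only, not Devise source.
AUTHENTICATION_KEYS = [:email].freeze     # read from the submitted form params
REQUEST_KEYS        = [:subdomain].freeze # read by calling methods on the request

# Constructed stand-ins for a Rails request and the users table.
FakeRequest = Struct.new(:subdomain)
USERS = [
  { email: "a@example.com", subdomain: "firstdomain" },
  { email: "b@example.com", subdomain: "seconddomain" }
].freeze

# Copy each key into conditions; a missing or blank value aborts authentication.
def collect(conditions, keys)
  keys.each do |key|
    value = yield(key)
    return false if value.nil? || value.to_s.strip.empty?
    conditions[key] = value
  end
  true
end

def build_conditions(params, request)
  conditions = {}
  ok = collect(conditions, AUTHENTICATION_KEYS) { |k| params[k] } &&
       collect(conditions, REQUEST_KEYS) { |k| request.public_send(k) }
  ok ? conditions : nil
end

# Mirrors the overridden User.find_for_authentication from the answer.
def find_for_authentication(conditions)
  USERS.find do |u|
    u[:email] == conditions[:email] && u[:subdomain] == conditions[:subdomain]
  end
end

def authenticate(params, request)
  conditions = build_conditions(params, request)
  conditions && find_for_authentication(conditions)
end
```

In this model a `subdomain` field submitted in the form has no effect on the lookup, because only the value returned by the request object is copied into the conditions.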