I switched from devise to sorcery in the week the Railscast was published. This week, I switched back.

I liked the motto of simplicity on sorcery. But in the last couple of years, I rewrote the same SessionsController multiple times.

Sorcery is a great tool, don't get me wrong. However, in terms of security, testability and community, devise seems to have an advantage. Let's analyze this claim:

The security and testability points concern only the OAuth modules. Where devise uses the great [omniauth gem], sorcery implements its own handling. This results in two things:

Testability: The omniauth gem comes with OmniAuth.config.test_mode and OmniAuth.config.mock_auth, which make (JS) integration testing of apps that rely 100% on OAuth a breeze.

Security: It turns out that sorcery stores access_tokens as class variables in the external provider that is used. This means that after a user logs in via Facebook, this user's access_token is available during the next user's request.
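To make that failure mode concrete, here is an added Ruby illustration. It is not from the original post and not sorcery's actual code; the class names, the `handle` method and the token value are constructed. It replays two consecutive requests in one worker process, first against a provider that keeps the token in class-level state, then against one that keeps it in the user's session and a per-request object.

```ruby
# Added illustration; all names are hypothetical and this is not sorcery's code.

# Leaky pattern: the token lives in class-level state, which is shared by
# every request the worker process serves.
class LeakyProvider
  class << self
    attr_accessor :access_token
  end

  def self.handle(session, callback_token: nil)
    self.access_token = callback_token if callback_token # set during OAuth callback
    { user: session[:user], token_used: access_token }   # read on any later request
  end
end

# Scoped pattern: the token is kept in the user's own session and a provider
# object is built per request, so nothing survives on the class.
class ScopedProvider
  attr_reader :access_token

  def initialize(access_token)
    @access_token = access_token
  end

  def self.handle(session, callback_token: nil)
    session[:access_token] = callback_token if callback_token
    provider = new(session[:access_token])
    { user: session[:user], token_used: provider.access_token }
  end
end

# Two consecutive requests in one process: Alice completes the OAuth callback,
# then Bob makes a request without ever logging in via the provider.
def replay(provider_class)
  alice = { user: "alice" }
  bob   = { user: "bob" }
  provider_class.handle(alice, callback_token: "constructed-token-alice")
  provider_class.handle(bob)
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:  #{replay(LeakyProvider).inspect}"  # Bob's request sees Alice's token
  puts "scoped: #{replay(ScopedProvider).inspect}" # Bob's request sees no token
end
```

A test that asserts no token is visible to a request from a fresh session, as `replay` does here, catches this class of bug in an integration suite.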

Looking at the community, there are a couple of indicators to compare:

| | Devise | Sorcery |
|---|---|---|
| github stars | 8283 | 1345 |
| open/closed issues | 10/2366 | 123/303 |
| last commit | 2 days | 20 days |