To authorize Devise (if you want to be more flexible, you can immediately take Warden)
To delimit the powers of CanCan.
All this has long been proven in practice.

Authlogic - if you need flexibility.
But I think you just understood what a device is. It does not solve any of the tasks that you have given, it is engaged in authentication .
CanCan (or already CanCanCan for 4 rails) deals with authorization, but does not deal with roles You
can do the roles yourself (if everything is simple), for example, as cancan suggests - https://github.com/ryanb/cancan/wiki/Role-Based- Au...
or use different gems railscasts.com/episodes/188-declarative-authorizat...
if your so-called backoffic and client is something more than permissions by roles, then I don't understand what it is at all, and which side to the device.
Authentication and authorization is such a popular topic that you definitely won't do anything qualitatively new

And I think that authorization and authentication should be written for yourself.
The only thing that I would not write myself is Oauth authentication - and I would take OmniAuth
. Otherwise, everything else is written quite quickly and the main thing is that you will fully understand the mechanism of how the most important part of your application works. Although if you know the gem well, let's say the device and understand exactly how it works, and if something happens, you can change everything - take it.
I don’t understand what the problem is to write this from scratch, especially since, for example, there is a 2-part screencast on railscasts, which shows how to do it from scratch. Then it is not so difficult to make a plate with roles and a method that checks whether the user has this or that role.
I mean, this is an important part of the application - in fact, this is the future backbone - according to which you will be allowed to enter the admin panel or give - do not let something edit or let into some part of the site.

devise+pundit work well together too