Has anyone successfully implemented client-side authentication and authorisation via Azure Active Directory (Azure AD)? I’ve been looking into the libraries shield, oidcc (Erlang library), oauth2, guardian and ueberauth today, trying to wrap my head around the essential differences between these libraries and how to make use of them. Any advice and pointers would be greatly appreciated.
I’m finding it difficult to get a good understanding of how these libraries differ. It would be particularly useful if someone would be so kind as to highlight the important differences between the aforementioned libraries, to make it easier to understand their intended usages.
Edit: Below is a related thread, for future reference.
shield looks like an opinionated simple oauth2 and auth library only.
oidcc looks like an OpenID Connect client library (nothing else)
guardian is a token library (you really don’t need it in 99% of cases, don’t look at it unless JWT means something to you and you know the costs behind it)
ueberauth is an unopinionated authentication framework pluggable via a huge variety of strategies (and it’s easy to make your own). I’d use this one, as the strategies mean you can change and update auth far more easily.
More direct control can be good (although I always end up writing my own strategies for ueberauth anyway, super easy to do and you get that control back), but it also means that if you need to support other things then you have a lot more work you end up having to do. Either is fine depending on your expected current and future work though.
I only just saw this thread. I’m in the process of publishing an Azure Active Directory authentication library for ueberauth right now! Still has a bit of work to go, mostly around testing and documentation.
Oh! Right… I also discovered that after a while. It was a bit difficult to find, because the name and repo tags didn’t include “Azure” or “Azure AD,” etc. There was a conversation about that in a different forum thread. Also, since this topic was created, Pow has also entered the scene.
I think @danschultzer would appreciate any help he can get on Pow. He has already implemented a strategy for Azure AD as well (work in progress), but doesn’t have an account to test it out.
one thing I’ve noticed with the other ueberauth library is it seems to have far fewer validations in the callback for the token than mine. Has me wondering whether the extra validations were necessary.
Unfortunately, I don’t know enough about authentication in general and Azure AD in particular to be able to help with that (yet). I’m still in the early stages of learning Elixir.
Cool! @danschultzer and I spent last week testing and fixing the Azure AD strategy for PowAssent as well. It is working now and has been merged into the main alpha branch (v0.1.0-alpha.12)
I think most libraries (including my PowAssent integration) are just built with the standard OAuth 2.0 auth code flow in mind. If it’s possible, then validating the token is definitely preferable.
@danschultzer @IRLeif do you guys want me to refactor out my validation stuff into a separate repo that everyone can use? I think it should be possible to write it in a way that is usable for anyone using OpenID, not just Azure Active Directory.
It may make more sense to have that in an OpenID Connect integration that does the validations, and then build the Azure AD OpenID integration on top of that.
You’ve lost me a bit there. I was talking about a general library for the openid callback validations. Not specific to your authentication library and only handling the validation part, not the rest.
I’m thinking of doing this anyway because I think this might be a common problem. I think a lot of people don’t realise the client-side validations are necessary.
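The callback validations the last few posts refer to, as an added example that is not code from ueberauth, Pow, PowAssent or any other library named in this thread. It is written in Python rather than Elixir so that it runs on the standard library alone; the shared secret, issuer, client id, nonce and claim values are constructed placeholders, and it signs with HS256 purely for self-containment (Azure AD issues RS256 ID tokens that must be verified against the tenant's published JWKS; only the signature step differs, every claim check after it is the same).

```python
"""Checks a relying party should apply to an OpenID Connect ID token
received in the authorization-code callback before trusting any claim.

Added example for this thread, not code from ueberauth, Pow or PowAssent.
HS256 and a shared secret are used only so the script is self-contained;
Azure AD uses RS256 with keys from its JWKS endpoint. All identifiers
below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret"            # stands in for the IdP key
ISSUER = "https://login.example-tenant.test/v2.0"    # constructed issuer
CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"   # constructed client id


class TokenValidationError(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, key: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Builds a compact JWS. Used here only to construct test inputs."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: Optional[int] = None,
                      leeway: int = 60) -> dict:
    """Returns the claims when every check passes, raises otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad splits, bad base64 and bad JSON
        raise TokenValidationError(f"malformed token: {exc}")

    # 1. Pin the algorithm; never let the token choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise TokenValidationError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenValidationError("bad signature")

    # 2. Issuer must be exactly the provider the user was sent to.
    if claims.get("iss") != issuer:
        raise TokenValidationError(f"issuer {claims.get('iss')!r} not trusted")

    # 3. Audience must contain our client id; with several audiences azp must be us.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise TokenValidationError("token not issued for this client")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise TokenValidationError("azp does not match client")

    # 4. Time window: exp is mandatory; nbf and iat are checked when present.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenValidationError("token expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise TokenValidationError("token not yet valid")
    if "iat" in claims and now + leeway < claims["iat"]:
        raise TokenValidationError("iat is in the future")

    # 5. Nonce ties this ID token to the browser session that started the login.
    if not expected_nonce or not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise TokenValidationError("nonce mismatch")

    if not claims.get("sub"):
        raise TokenValidationError("missing sub")
    return claims


def rejects(token: str, nonce: str, now: int) -> bool:
    """True when the token fails validation against the demo settings."""
    try:
        validate_id_token(token, SHARED_SECRET, ISSUER, CLIENT_ID, nonce, now=now)
        return False
    except TokenValidationError:
        return True
```

The order matters: the signature is checked before any claim is read, and the algorithm is fixed by the relying party rather than taken from the header. The nonce check is what stops a token obtained in one session from being replayed into another; the audience check is what stops a token a user legitimately obtained for a different application from being presented to yours.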