Authentication and authorisation via Azure Active Directory (Azure AD)

authentication
authorization
azure-active-directory
azure

#1

Continuing the discussion from Ueberauth, Ruby CAS and other SSO options for Elixir or Phoenix:

Has anyone successfully implemented client-side authentication and authorisation via Azure Active Directory (Azure AD)? I’ve been looking into the libraries shield, oidcc (Erlang library), oauth2, guardian and ueberauth today; trying to wrap my head around the essential differences between these libraries, and how to make use of them. Any advice and pointers would be greatly appreciated.

I’m finding it difficult to get a good understanding of how these libraries differ. It would be particularly useful if someone would be so kind as to highlight the important differences between the aforementioned libraries, to make it easier to understand their intended usages.

Edit: Below is a related thread, for future reference.


Ueberauth strategy for MS Graph API
#2

shield looks like an opinionated simple oauth2 and auth library only.

oidcc looks like an OpenID Connect client library (nothing else).

guardian is a token library (you really don’t need it in 99% of cases, don’t look at it unless JWT means something to you and you know the costs behind it)

ueberauth is an unopinionated authentication framework pluggable via a huge variety of strategies (and it’s easy to make your own), I’d use this one as the strategies means you can change and update auth far more easily.


#3

Thanks for your input, @OvermindDL1!

Do you have any thoughts about using oauth2 directly, versus a higher level library like ueberauth?


#4

More direct control can be good (although I always end up writing my own strategies for ueberauth anyway, super easy to do and you get that control back), but it also means that if you need to support other things then you have a lot more work you end up having to do. Either is fine depending on your expected current and future work though.


#5

Solid advice, thanks again.

I’ll probably go for ueberauth, looking at the existing strategies to get some ideas on how it’s done.


#6

I only just saw this thread. I’m in the process of publishing an Azure Active Directory authentication library for ueberauth right now! Still has a bit of work to go, mostly around testing and documentation.

Functionally the main thing missing is validation for the nonce and some error handling.


#7

Awesome, thanks! :purple_heart:


#8

Damnit, I’m nearly finished but it looks like there is an existing library that does something very similar to what I’m doing:


#9

Oh! Right… I also discovered that after a while. It was a bit difficult to find, because the name and repo tags didn’t include “Azure” or “Azure AD,” etc. There was a conversation about that in a different forum thread. Also, since this topic was created, Pow has also entered the scene.


#10

Yeh, I started working on mine on and off about 3 months ago before that thread started. No wonder I didn’t find it.


#11

I think @danschultzer would appreciate any help he can get on Pow. He has already implemented a strategy for Azure AD as well (work in progress), but doesn’t have an account to test it out :slight_smile:


#12

One thing I’ve noticed with the other ueberauth library is it seems to have far fewer validations in the callback for the token than mine. Has me wondering whether the extra validations were necessary.


#13

Yeah, I’ve been working on an Azure AD integration for PowAssent here: https://github.com/danschultzer/pow_assent/pull/3

But I got no experience with Azure so I’ve only been able to test it very lightly :slight_smile:


#14

Unfortunately, I don’t know enough about authentication in general and Azure AD in particular to be able to help with that (yet). I’m still in the early stages of learning Elixir.


#15

I created an issue on their repo. Check out the issue:


and my code for solving the same problem (the code could probably be nicer):


#16

Cool! @danschultzer and I spent last week testing and fixing the Azure AD strategy for PowAssent as well. It is working now and has been merged into the main alpha branch (v0.1.0-alpha.12) :slight_smile:

Check out this GitHub issue for more details:


#17

I think most libraries (including my PowAssent integration) are just built with the standard OAuth 2.0 auth code flow in mind. If it’s possible, then validating the token is definitely preferable.


#18

@danschultzer @IRLeif do you guys want me to refactor out my validation stuff into a separate repo that everyone can use? I think it should be possible to write it in a way that is usable for anyone using openid, not just Azure Active Directory.


#19

It may make more sense to have that in an OpenID Connect integration that does the validations, and then build the Azure AD OpenID integration on top of that.


#20

You’ve lost me a bit there. I was talking about a general library for the openid callback validations. Not specific to your authentication library and only handling the validation part, not the rest.

I’m thinking of doing this anyway because I think this might be a common problem. I think a lot of people don’t realise the client side validations are necessary.
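The client-side callback validations discussed in #6, #12 and #20, as an added example that is not code from ueberauth, PowAssent or any library named in this thread. It assumes the ID token's signature has already been verified against the provider's JWKS, that the nonce was stored in the session before the redirect, and that the Azure AD tenant and client id values are placeholders.

```elixir
defmodule IdTokenClaims do
  # Validates the claims of an OpenID Connect ID token received in the callback.
  # Assumption: the JWT signature was already checked against the provider's JWKS.
  @clock_skew 60

  # claims:   decoded JWT payload (map with string keys)
  # expected: %{issuer: ..., client_id: ..., nonce: ...}
  # now:      unix time in seconds (injectable so the check is deterministic)
  def validate(claims, expected, now \\ System.os_time(:second)) do
    with :ok <- check_issuer(claims["iss"], expected.issuer),
         :ok <- check_audience(claims["aud"], expected.client_id),
         :ok <- check_expiry(claims["exp"], now),
         :ok <- check_issued_at(claims["iat"], now),
         :ok <- check_nonce(claims["nonce"], expected.nonce) do
      {:ok, claims}
    end
  end

  # Issuer must be exactly the tenant-specific issuer configured for this app.
  defp check_issuer(iss, iss) when is_binary(iss), do: :ok
  defp check_issuer(_, _), do: {:error, :issuer_mismatch}

  # aud may be a string or a list; our client id must be in it.
  defp check_audience(aud, client_id) when is_binary(aud) and aud == client_id, do: :ok
  defp check_audience(aud, client_id) when is_list(aud) do
    if client_id in aud, do: :ok, else: {:error, :audience_mismatch}
  end
  defp check_audience(_, _), do: {:error, :audience_mismatch}

  defp check_expiry(exp, now) when is_integer(exp) and exp + @clock_skew > now, do: :ok
  defp check_expiry(_, _), do: {:error, :token_expired}

  defp check_issued_at(iat, now) when is_integer(iat) and iat - @clock_skew <= now, do: :ok
  defp check_issued_at(_, _), do: {:error, :invalid_issued_at}

  # Nonce must equal the value stored in the session before redirecting to Azure AD;
  # a missing nonce on either side is rejected.
  defp check_nonce(nonce, nonce) when is_binary(nonce), do: :ok
  defp check_nonce(_, _), do: {:error, :nonce_mismatch}
end

# Constructed sample (placeholder tenant and client ids, not real values).
issuer = "https://login.microsoftonline.com/<tenant-id>/v2.0"
claims = %{
  "iss" => issuer, "aud" => "<client-id>", "nonce" => "n-0S6_WzA2Mj",
  "iat" => 1_700_000_000, "exp" => 1_700_000_600
}
expected = %{issuer: issuer, client_id: "<client-id>", nonce: "n-0S6_WzA2Mj"}
IdTokenClaims.validate(claims, expected, 1_700_000_300)
IdTokenClaims.validate(%{claims | "nonce" => "other"}, expected, 1_700_000_300)
```

The second call fails with `{:error, :nonce_mismatch}`, which is the replay case the nonce exists to catch; in a real callback the stored nonce should also be deleted from the session after a successful check.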