Authentication Systems!

Where is Phoenix in terms of providing out of the box auth or providing a full featured auth-system that’s agreed upon by the community ?

Hiya

I believe Phoenix doesn’t ever intend to include authentication, instead they allow users to select what they need.

Guardian/Uberauth provide a nice experience with little fuss. Personally I would prefer to keep it simple and write it myself.

Cheers,
Louis

5 Likes

There’s also a fairly big thread on auth in Phoenix here:

:023:

It seems like it would violate the purpose of both Phoenix and OTP to try to jam authentication into Phoenix itself. The flexibility that the mix and OTP structures provide in terms of allowing multiple applications to co-depend and co-exist within the same compiled erlang release mean that you’ve got a fairly limitless set of opportunities to configure your authentication patterns in still relatively conventional ways using OTP primitives like Genserver.

Honestly I think the argument could be made that the web-first structure offered by Phoenix already goes some way in obscuring parts of that underlying OTP architecture - trying to jam more functionality like auth etc. on top of it would defeat the lightweight implementation of the framework as it stands, and would probably hinder more OTP-centric design.

The larger ethos of the Erlang and Elixir communities seem to widely favor libraries over ‘frameworks’, and for good reason - with a framework you’re basically just opting into an application structure that somebody else has already designed for you, whereas library-centric design gives you the freedom to design the application as best fits your purposes and domain. This might require more thought about system architecture, but should ultimately lead to better solutions and better developers.

Agreed. But is there any library that’s used by large part of community like guardian and yet provide whole set of features?
Most of the apps require auth feature. With the current set of libraries that are provided by elixir or any other ecosytem, we are kinda reinventing the wheel. And it’s a baggage to maintain auth module with all the security concerns.

I do believe we need some language agnostic auth sytem. And if it can be in elixir nothing can be better than that.

There is a project named keycloak which solves most of the auth related problems and is backed by RedHat. It’s not very easy to customize but it solves the auth problems elegantly.
Link: https://www.keycloak.org/

This might be just the the beginning. But the project itself opens up a whole range of new possibilities which is hard to think of with just elixir or ruby eco-systems at this point of time.

Now the question is: should be embrace solutions like keycloak or should we roll our own auth ?
And if the answer is it depends then what are the pros and cons ?

I was running into the same issues when I started out with phoenix. I ended up making https://github.com/jpiepkow/accesspass to fit a lot of the concerns of a full auth system. I have quite a bit on the roadmap for what I want to accomplish with it down the road but it is very much usable right now and I believe quite unique in its solution of authentication and security.

Check AccessPass - a opinionated authorization library for more information.

Please do put any questions or concerns here/in the link above or on the github because I really do want to continue to improve it to something that many people cause use.

3 Likes

I use coherence and coherence assent

Spring is also plug and play for authentication. You can include it or no , or choose what authentication you want to use.
But spring is much more than Phoenix. You could build REST API using spring bust also much more.
For example lately spring added https://cloud.spring.io/spring-cloud-function/ which allow to create lambda functions on AWS.

I am not advocate for Spring :slight_smile:
You can easy build application from blocks but everything is based on annotations and dependency injection patterns.

I think this is the kind of discussion like defining a default cluster topology in OTP. I mean, you can’t please Greeks an Trojans. For example, some people might think that OAuth 2.0 is not secure enough and would rather stay with OAuth 1.0 as Twitter does. One might want a very complicated auth scheme with tables and more tables of User - Devices - seeds for 2fa and so on. Meanwhile most people are only looking into having a e-mail/password authentication.

It is worth noting that authentication should not be a part of the WEB layer IMHO. I agree with the guidelines described in the Mithril docs. Authentication could be a whole context in Phoenix 1.3 parlance which the web layer would call in instead of binding your authentication to the web layer.

Anyway, it is hard to be sufficiently generic in this point.

1 Like