I’ve been working on an OAuth provider for quite a while now. I published a package including the functional core and its corresponding Ecto/Cache adapters. Being quite new to the Elixir world, all feedback is welcome!
The package is based on a hexagonal architecture; the application layer is still a work in progress.
I use the package for personal projects, and the interface is starting to stabilize as I integrate it. If it looks good to you and you want to integrate it, do not hesitate to reach out to me.
It was a happy journey developing the package, as it was intended as a use case for learning Elixir.
I used to start with 0.X releases. As I made breaking changes, I incremented the major version to reflect that. I was not aware that 1.0 was meant to signal production readiness. The application layer is decoupled from the core, which is fairly stable for the use cases I have faced, hence the release. That said, there is no production use case yet.
Boruta is a demon guarding a castle in a small town in Poland. I have one representation of him at my home, keeping me from bad fate. It is said that if you have such a demon at home, nothing can happen to you.
Other packages may well be suitable and easier to integrate; I built this package to test hexagonal architecture in such a use case. It is suitable if you want to decouple users from authorization logic. It is also easier to test, by mocking the secondary adapters with Mox.
Well, not really. 1.0.0 when using SemVer means that the API is stable and will not change as long as the major version stays the same. It doesn’t say anything about “production readiness”, nor even “stability” (depending on the definition of “stable”).
Actually he is a devil. If you want to see more about it, you can check out “Legendy Polskie” (Polish Legends), which is a series of short movies (it was meant to be a full cinematic production, but they canceled it):
In my opinion, common sense says that 1.0.0 means something that is production ready; at least that is what I have seen in all my years among all the developers I have worked with, in forums, etc., but I understand that others may see it differently.
SemVer is not a good standard, and a lot of developers and libraries use the x.y.z version scheme without necessarily understanding it, or even knowing that others may think they are using it; a lot of developers also give a different meaning to each part of x.y.z in their own work. But let’s not start discussing SemVer here, because this thread is about Boruta.
This release includes some improvements, but mainly support for OpenID Connect Core 1.0, and provides generators to create basic controllers exposing the endpoints the specification requires. For now the version looks stable, but I have still marked it as a release candidate to see what comes out.
Note that the package passes the OpenID certification test suite. Since that is only indicative, I still need to submit an application, which may be done at any time in the future.
Have a look at boruta | Hex. As usual, all feedback is very welcome.
I just released the 2.0 stable version of Boruta; the release candidate has been out long enough to show the stability of the authorization API. There is still room for improvement in the administration tools; they will come along the way. It includes minor fixes and improved documentation, such as a how-to for setting up an authorization provider from scratch, which I hope will help integrations. (Note that there are a few breaking changes when upgrading from the release candidate, listed in the CHANGELOG.)
As a reminder, the package is meant to implement the OAuth 2.0 and OpenID Connect Core 1.0 specifications to provide the core of an authorization server. One specificity of the implementation is that it is decoupled from your user models through hexagonal architecture. Along with the core, you can generate basic Phoenix controllers, views, and templates exposing the endpoints the specifications require. Have a look at hex.pm and at GitLab if you want to dig deeper; I would be happy to receive feedback.
Besides the package, I am working on a standalone version that would help deploy an authorization provider instance easily. For that, it would also include an identity provider and an administration interface. I would be happy to have people involved in the decisions about which features to implement. The objective would be to define and shape the features you could be interested in, keeping in mind the target of a lightweight open source IAM server. Do not hesitate to reach out to me if you want to discuss it.
A quick note about the release of version 2.0.1. In it, I made an effort for the generated provider, along with phx.gen.auth, to pass the OpenID certification. In particular, it includes a fix for the hybrid flow error return type, following the specification.
I built a server using the package and its generated controllers that now passes the automated tests provided by the OpenID Foundation for the basic, implicit, and hybrid OpenID provider profiles (pull requests for the jwks and userinfo endpoints are on the way). I’ll post a note here once I am sure I can open-source the deployment that passed the test suite. I’ll keep you posted.
I just released version 2.1.0 of boruta. It adds management of the OpenID Connect userinfo and jwks endpoints.
This release helped build an example server (patatoid / boruta_example · GitLab). It will be the basis for filling out an application for the OpenID Foundation certifications. The steps to build this provider have been documented on hex.pm; I hope it is accurate and helps further integrations.
The next step is to submit an application, which could happen very soon.
Version 2.1.0 finally got certified for the basic and implicit OpenID profiles. The hybrid profile is well advanced; I am discussing a specific point I could not understand well (the encoding of returned errors) and hope to have that certification soon.
Elixir now has its own section in the list of OpenID provider libraries (Certified OpenID Connect Implementations | OpenID). If anyone thinks the descriptions or documentation can be improved to give the package better visibility, that would be very welcome.
Note that I also released 2.1.1, which fixes a dialyzer warning introduced in 2.1.0.
Thanks to the community, which greatly helped get this done.
I finally got certified for the hybrid OpenID profile and released version 2.1.2, which fixes the hybrid-specific error return encoding issue.
It is a huge step for the library. Going forward, I still have in mind to provide a standalone version. I hope I can give you news about it soon; there is still a lot of work to be done.
Until then, some improvements have been brought to the library, notably confidential client management and ID Token signature algorithm configuration.
Those changes introduced a security issue since 2.1.4, which has been fixed in 2.2.1. That leak enabled the jwks endpoint implementation to expose symmetric keys as client secrets. It is strongly advised for those using the jwks implementation to update the package and invalidate the private client secrets that have been exposed.
An OpenID certification is on the way for the latest version of the package; I’ll keep you posted.
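The leak described in the post above is a general hazard for any jwks endpoint built from a provider's stored key material: a confidential client's secret kept as a symmetric ("oct") JWK for HS256 ID tokens has no public half, so publishing it publishes the secret. The following is an added example, not Boruta's code, written in Python with the standard library so it runs stand-alone. It shows the naive JWKS builder beside an allowlist-based one that only emits the public members of asymmetric keys, plus an audit function you can run over a fetched JWKS document to check whether an endpoint is leaking. All key values and kids are constructed placeholders.

```python
"""JWKS publication without leaking secrets (added example, not Boruta's code).

Key material below is constructed: the base64url strings are placeholders,
not real keys, so this only demonstrates the filtering logic.
"""

# Members that carry secret material per RFC 7517/7518, by key type.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
}

# Allowlist of members that may appear in a published JWK. An allowlist is
# safer than stripping known-private members: an unexpected field is dropped
# rather than leaked.
PUBLIC_MEMBERS = {"kty", "kid", "use", "alg", "key_ops", "n", "e", "crv", "x", "y"}

# Constructed provider key store: an RSA signing key with its private parts,
# an EC signing key with its private scalar, and a confidential client's
# secret stored as a symmetric JWK for HS256 ID tokens (the kind of entry
# that a naive jwks endpoint would publish).
STORED_KEYS = [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB",
     "d": "placeholder-private-exponent", "p": "placeholder-p", "q": "placeholder-q"},
    {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256", "crv": "P-256",
     "x": "placeholder-x", "y": "placeholder-y", "d": "placeholder-d"},
    {"kty": "oct", "kid": "client-abc", "alg": "HS256", "k": "placeholder-client-secret"},
]


def jwks_naive(keys):
    """Failure mode: serialise the stored keys as-is. Leaks private members
    and the client's symmetric secret."""
    return {"keys": [dict(jwk) for jwk in keys]}


def jwks_public(keys):
    """Hardened builder: skip symmetric and unknown key types entirely and
    keep only allowlisted members of asymmetric keys."""
    published = []
    for jwk in keys:
        kty = jwk.get("kty")
        if kty == "oct" or kty not in PRIVATE_MEMBERS:
            continue  # no public half to publish (oct) or type we don't know how to filter
        published.append({k: v for k, v in jwk.items() if k in PUBLIC_MEMBERS})
    return {"keys": published}


def leaked_secrets(jwks):
    """Audit a JWKS document (for example one fetched from a live /jwks
    endpoint) and return the kids of entries that reveal secret material."""
    leaked = []
    for jwk in jwks.get("keys", []):
        kty = jwk.get("kty")
        if kty == "oct":
            leaked.append(jwk.get("kid"))          # symmetric key: the value *is* the secret
        elif kty in PRIVATE_MEMBERS and PRIVATE_MEMBERS[kty] & set(jwk):
            leaked.append(jwk.get("kid"))          # asymmetric key with private members
    return leaked


if __name__ == "__main__":
    print("naive endpoint leaks:", leaked_secrets(jwks_naive(STORED_KEYS)))
    print("hardened endpoint leaks:", leaked_secrets(jwks_public(STORED_KEYS)))
```

If `leaked_secrets` reports anything for a deployed endpoint, treat every listed kid as compromised: rotate the asymmetric keys and, as the post says, invalidate the exposed client secrets rather than only fixing the endpoint.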
I am a noob when it comes to backend and authentication.
phx.gen.auth made my life easier because I don’t have to think about auth.
I see this cool library you created; can you please add some demo UI, and GIFs & screenshots, so I can relate to how it can be used?
P.S. Can it be used to provide single sign-on to subdomains?
For instance, I have started adding subdomains for different services I am running, and I want to secure their dashboards behind a forward auth proxy.
Instead of using Authelia, Authentik or an OAuth2 library, I just want to log in once in my app, and every subdomain I have access to, based on my authorization rules, should become accessible!!
Thank you @pknorth! FYI, I am about to do my research into whether your lib will suit our client, and it will include an internal code review if we decide to use the lib. The industry is large and confidentiality is critical, so we kind of have to do it with every package.
The use case will be extending an existing custom single sign-on solution with an OpenID Connect provider.
Happy to hear you are considering using the package.
This library does not stand as a standalone authorization server but provides tooling to build one and to extend existing Elixir applications. That said, I am working on a standalone version that is coming soon. Just give me your GitHub account and I’ll provide early access. Once the release is done, I’ll work on the documentation and provide more content to assess the product.
It is great to see companies interested in the package.
Some of the package’s users have passed security audits, which already led to some changes/improvements for them to pass successfully.
I hope it will also pass your assessment. If anything comes up, open an issue on GitLab and I’ll work on it (I try to be as responsive as possible). As I said in my previous post, I plan to pass the OpenID certification for the latest version as I release a standalone version on top of the package.
Thank you for considering my work, do not hesitate to reach out if you need more information about the package.
Just a note about the release of version 2.3.0, which adds, as stated in CHANGELOG.md:
configuration and support for client authentication methods (client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt) per RFC 7521 and RFC 7523
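Of the four methods listed, client_secret_jwt and private_key_jwt are the ones that move the client secret off the wire: the client POSTs a short-lived JWT assertion (RFC 7523, profile of RFC 7521) and the token endpoint verifies it against the credential registered for that client. The following is an added example, not Boruta's code, in Python with the standard library only: the client side builds the token request, and the server side performs the checks an implementer has to get right (registered auth method, signature with the client's own secret, iss == sub == client_id, audience, expiry, jti replay). Client id, secret and endpoint URL are constructed values. private_key_jwt is the same assertion signed with RS256/ES256 and verified against the client's registered JWKS; it is not shown because the standard library has no RSA/EC implementation.

```python
"""client_secret_jwt client authentication at a token endpoint.

Added example (not Boruta's code). Constructed values: TOKEN_ENDPOINT,
CLIENTS and CLIENT_SECRET are placeholders for the provider's registry.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://op.example.test/oauth/token"  # constructed
CLIENT_SECRET = "constructed-client-secret-of-at-least-32-bytes!!"  # constructed
CLIENTS = {  # what the provider registered for each client
    "client-123": {"secret": CLIENT_SECRET, "token_endpoint_auth_method": "client_secret_jwt"},
}
SEEN_JTI = set()  # replay cache; in production keep it until the assertion's exp


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def build_client_assertion(client_id, secret, token_endpoint, now=None, ttl=60):
    """Client side: JWT per RFC 7523 section 3, HMAC-signed with the client secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}".encode()
    return signing_input.decode() + "." + b64url(hs256(signing_input, secret))


def token_request(client_id, secret, code, redirect_uri):
    """Form body the client POSTs; note there is no client_secret parameter."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_assertion_type": JWT_BEARER,
            "client_assertion": build_client_assertion(client_id, secret, TOKEN_ENDPOINT)}


def authenticate_client(form, now=None):
    """Server side: return the authenticated client_id or raise ValueError."""
    now = int(time.time()) if now is None else now
    if form.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("unsupported client assertion type")
    try:
        h, p, s = form["client_assertion"].split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed client assertion") from exc
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the assertion must not pick the algorithm family
    client_id = claims.get("iss")
    client = CLIENTS.get(client_id)
    if client is None or claims.get("sub") != client_id:
        raise ValueError("unknown client or iss/sub mismatch")
    if client["token_endpoint_auth_method"] != "client_secret_jwt":
        raise ValueError("client not registered for client_secret_jwt")
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode(), client["secret"]), b64url_decode(s)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        raise ValueError("jti missing or replayed")
    SEEN_JTI.add(jti)
    return client_id


def try_authenticate(form, now=None):
    """Wrapper returning the client_id or 'error: <reason>' for callers that prefer values."""
    try:
        return authenticate_client(form, now)
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    req = token_request("client-123", CLIENT_SECRET, "authz-code", "https://rp.example.test/cb")
    print(try_authenticate(req))   # client-123
    print(try_authenticate(req))   # replayed assertion is refused
```

The order of checks matters less than their completeness: without the audience check an assertion minted for another provider's token endpoint would authenticate the client here, and without the jti cache a captured assertion can be replayed until its exp. A hybrid client that also sends a client_secret form field should be rejected, since RFC 7521 allows exactly one authentication method per request.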