Creating authentication from scratch in Phoenix is way too hard. Looking for advice...

I recently spent a few weeks studying the Programming Elixir book by Dave Thomas and enjoyed it quite a lot. Now I am going through the Programming Phoenix book and, after cruising through the first 4 chapters, I am having tremendous difficulty grasping chapter 5, which deals with creating authentication from scratch. I have prior experience in Rails and I had a similar experience when I learnt it from Michael Hartl's excellent RoR book. Eventually I learnt Devise, so not knowing authentication deeply didn't hurt me, I guess. My question is: if I give up on this chapter and carry on and learn ueberauth and guardian, will I be fine? My goal is to be able to build well-authenticated web apps and APIs in Phoenix.


I personally find ueberauth and guardian much more complicated than what is presented in the Programming Phoenix book. What exactly do you find difficult there?

1 Like

This is pretty good: Pow: Robust, modular, extendable user authentication and management system

1 Like

I think I am fumbling in understanding how plugs and changesets are being used in the chapter. Also understanding how sessions work for implementing login/logout is hard for me.

Did you mean I should consider Pow instead of ueberauth/guardian? I have seen the community is more inclined towards ueberauth/guardian for production-grade apps. Also, JWT is supported in guardian.

I would recommend strongly against rolling your own authentication, especially for production apps. It’s a great exercise, but it’s not something you usually should have to mess with when actually building an app.

I would use any good open source auth system, ideally one that has security audits. Guardian and ueberauth may work well for you, but you should read up on them. Guardian is based on JWT, and it didn’t work for the kind of apps I was building.

I ended up writing Pow that uses short lived sessions by default. I wanted to have an auth system where I didn’t have to think of the internals, and that I can spin up in seconds for a new project :grin:

You can use Pow with Guardian though if you need JWT. It’s not one or the other.


Rolling your own is a lot of fun though :slight_smile: and I’ve learned a LOT by giving it a go once upon a time. However, I agree that it is generally a bad idea if you are trying to make a production-grade app. Didn’t know about pow, will definitely check that out!


Personally, I don't like to use external packages for auth stuff, especially those bigger packages that come with their own migrations, controllers and templates. Customizing them takes 5x longer than building the stuff I need. I also want to keep control over how the data is handled and stored.

I am not saying the packages out there are shit, I just don’t feel comfortable using them.


Plugs, changesets and sessions are also used by 3rd-party auth libraries. Changesets also appear in Ecto and are a very nice means of encapsulating closure. Both plugs and changesets also appear in other business processes and can be taken as a basic architecture for Elixir/Phoenix applications.

In short, understanding these goes beyond just the exercises in the book.
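As an added illustration of how the three pieces named above fit together (this is example code written for this thread, not code from Programming Phoenix, Pow, Guardian or any other project): a changeset that hashes the password before it reaches the database, a module plug that loads the current user from the session, and a function plug that guards protected routes. It assumes a `MyApp.Accounts` context exposing `get_user/1` and `get_user_by_email/1`, and the `bcrypt_elixir` package (`Bcrypt.hash_pwd_salt/1`, `Bcrypt.verify_pass/2`, `Bcrypt.no_user_verify/0`); all module and function names are hypothetical.

```elixir
# Added example, not from the book or any library discussed in this thread.
# Assumes a MyApp.Accounts context (get_user/1, get_user_by_email/1) and the
# bcrypt_elixir package. Names are hypothetical.

defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # Virtual: accepted from the form, never persisted.
    field :password, :string, virtual: true, redact: true
    field :password_hash, :string, redact: true
    timestamps()
  end

  # Changeset: validate the plaintext, then swap it for a bcrypt hash so the
  # plaintext never reaches the database. Invalid changesets are left alone.
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    |> validate_format(:email, ~r/^[^\s]+@[^\s]+$/)
    |> validate_length(:password, min: 12, max: 72)
    |> unique_constraint(:email)
    |> put_password_hash()
  end

  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    put_change(cs, :password_hash, Bcrypt.hash_pwd_salt(pw))
  end

  defp put_password_hash(changeset), do: changeset
end

defmodule MyAppWeb.Auth do
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2, put_flash: 3]

  def init(opts), do: opts

  # Module plug for the :browser pipeline: turn the user_id stored in the
  # (signed) session cookie into conn.assigns.current_user, or nil.
  def call(conn, _opts) do
    user_id = get_session(conn, :user_id)
    user = user_id && MyApp.Accounts.get_user(user_id)
    assign(conn, :current_user, user)
  end

  # Verify credentials. When the email is unknown we still run a bcrypt
  # computation so response timing does not reveal which emails exist.
  def authenticate(email, password) do
    user = MyApp.Accounts.get_user_by_email(email)

    cond do
      user && Bcrypt.verify_pass(password, user.password_hash) ->
        {:ok, user}

      user ->
        {:error, :unauthorized}

      true ->
        Bcrypt.no_user_verify()
        {:error, :not_found}
    end
  end

  # Store only the id in the session and rotate the session id on login,
  # which defeats session fixation.
  def login(conn, user) do
    conn
    |> assign(:current_user, user)
    |> put_session(:user_id, user.id)
    |> configure_session(renew: true)
  end

  # Drop the whole session rather than just deleting :user_id.
  def logout(conn), do: configure_session(conn, drop: true)

  # Function plug for protected routes: `plug :require_authenticated_user`.
  # halt/1 stops the pipeline so the controller action never runs.
  def require_authenticated_user(conn, _opts) do
    if conn.assigns[:current_user] do
      conn
    else
      conn
      |> put_flash(:error, "You must be logged in to access that page")
      |> redirect(to: "/sessions/new")
      |> halt()
    end
  end
end
```

`MyAppWeb.Auth` is meant to sit in the router's `:browser` pipeline after `:fetch_session` and `:fetch_flash`, and `require_authenticated_user` is added as a plug in the controllers (or a second pipeline) that must not be reachable anonymously. Two caveats worth knowing when doing this by hand: Phoenix's default cookie session store signs but does not encrypt the cookie, so `user_id` is tamper-proof yet readable by the client (set `encryption_salt` in the session options if that matters); and `configure_session(renew: true)` on login is the step most hand-rolled implementations forget.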


Yeah, I had the same issue. All existing user management libraries were tough to work with, and very limiting when I needed any kind of customization. I constantly hit my head against the wall. It was such a frustrating experience that it prompted me to create Pow. Hopefully I have been able to prevent most of these issues and hit a good balance between being a plug 'n' play library and easy customization.