There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good experiences with Phoenix Framework auth yet and if so how would they communicate those to a Junior Developer just learning the ropes?
What kind of authentication do you want? For cookie-based one you can use
Plug.Conn.get_session/2 (after the session has been fetched, which is done by the
:fetch_session plug in the default phoenix
:browser pipeline in the router). For header-based authentication I usually use bearer tokens which are stored in the database alongside other user / account data.
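Both styles described above in one plug, as an added example that is not from any poster in this thread. It assumes a context module MyApp.Accounts exposing get_user/1 and get_user_by_api_token/1 (hypothetical names), and that :fetch_session has already run for the cookie path.

```elixir
defmodule MyAppWeb.Plugs.Authenticate do
  @moduledoc """
  Hypothetical example plug (not the thread's code). Accepts either the browser
  session cookie or an "Authorization: Bearer <token>" header whose token is
  looked up in the database, and rejects the request with 401 otherwise.
  Mount it in the router, e.g. `plug MyAppWeb.Plugs.Authenticate` in a pipeline.
  """
  import Plug.Conn
  # Assumed context module; get_user/1 and get_user_by_api_token/1 return a user struct or nil.
  alias MyApp.Accounts

  def init(opts), do: opts

  def call(conn, _opts) do
    case current_user(conn) do
      nil ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()

      user ->
        assign(conn, :current_user, user)
    end
  end

  # Cookie-based: the session carries only the user id (the cookie is signed by
  # Plug, so the id cannot be tampered with). The user row is reloaded on every
  # request, so a disabled or deleted account stops being accepted immediately.
  defp current_user(conn) do
    case get_session(conn, :user_id) do
      nil -> user_from_bearer(conn)
      id -> Accounts.get_user(id)
    end
  end

  # Header-based: bearer tokens are opaque random strings stored per user in the
  # DB (storing only a hash of the token, and looking up by hash, is a common
  # hardening so a DB read does not hand out usable credentials).
  defp user_from_bearer(conn) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         true <- byte_size(token) in 32..128,
         %{} = user <- Accounts.get_user_by_api_token(token) do
      user
    else
      _ -> nil
    end
  end
end
```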
Guardian is a popular choice. https://github.com/ueberauth/guardian
It is also quite simple to roll your own with Phoenix Token. This will be enough for any Web/API/GraphQL authentication. It is also possible to add authorization, as You can save role_ids inside tokens.
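The roll-your-own variant the post describes, as an added example (not code from the thread or from Phoenix itself): a signed Phoenix.Token carrying user_id and role_ids, and a plug that verifies it and enforces a role. It assumes a standard MyAppWeb.Endpoint; the module and function names are illustrative.

```elixir
defmodule MyAppWeb.Auth.Token do
  # Added example, not from the thread. Phoenix.Token signs with the endpoint's
  # :secret_key_base; the payload is signed, not encrypted, so the client can
  # read role_ids but cannot forge or alter them.
  @salt "user auth"       # namespaces tokens; use a different salt per purpose
  @max_age 60 * 60 * 24   # verify/1 rejects tokens older than 24 hours

  def issue(user_id, role_ids) when is_integer(user_id) and is_list(role_ids) do
    Phoenix.Token.sign(MyAppWeb.Endpoint, @salt, %{user_id: user_id, role_ids: role_ids})
  end

  # Returns {:ok, claims} or {:error, :expired | :invalid | :missing}.
  # Caveat: role_ids are frozen in the token until it expires, so revoking a
  # role only takes effect after @max_age unless you also check the DB.
  def verify(token) do
    Phoenix.Token.verify(MyAppWeb.Endpoint, @salt, token, max_age: @max_age)
  end
end

defmodule MyAppWeb.Plugs.RequireRole do
  # Usage in a router pipeline: plug MyAppWeb.Plugs.RequireRole, 3
  import Plug.Conn

  def init(role_id), do: role_id

  def call(conn, role_id) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, %{user_id: uid, role_ids: roles}} <- MyAppWeb.Auth.Token.verify(token),
         true <- role_id in roles do
      assign(conn, :current_user_id, uid)
    else
      # valid token but missing the role: authenticated, not authorized
      false -> reject(conn, 403)
      # no header, bad signature, or expired: not authenticated
      _ -> reject(conn, 401)
    end
  end

  defp reject(conn, status), do: conn |> send_resp(status, "") |> halt()
end
```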
One fact with authentication, it highly depends on situation.
There are solutions for some cases…
Or ueberauth, if You want to integrate third party auth, like FB, Google, Github…
Which pre-rolled solutions do You have in mind?
I tried Guardian before and I couldn’t get it working. I’ll see if our Junior can do it.
Good set of tutorials here: https://medium.com/@Stephanbv/elixir-phoenix-lets-code-authentication-todo-application-part-1-599ee94cd04d
In my opinion JWTs in general and Guardian in particular are appropriate for an API endpoint. It's not really geared towards web applications, for reasons that are well articulated in this somewhat salty article.
I am biased because I made it but AccessPass is a pretty full featured auth solution if you are looking for something to just work out of the box with little code.
Guardian is a token/jwt library, it doesn’t do auth.
An authentication library for use with Elixir applications. Guardian is a token based authentication library for use with Elixir applications.
What could be done with guardian, could be done by Phoenix.Token… with a lighter token. Token/jwt is more for server to server authentication.
Do tell how it acquires that auth then?
All that I’ve seen shows that it will ‘hold’ arbitrary data given to it (which could be auth, or other stuff) and stores it via a token or jwt, so… it looks like a token/jwt library, it does nothing to acquire auth (which is the hard part).
Your junior dev might be interested in the “Simple authentication” section of this tutorial:
I decided to roll my own because it’s very easy, and I’m also learning Elixir & Phoenix.
The tutorial was published last month, so it’s up to date.
Didn’t mean to antagonize, was just quoting their docs
Here’s a post explaining how to use Guardian for authentication in a Phoenix web app, seems pretty straight forward: https://itnext.io/user-authentication-with-guardian-for-phoenix-1-3-web-apps-e2064cac0ec1
You should read the salty article link posted by @jeremyjh some post ago…
The full title is “Stop using JWT for sessions”
and this previous topic
Unfortunately “authenticate” has really two different meanings here.
Guardian “authenticates” requests, it does not authenticate user identity. It authenticates requests by checking that it bears a JWT that was signed with the Guardian secret. It authorizes the request by further determining that the token has not expired, and that it has access to the claims required for the current controller method.
Before telling Guardian to sign a JWT, and handing it to a user - you need to authenticate the user by challenging for a username and password, 3fa etc. Guardian does not address this second meaning of authenticate, and it's often at least part of what people are asking for in an authentication solution.
Uh, except it’s not using Guardian for Authentication, it’s using BCrypt local passwords for authentication… o.O
JWT is not for sessions, it’s for server-to-server transmission of signed data.
And easily 99% of the time when I see people ask about authentication libraries here (or really anywhere) they are asking about how to authenticate user identity.
Only a request that is embedded ‘inside’ the token to be specific, it does not authenticate, say, a web request that happens to include it (although that could be embedded inside it, although no one ever does that I’ve seen).
Like Guardian is fantastic for passing Authorization information inside a (JWT) token across servers, even then that is used to authenticate access via that authorization, which still has nothing to do with user authentication.
It is not designed to be used for intra-server communication, either Phoenix tokens or the session is better for that. And I have yet to see anyone need multi-distinct-server communication to/from a non-elixir system, thus I have not seen anyone here yet that would benefit from Guardian, thus I wish people would quit suggesting it as it just makes things more difficult for the people that try to use Guardian. Quite literally in that article linked above instead of putting the ‘YouAreAllowedToDoAnything’ authorization information inside a Guardian (JWT) token, what they SHOULD be doing is putting it on the phoenix session, at which point the code is significantly less, it’s faster, it’s less likely to break, etc… etc…
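The two meanings of "authenticate" separated in code, and the session-based approach recommended above, as an added example (not from any poster): the user identity check is a password verification, and what gets stored afterwards is a session entry rather than a JWT. It assumes bcrypt_elixir (the Bcrypt module), a hypothetical MyApp.Accounts.get_user_by_email/1 returning a struct with a :password_hash field, and the standard `use MyAppWeb, :controller`.

```elixir
defmodule MyAppWeb.SessionController do
  # Added example, not from the thread. Assumes bcrypt_elixir and a
  # MyApp.Accounts.get_user_by_email/1 that returns %{password_hash: ...} or nil.
  use MyAppWeb, :controller
  alias MyApp.Accounts

  # Meaning 1: authenticate the user's identity by challenging for a password.
  # This is the part a token library like Guardian does not do for you.
  def create(conn, %{"email" => email, "password" => password}) do
    case authenticate_user(email, password) do
      {:ok, user} ->
        conn
        # new session id at login so a cookie issued before login is not reused (fixation)
        |> configure_session(renew: true)
        # the signed session cookie, not a JWT, now carries "who is logged in";
        # per-request plugs reload the user and its roles from the DB
        |> put_session(:user_id, user.id)
        |> redirect(to: "/")

      {:error, :unauthorized} ->
        conn
        |> put_flash(:error, "Invalid email or password")
        |> render("new.html")
    end
  end

  # Logout drops the whole session so nothing stored in it survives.
  def delete(conn, _params) do
    conn
    |> configure_session(drop: true)
    |> redirect(to: "/")
  end

  defp authenticate_user(email, password) do
    case Accounts.get_user_by_email(email) do
      %{password_hash: hash} = user ->
        if Bcrypt.verify_pass(password, hash),
          do: {:ok, user},
          else: {:error, :unauthorized}

      nil ->
        # spend the same time as a real hash check so response timing does not
        # reveal which emails have accounts
        Bcrypt.no_user_verify()
        {:error, :unauthorized}
    end
  end
end
```

Meaning 2 (authenticating a request) is then just `get_session(conn, :user_id)` in a plug, which is what the rest of the app checks on every request.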
Yes, I thought the link would naturally lead a beginner to the other ueberauth packages: https://github.com/ueberauth
It really really doesn’t based on how much it keeps getting asked about on these forums. ^.^;