Good auth solutions for Elixir/Phoenix?

There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good experiences with Phoenix Framework auth yet, and if so, how would they communicate those to a junior developer just learning the ropes?


:wave:

What kind of authentication do you want? For cookie-based auth you can use Plug.Conn.put_session/3 and Plug.Conn.get_session/2 (after the session has been fetched, which is done by the :fetch_session plug in the default Phoenix :browser pipeline in the router). For header-based authentication I usually use bearer tokens which are stored in the database alongside other user / account data.

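As an added example (my code, not from the thread or from Phoenix/Plug) of the header-based approach described in the post above: an opaque bearer token issued per user, with only its SHA-256 hash stored in the database, and a plug that checks the Authorization header. The module names, the `users.api_token_hash` column and `MyApp.Repo` are assumptions made for illustration.

```elixir
defmodule MyApp.Accounts.ApiToken do
  @moduledoc """
  Opaque bearer tokens stored in the database (assumed column:
  users.api_token_hash, type :binary). Only a SHA-256 of the token is
  stored, so a leaked database dump does not hand out usable credentials.
  """

  @rand_bytes 32

  # Returns {token_to_show_the_user_once, hash_to_store}.
  def generate do
    token =
      @rand_bytes
      |> :crypto.strong_rand_bytes()
      |> Base.url_encode64(padding: false)

    {token, hash(token)}
  end

  def hash(token) when is_binary(token), do: :crypto.hash(:sha256, token)
end

defmodule MyAppWeb.Plugs.BearerAuth do
  @moduledoc "Authenticates API requests carrying `Authorization: Bearer <token>`."
  import Plug.Conn
  alias MyApp.Accounts.ApiToken

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         %{id: _} = user <- lookup_user(token) do
      assign(conn, :current_user, user)
    else
      # Missing or malformed header, unknown token, or nil from the lookup.
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end

  # Assumption: a users table with an api_token_hash column. Looking the user
  # up by the hash means the plaintext token never reaches the database.
  defp lookup_user(token) do
    MyApp.Repo.get_by(MyApp.Accounts.User, api_token_hash: ApiToken.hash(token))
  end
end
```

Issue a token with `{token, hash} = MyApp.Accounts.ApiToken.generate()`, persist `hash` on the user and show `token` to the caller exactly once. Because the server holds the record, revocation is a column update; that is the property a signed, self-contained token cannot give you without a blacklist.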

Guardian is a popular choice. https://github.com/ueberauth/guardian


It is also quite simple to roll your own with Phoenix.Token. This will be enough for any Web/API/GraphQL authentication. It is also possible to add authorization, as you can save role_ids inside tokens.

One fact about authentication: it highly depends on the situation.

There are solutions for some cases…

Or ueberauth, if you want to integrate third-party auth, like FB, Google, GitHub…

Which pre-rolled solutions do you have in mind?

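An added example (my code, not from the thread or from Phoenix) of the roll-your-own approach in the post above: Phoenix.Token signing a payload that carries the user id and role_ids, and a plug that verifies the token and requires a role. `MyAppWeb.Endpoint`, the salt, the max_age and the module names are assumptions.

```elixir
defmodule MyAppWeb.Auth.Token do
  @moduledoc """
  Signs a token carrying the user id and role_ids, and verifies it later.
  Phoenix.Token signs with the endpoint's secret_key_base; it does not
  encrypt, so the payload is readable by whoever holds the token.
  """

  @endpoint MyAppWeb.Endpoint      # assumed endpoint module name
  @salt "user auth token"          # namespaces this token type; one per use
  @max_age 60 * 60 * 24            # one day, in seconds

  def sign(user_id, role_ids) when is_integer(user_id) and is_list(role_ids) do
    Phoenix.Token.sign(@endpoint, @salt, %{user_id: user_id, role_ids: role_ids})
  end

  # {:ok, %{user_id: ..., role_ids: ...}} | {:error, :expired | :invalid | :missing}
  def verify(token) do
    Phoenix.Token.verify(@endpoint, @salt, token, max_age: @max_age)
  end
end

defmodule MyAppWeb.Plugs.RequireRole do
  @moduledoc """
  Reads `Authorization: Bearer <token>`, verifies it, and requires that the
  token's role_ids include the role configured in the router, e.g.

      plug MyAppWeb.Plugs.RequireRole, role_id: 1
  """
  import Plug.Conn
  alias MyAppWeb.Auth.Token

  def init(opts), do: Keyword.fetch!(opts, :role_id)

  def call(conn, required_role_id) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, %{user_id: user_id, role_ids: role_ids}} <- Token.verify(token),
         true <- required_role_id in role_ids do
      conn
      |> assign(:current_user_id, user_id)
      |> assign(:role_ids, role_ids)
    else
      # Valid token without the role: authenticated, but not authorized.
      false -> deny(conn, 403)
      # No header, bad signature, tampered payload, or expired token.
      _ -> deny(conn, 401)
    end
  end

  defp deny(conn, status) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(status, ~s({"error":"denied"}))
    |> halt()
  end
end
```

Verification only checks the signature and the age, so a role removed from a user, or a logout, does not take effect until `max_age` has elapsed; keep it short, or treat the role_ids as a hint and reload them from the database when a request is sensitive.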

I tried Guardian before and I couldn't get it working. I'll see if our Junior can do it.

Good set of tutorials here: https://medium.com/@Stephanbv/elixir-phoenix-lets-code-authentication-todo-application-part-1-599ee94cd04d


In my opinion JWTs in general, and Guardian in particular, are appropriate for an API endpoint. It's not really geared towards web applications, for reasons that are well articulated in this somewhat salty article.

Cookie-based sessions work great. If you want a helper library, I can recommend doorman without reservation. We've been using it in production since January and have no complaints. We also use Guardian for our API endpoints (used by third-party applications - our SPA JSON endpoints still just use cookies).


I am biased because I made it, but AccessPass is a pretty full-featured auth solution if you are looking for something that just works out of the box with little code.


https://medium.com/@andreichernykh/phoenix-simple-authentication-authorization-in-step-by-step-tutorial-form-dc93ea350153

Guardian is a token/JWT library; it doesn't do auth.


Guardian is a token/JWT library; it doesn't do auth.

Guardian
An authentication library for use with Elixir applications. Guardian is a token based authentication library for use with Elixir applications.

What could be done with Guardian could be done by Phoenix.Token… with a lighter token. Token/JWT is more for server-to-server authentication.


Do tell how it acquires that auth then? :wink:
All that I've seen shows that it will 'hold' arbitrary data given to it (which could be auth, or other stuff) and store it via a token or JWT, so… it looks like a token/JWT library; it does nothing to acquire auth (which is the hard part).


Your junior dev might be interested in the "Simple authentication" section of this tutorial:

https://lobotuerto.com/blog/building-a-json-api-with-phoenix-and-elixir/

I decided to roll my own because it's very easy, and I'm also learning Elixir & Phoenix.
The tutorial was published last month, so it's up to date.


Didn't mean to antagonize, was just quoting their docs :smiley:

Here's a post explaining how to use Guardian for authentication in a Phoenix web app, seems pretty straightforward: https://itnext.io/user-authentication-with-guardian-for-phoenix-1-3-web-apps-e2064cac0ec1


You should read the salty article link posted by @jeremyjh some posts ago…

The full title is "Stop using JWT for sessions" :slight_smile:

and this previous topic

Unfortunately "authenticate" really has two different meanings here.

Guardian "authenticates" requests; it does not authenticate user identity. It authenticates requests by checking that they bear a JWT that was signed with the Guardian secret. It authorizes the request by further determining that the token has not expired, and that it has access to the claims required for the current controller method.

Before telling Guardian to sign a JWT and handing it to a user, you need to authenticate the user by challenging for a username and password, 3fa, etc. Guardian does not address this second meaning of authenticate, and it's often at least part of what people are asking for in an authentication solution.


Uh, except it's not using Guardian for authentication, it's using BCrypt local passwords for authentication… o.O

JWT is not for sessions; it's for server-to-server transmission of signed data.

And easily 99% of the time when I see people ask about authentication libraries here (or really anywhere) they are asking about how to authenticate user identity.

Only a request that is embedded 'inside' the token, to be specific; it does not authenticate, say, a web request that happens to include it (although that could be embedded inside it, although no one ever does that that I've seen).

Like Guardian is fantastic for passing Authorization information inside a (JWT) token across servers, even then that is used to authenticate access via that authorization, which still has nothing to do with user authentication.

It is not designed to be used for intra-server communication; either Phoenix tokens or the session is better for that. And I have yet to see anyone need multi-distinct-server communication to/from a non-Elixir system, thus I have not seen anyone here yet that would benefit from Guardian, thus I wish people would quit suggesting it, as it just makes things more difficult for the people that try to use Guardian. Quite literally, in that article linked above, instead of putting the 'YouAreAllowedToDoAnything' authorization information inside a Guardian (JWT) token, what they SHOULD be doing is putting it on the Phoenix session, at which point the code is significantly less, it's faster, it's less likely to break, etc… etc…

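An added example (my code, not from the thread, Phoenix or any of the libraries named) of the cookie-session approach recommended in the two posts above: the user-identity step is done with local bcrypt passwords (the "BCrypt local passwords" point made earlier), and the authorization information is kept in the Phoenix session rather than in a token. It assumes bcrypt_elixir's `Bcrypt` module, a `MyApp.Accounts.get_user_by_email/1` function returning a struct with `:id`, `:password_hash` and `:role_ids` (or nil), and a :browser pipeline that already runs :fetch_session and :fetch_flash.

```elixir
defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  alias MyApp.Accounts

  # Step 1: authenticate the *user* (the part a token library leaves to you),
  # then start a fresh cookie session carrying the id and the role ids.
  def create(conn, %{"email" => email, "password" => password}) do
    case authenticate(email, password) do
      {:ok, user} ->
        conn
        # renew: true issues a new session id, so a session id planted before
        # login (session fixation) is never promoted to a logged-in one.
        |> configure_session(renew: true)
        |> put_session(:user_id, user.id)
        |> put_session(:role_ids, user.role_ids)
        |> redirect(to: "/")

      :error ->
        conn
        |> put_flash(:error, "Invalid email or password")
        |> redirect(to: "/login")
    end
  end

  # Logout drops the whole session, not just the user key.
  def delete(conn, _params) do
    conn
    |> configure_session(drop: true)
    |> redirect(to: "/login")
  end

  defp authenticate(email, password) do
    case Accounts.get_user_by_email(email) do
      nil ->
        # Spend the bcrypt cost even for unknown emails so the response time
        # does not reveal which addresses exist.
        Bcrypt.no_user_verify()
        :error

      user ->
        if Bcrypt.verify_pass(password, user.password_hash),
          do: {:ok, user},
          else: :error
    end
  end
end

defmodule MyAppWeb.Plugs.SessionAuth do
  @moduledoc """
  Function plugs for the :browser pipeline (they assume :fetch_session and
  :fetch_flash have run). `import MyAppWeb.Plugs.SessionAuth` in the router,
  then `plug :require_user` or `plug :require_role, 1`.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2, put_flash: 3]

  def require_user(conn, _opts) do
    case get_session(conn, :user_id) do
      nil ->
        conn
        |> put_flash(:error, "Please log in")
        |> redirect(to: "/login")
        |> halt()

      user_id ->
        assign(conn, :current_user_id, user_id)
    end
  end

  # The session is signed by the endpoint's secret_key_base, so the client
  # cannot edit role_ids; no token parsing or verification code is needed.
  def require_role(conn, role_id) do
    if role_id in (get_session(conn, :role_ids) || []) do
      conn
    else
      conn |> send_resp(403, "forbidden") |> halt()
    end
  end
end
```

With the default cookie session store the role_ids are fixed at login and only change when the session is rebuilt; if roles must take effect immediately, store only `:user_id` in the session and reload the user (and its roles) from the database in `require_user`.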

Yes, I thought the link would naturally lead a beginner to the other ueberauth packages: https://github.com/ueberauth :slight_smile:


It really, really doesn't, based on how much it keeps getting asked about on these forums. ^.^;
