Good auth solutions for Elixir/Phoenix?


What kind of authentication do you want? For cookie-based one you can use Plug.Conn.put_session/3 and Plug.Conn.get_session/2 (after the session has been fetched, which is done by the :fetch_session plug in the default phoenix :browser pipeline in the router). For header-based authentication I usually use bearer tokens which are stored in the database alongside other user / account data.
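The two mechanisms described above (session-backed cookies via `put_session`/`get_session`, and a bearer token looked up in the database) as function plugs, added here as an example rather than code from the thread. It assumes a Phoenix router whose `:browser` pipeline has already run `:fetch_session`, and an `:api` pipeline for header-based requests; the user and token tables are constructed in-memory maps standing in for database queries, and the module and token values are made up.

```elixir
defmodule DemoAuthPlugs do
  # Added example, not code from the thread. Assumes a Phoenix router whose
  # :browser pipeline runs :fetch_session before these plugs, and an :api
  # pipeline for header-based requests. The user and token tables are
  # constructed in-memory maps standing in for database lookups.
  import Plug.Conn

  @users %{1 => %{id: 1, email: "alice@example.com"}}
  # Store only a hash of each bearer token; the plaintext token exists only
  # on the client. "constructed-opaque-token" is a made-up sample value.
  @token_hashes %{:crypto.hash(:sha256, "constructed-opaque-token") => 1}

  # Cookie-based: bind the user id to the session after the password check has
  # passed. renew: true rotates the session id so a cookie captured before
  # login cannot be promoted to a logged-in session (session fixation).
  def log_in(conn, user_id) do
    conn
    |> configure_session(renew: true)
    |> put_session(:user_id, user_id)
  end

  def log_out(conn), do: configure_session(conn, drop: true)

  # Function plug for the :browser pipeline: reads the id back from the session
  # (Plug.Session signs the cookie, so the client cannot forge the id).
  def require_session_user(conn, _opts) do
    with id when not is_nil(id) <- get_session(conn, :user_id),
         {:ok, user} <- Map.fetch(@users, id) do
      assign(conn, :current_user, user)
    else
      _ -> unauthorized(conn)
    end
  end

  # Function plug for the :api pipeline: "Authorization: Bearer <token>",
  # hashed and looked up in storage.
  def require_bearer_user(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, id} <- Map.fetch(@token_hashes, :crypto.hash(:sha256, token)),
         {:ok, user} <- Map.fetch(@users, id) do
      assign(conn, :current_user, user)
    else
      _ -> unauthorized(conn)
    end
  end

  defp unauthorized(conn) do
    conn
    |> send_resp(401, "unauthorized")
    |> halt()
  end
end
```

To use either plug in a controller, `import DemoAuthPlugs` and add `plug :require_session_user` (or `plug :require_bearer_user`) at the top; `log_in/2` is what the login action calls once the password check has succeeded, and the `:fetch_session` plug must have run before any of them.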


Guardian is a popular choice.


It is also quite simple to roll your own with Phoenix Token. This will be enough for any Web/API/GraphQL authentication. It is also possible to add authorization, as you can save role_ids inside tokens.

One fact about authentication: it highly depends on the situation.

There are solutions for some cases…

Or ueberauth, if you want to integrate third party auth, like FB, Google, Github…

Which pre-rolled solutions do you have in mind?
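The Phoenix.Token approach with role ids in the token, written out as an added example (not the poster's code). In a real app the first argument to `Phoenix.Token.sign/3` and `verify/4` is the endpoint module (e.g. `MyAppWeb.Endpoint`); here a constructed secret key base string is used so the module runs on its own, since Phoenix.Token also accepts a string of at least 20 bytes. The module name, salt and role ids are assumptions.

```elixir
defmodule RoleTokenAuth do
  # Added example, not the poster's code. A real app passes its endpoint
  # module (e.g. MyAppWeb.Endpoint) as the first argument to Phoenix.Token;
  # here a constructed secret key base string is used so the module runs on
  # its own (Phoenix.Token accepts a string of at least 20 bytes).
  @secret_key_base "constructed-secret-key-base-with-more-than-twenty-bytes"
  @salt "user auth"
  @max_age 60 * 60 * 24

  # Sign the user id and role ids into a token. The payload is signed, not
  # encrypted: anyone holding the token can read the ids, so put nothing
  # secret in it.
  def issue(user_id, role_ids) when is_list(role_ids) do
    Phoenix.Token.sign(@secret_key_base, @salt, %{user_id: user_id, role_ids: role_ids})
  end

  # max_age rejects tokens older than a day; there is no server-side state to
  # revoke one earlier, which is the trade-off against a database-backed session.
  def verify(token) do
    Phoenix.Token.verify(@secret_key_base, @salt, token, max_age: @max_age)
  end

  # Authorization on top of authentication: the request is accepted only if
  # the token is valid, unexpired, and carries the required role id.
  def authorize(token, required_role_id) do
    case verify(token) do
      {:ok, %{user_id: uid, role_ids: roles}} ->
        if required_role_id in roles, do: {:ok, uid}, else: {:error, :forbidden}

      # reason is :expired, :invalid or :missing (nil token)
      {:error, reason} ->
        {:error, reason}
    end
  end

  # Plug form for an :api pipeline or a GraphQL context function.
  def require_role(conn, required_role_id) do
    with ["Bearer " <> token] <- Plug.Conn.get_req_header(conn, "authorization"),
         {:ok, uid} <- authorize(token, required_role_id) do
      Plug.Conn.assign(conn, :current_user_id, uid)
    else
      {:error, :forbidden} -> reject(conn, 403)
      _ -> reject(conn, 401)
    end
  end

  defp reject(conn, status) do
    conn |> Plug.Conn.send_resp(status, "") |> Plug.Conn.halt()
  end
end
```

The login action calls `RoleTokenAuth.issue(user.id, role_ids)` after the password check and hands the token to the client; `require_role/2` then separates a bad or expired token (401) from a valid token lacking the role (403), so the client can tell "log in again" from "not allowed".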


I tried Guardian before and I couldn’t get it working. I’ll see if our Junior can do it.

Good set of tutorials here:


In my opinion JWTs in general and Guardian are appropriate for an API endpoint. It's not really geared towards web applications, for reasons that are well articulated in this somewhat salty article.

Cookie-based sessions work great. If you want a helper library, I can recommend doorman without reservation. We’ve been using it in production since January and have no complaints. We also use Guardian for our API endpoints (used by third-party applications - our SPA JSON endpoints still just use cookies).


I am biased because I made it, but AccessPass is a pretty full featured auth solution if you are looking for something to just work out of the box with little code.


Guardian is a token/jwt library, it doesn’t do auth.


Guardian is a token/jwt library, it doesn’t do auth.

An authentication library for use with Elixir applications. Guardian is a token based authentication library for use with Elixir applications.

What could be done with guardian, could be done by Phoenix.Token… with a lighter token. Token/jwt is more for server to server authentication.


Do tell how it acquires that auth then? :wink:
All that I’ve seen shows that it will ‘hold’ arbitrary data given to it (which could be auth, or other stuff) and stores it via a token or jwt, so… it looks like a token/jwt library, it does nothing to acquire auth (which is the hard part).


Your junior dev might be interested in the “Simple authentication” section of this tutorial:

I decided to roll my own because it’s very easy, and I’m also learning Elixir & Phoenix.
The tutorial was published last month, so it’s up to date.


Didn’t mean to antagonize, was just quoting their docs :smiley:

Here’s a post explaining how to use Guardian for authentication in a Phoenix web app, seems pretty straightforward:


You should read the salty article link posted by @jeremyjh some posts ago…

The full title is “Stop using JWT for sessions” :slight_smile:

and this previous topic

Unfortunately “authenticate” has really two different meanings here.

Guardian “authenticates” requests, it does not authenticate user identity. It authenticates requests by checking that it bears a JWT that was signed with the Guardian secret. It authorizes the request by further determining that the token has not expired, and that it has access to the claims required for the current controller method.

Before telling Guardian to sign a JWT and handing it to a user, you need to authenticate the user by challenging for a username and password, 3fa etc. Guardian does not address this second meaning of authenticate, and it's often at least part of what people are asking for in an authentication solution.
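The two meanings separated in code, as an added example that is neither Guardian's nor the thread's code. It assumes the bcrypt_elixir library (`Bcrypt.hash_pwd_salt/1`, `Bcrypt.verify_pass/2`, `Bcrypt.no_user_verify/0`); the user store is a constructed map keyed by e-mail standing in for a database table, and the module name and sample credentials are made up.

```elixir
defmodule IdentityAuth do
  # Added example, not Guardian's or the thread's code. Assumes the
  # bcrypt_elixir library (Bcrypt.hash_pwd_salt/1, Bcrypt.verify_pass/2,
  # Bcrypt.no_user_verify/0). The user store is a constructed map keyed by
  # e-mail standing in for a database table.

  def demo_users do
    %{
      "alice@example.com" => %{
        id: 1,
        password_hash: Bcrypt.hash_pwd_salt("correct horse battery")
      }
    }
  end

  # First meaning: authenticate the user's identity by checking the submitted
  # password against the stored hash. Nothing about tokens happens here.
  def authenticate(users, email, password) do
    case Map.fetch(users, email) do
      {:ok, user} ->
        if Bcrypt.verify_pass(password, user.password_hash) do
          {:ok, user}
        else
          {:error, :invalid_credentials}
        end

      :error ->
        # Spend a bcrypt round anyway so an unknown e-mail does not respond
        # measurably faster than a wrong password.
        Bcrypt.no_user_verify()
        {:error, :invalid_credentials}
    end
  end

  # Second meaning: once identity is proven, bind it to the request mechanism.
  # For a browser app that is the session, as below; for an API this is the
  # point where Guardian (or Phoenix.Token) would sign a token for the user
  # instead. Either way, the signing step never replaces the check above.
  def log_in(conn, users, email, password) do
    case authenticate(users, email, password) do
      {:ok, user} ->
        conn =
          conn
          |> Plug.Conn.configure_session(renew: true)
          |> Plug.Conn.put_session(:user_id, user.id)

        {:ok, conn}

      {:error, _} = error ->
        error
    end
  end
end
```

A controller's create action calls `IdentityAuth.log_in(conn, users, email, password)` with the submitted form fields; the `{:error, :invalid_credentials}` branch should render the same generic message for an unknown e-mail and a wrong password, which is also why `authenticate/3` takes the same time on both paths.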


Uh, except it’s not using Guardian for Authentication, it’s using BCrypt local passwords for authentication… o.O

JWT is not for sessions, it’s for server-to-server transmission of signed data.

And easily 99% of the time when I see people ask about authentication libraries here (or really anywhere) they are asking about how to authenticate user identity.

Only a request that is embedded ‘inside’ the token to be specific, it does not authenticate, say, a web request that happens to include it (although that could be embedded inside it, although no one ever does that I’ve seen).

Like Guardian is fantastic for passing Authorization information inside a (JWT) token across servers, even then that is used to authenticate access via that authorization, which still has nothing to do with user authentication.

It is not designed to be used for intra-server communication, either Phoenix tokens or the session is better for that. And I have yet to see anyone need multi-distinct-server communication to/from a non-elixir system, thus I have not seen anyone here yet that would benefit from Guardian, thus I wish people would quit suggesting it as it just makes things more difficult for the people that try to use Guardian. Quite literally in that article linked above instead of putting the ‘YouAreAllowedToDoAnything’ authorization information inside a Guardian (JWT) token, what they SHOULD be doing is putting it on the phoenix session, at which point the code is significantly less, it’s faster, it’s less likely to break, etc… etc…


Yes, I thought the link would naturally lead a beginner to the other ueberauth packages: :slight_smile:


It really really doesn’t based on how much it keeps getting asked about on these forums. ^.^;


I’m trying phauxth. It’s easy to set up, works and is well documented. So far it’s been a good experience.