Guardian vs Coherence API

It seems like a lot of people prefer to use Guardian over using Coherence for their apps, and I don’t really understand. Are there any reasons other than making it easier to add FB/Google login? I’m building an API, so I don’t care much about the views, but I consider password reset to be mandatory for any authentication system (and that pretty much requires unique emails and email confirmation), so it seems like a no brainer, but I want to make sure I’m not missing something important.


I’ll take a shot at an answer here. But first, in full disclosure, I’m the author of the Coherence package.

  • Coherence does not have built in support for JWT tokens. I recently added Phoenix Tokens that I use for channels authentication.
  • Coherence was originally designed as a web based design. Using it for API authentication can be done, but you many need to rely on community blog posts for help
  • Coherence plugs are a little no-standard.
  • Guardian has been around longer than Coherence

There are probably other reasons.

I have a near term requirement to get oAuth working with Coherence, so I will be investing some time looking what it takes to integrate uberauth with Coherence.


You seem to be the only one that cares. :stuck_out_tongue:

Okay, first I have to ask “Why do people keep comparing Guardian with Coherence?” as they are 2 entirely different libraries with 2 entirely different use-cases.

A summary:

  • Guardian: A JSON webtoken library. It has a few helpers for integrating with a phoenix pipeline. Great for integration between remote servers for authorization transferal. It should not be used in most of the places it is being used though as JSON webtoken’s are heavy and are for specific purposes. This is purely for authorization purposes between servers. It is not something that should be used if you use, say, a database from all accessible locations. It does not, I repeat NOT handle authentication what-so-ever, it is purely authorization (designed for remote authorization).
  • Ueberauth: An abstraction library for handling authentication from ‘any’ source to get a unified interface. It has things for everything from oauth, google, github, and many others to LDAP (my own at least) or anything else you can think of, to simple ‘identity’ login (username/password). It does not handle web pages, user storage, authorization, or anything of the sort. It is just an ‘authentication’ library that can handle any type of authentication. It can handle auth from everything from web or even API communications.
  • Coherence: A library that handles everything from the front-end web pages for ‘identity’ style logins with password resetting and more. It is fantastic if you intend to have only a username/password setup but it is not at all useful in really any way if you intend to use a remote service for logins (like LDAP for me). It is also not very useful for API handling, primarily it is just for user-facing setup. It does not handle authorization.

Honestly, in my maybe not so humble opinion, Coherence should be one of the strategy's inside Ueberauth (a kind of super-identity strategy) with ueberauth giving a unified interface to the user of these libraries to handle the final authentication part to acquire authorization information however the user wishes. Another library should handle authorization and perhaps could have helpers to work with Ueberauth pretty transparently (which my internal system already has pretty well built in, I should rip it out sometime into a standalone library).

In essence I think it should be:

  • Authentication interface by the library users should be: Ueberauth
  • Identity authentication strategy ‘inside of ueberauth’ should be: Coherence (with a lot less page auto-generation and such, does not fit well in to any system I’ve built yet as it is, but that is being changed and improved in Coherence over time)
  • Local Authorization should be: Honestly I’ve not found a great library for this yet, even the one I made and am using I am not quite satisfied with (hence why I have not published it); I need to think about this topic a lot more still…
  • Remote Authorization should be: Guardian

But regardless, conflating and comparing Guardian and Coherence is apples and oranges, I really really really wish people would stop. I’m not sure where people are even getting these ideas from that they are comparable at all? o.O?


Because Guardian identifies itself as an Elixir authentication library.

1 Like

A Coherence strategy within Ueberauth actually sounds like a pretty great idea. Going that route to make it the “default” approach to using Coherence would provide a Devise-like experience for new applications with solid ground to expand.


In ‘passing’ authentication credentials that already exist, not in ‘doing’ the authentication. :slight_smile:

That is what I’d been for the whole time! :smiley:

In essence I’d think Coherence should just be a strategy in Ueberauth + More (helpers and so forth). :slight_smile:

Still need to come up with a great authorization style though, I am not liking anything yet… ^.^;

1 Like

Which would mean that it is, as you said, an authorization library, and they shouldn’t call it an authentication library. If people are misunderstanding it, it seems to be a failure in its description.

Indeed they likely should not, but I did not write it. :wink:

However, reading about what it does makes it plainly obvious that it only works with JWT’s and nothing else whatsoever.

This was true prior to version 1.0. As of 1.0 Guardian will work with any kind of ‘Token’ as specified in it’s readme. JWT is one type - and the type that it uses out of the box.


Ooo, that is a good boost to its API! :slight_smile:


I can’t be the only one using both together? Coherence is great for the general user flow… you get templates for password reset/session management, email hooks etc pretty free, and then use guardian for token management. Coherence generates the file you need even to interrupt the relevent flows for your own token managements. Dunno if someone’s doing it much better but it feels nice so far


Just picked up this thread. Very interesting idea @OvermindDL1 to have Coherence as an Ueberauth strategy. I’ll take a look at UeberAuth again and try to get a picture of what this would look like.

BTW, for those readers that know me, I’m the author of Coherence…


@subetei does your Coherence/Guardian integration work out of the box, or you have any fancy rewiring/plumbing to get it work? I have never tried it myself. Also, I have some token stuff in Coherence and I’m wondering if I should try and replace that with a Guardian dependency. Any thoughts?

@smpallen99 it worked pretty easily with just the normal integration points of guardian. On the coherence side I only had to add the guardian logic to the redirects module just as you recommend I believe.

Thoughts to guardian dependency… seems like that could work. I like working with guardian and that would make a pretty nice and clear overall solution. Could probably get away with sensible defaults settings for it that work for 90% of cases so any extra config would be optional. Will double check the code this weekend and add better thoughts

1 Like

Having blindly taken Ueberauth as the industry standard for Elixir, I somehow managed to never come across Coherence until now.

Functionality-wise it looks awesome! Even has nice metrics tracking out-of-the box - far better I’d even dare to ask for. We absolutely need a solid de facto library in Phoenix handling all this for us developers.

I have Ueberauth+Guardian set up in my current project as I need OAuth, but I definitely want to find a way to integrate Coherence for direct registrations. My backend is API only, did anyone come across any blog posts, medium articles etc. that could help with this?

1 Like

Hey @smpallen99 are you still looking after coherence? There are quite a few PRs left and not much communication since last year as well as unreleased changes to

@vertti @subetei do you guys have a reference implementation for coherence + guardian you’re willing to share?


Hi @sashman dunno how I missed being notified on your reply but ended up on the thread through another notification. Been a long time since then so maybe it’s silly to offer help now but let me know if you still want an example, tis all open source