Multitenant SaaS - authentication, authorization


I would like to find out the best way to start working on a multi-tenant SaaS product involving Elixir’s full stack.
In the past, I already asked here about authentication and authorization, but without real luck. I am aware of Pow, Guardian, Phx.gen.auth… but somehow I still have a feeling that I will need to develop 2 products. The first one is my idea about SaaS, and the second one is something to cover all these things around security.

I was looking into Keycloak, but I would rather avoid another external dependency.

Current tooling gives you the impression that all we have is basic support. Like the majority of products and use-cases would be running backends with minimum support for auth. Am I wrong? I mean I know I am, but I would like to challenge someone to give some useful feedback. Is there any real guide or tutorial or course on topics like Phx.gen.auth…

So I would like to build SaaS and use it as a multitenant platform with all sorts of roles behind and other modern options. And all that to be production-ready.

I would really like to get some guidance on where to go from here.

Thanks, T


I don’t think you need to build anything from scratch, there are many good libraries out there.

You need to answer a few questions:

  1. How do you distinguish the requests coming from different tenants in your multi-tenant app? Domain name or API key?

  2. What auth providers will you have for authentication: Google, FB, etc.?

  3. How will you provide auth: through a JSON endpoint or an OAuth2 web flow?

  4. A few details about what kind of SaaS platform it is, or any references to an existing product? (to understand the auth requirements)

Guardian is a very mature library for security: GitHub - ueberauth/guardian: Elixir Authentication.

I have built a multi-tenant solution without Phoenix auth and Pow. They did not even exist back then.
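As an added example, not code from any of the posts above nor from Guardian, Pow or Phx.gen.auth, here is how the first question (tenant by domain name or by API key) can be answered by one Plug in a Phoenix app. The `MyApp` namespace, the `example.com` base domain, and the context functions `MyApp.Tenants.get_by_api_key_hash/1` and `MyApp.Tenants.get_by_subdomain/1` (each returning a tenant struct or `nil`) are assumptions for the example.

```elixir
defmodule MyAppWeb.Plugs.ResolveTenant do
  @moduledoc """
  Resolves the tenant for a request: an X-API-Key header wins (API clients),
  otherwise the first label of the Host header is used (browsers).

  Assumed for this example: MyApp.Tenants.get_by_api_key_hash/1 and
  MyApp.Tenants.get_by_subdomain/1 return a tenant struct or nil.
  """
  @behaviour Plug
  import Plug.Conn

  @impl Plug
  def init(opts), do: Keyword.put_new(opts, :base_domain, "example.com")

  @impl Plug
  def call(conn, opts) do
    tenant =
      case get_req_header(conn, "x-api-key") do
        [key | _] ->
          # Only a SHA-256 of each key is stored, so the lookup is by hash and
          # a leaked tenants table does not hand out usable credentials.
          MyApp.Tenants.get_by_api_key_hash(hash_key(key))

        [] ->
          case subdomain(conn.host, opts[:base_domain]) do
            nil -> nil
            sub -> MyApp.Tenants.get_by_subdomain(sub)
          end
      end

    case tenant do
      nil ->
        # Fail closed: a request that maps to no tenant must never reach a
        # tenant-scoped controller with an empty assign.
        conn |> send_resp(404, "unknown tenant") |> halt()

      tenant ->
        assign(conn, :current_tenant, tenant)
    end
  end

  # Accept exactly one label in front of the base domain ("acme.example.com");
  # reject the bare base domain and nested labels ("x.acme.example.com").
  defp subdomain(host, base) do
    suffix = "." <> base

    if String.ends_with?(host, suffix) do
      sub = String.replace_suffix(host, suffix, "")
      if sub != "" and not String.contains?(sub, "."), do: sub, else: nil
    else
      nil
    end
  end

  defp hash_key(key) do
    :crypto.hash(:sha256, key) |> Base.encode16(case: :lower)
  end
end
```

Put the plug in the router pipeline ahead of the authentication plugs. The Host header is client-controlled, so the subdomain is only a lookup key; the database row decides whether the tenant exists. Resolving the tenant says nothing about who the user is: the authentication step that follows still has to check that the signed-in user belongs to `conn.assigns.current_tenant`, otherwise a user from tenant A can browse tenant B by changing the hostname.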

Can you explain what “all sorts of roles behind and other modern options” is meant to mean? In my experience, the reason why authentication/authorization libraries are often such a pain point is that a library is used which does handle that “stuff”, just not in a way that aligns well with the project/business requirements, especially when faced with continuous development and maintenance.


I would be interested to understand more of your needs. What do you mean by multi-tenancy?

I have a simplistic understanding of multi-tenancy, basically meaning that the app supports multiple accounts where each account has its own set of data, including users. At least that’s how my app works. Each table has an account_id column, and almost all context functions receive %Account{} as the first argument. I find that manageable, though my app is pretty small. I support username+password authentication plus access-token-based authentication for the mobile app API. I’m not a fan of generators, but I mostly got my code out of phx.gen.auth.
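The account_id-per-table pattern described above, written out as an added example rather than code from the poster's app: a schema whose changeset never casts `account_id`, and a context whose every function takes the `%Account{}` first, so neither reads nor writes can cross tenants. `MyApp`, `Project`, the `projects` table, `MyApp.Accounts.Account` and the `current_account` assign (set by an authentication plug) are assumed names for this example.

```elixir
defmodule MyApp.Projects.Project do
  use Ecto.Schema
  import Ecto.Changeset

  schema "projects" do
    field :name, :string
    belongs_to :account, MyApp.Accounts.Account
    timestamps()
  end

  # account_id is deliberately absent from the cast list: the tenant comes
  # from the authenticated %Account{} in the context, never from user params,
  # so a crafted form field cannot move a row into another tenant.
  def changeset(project, attrs) do
    project
    |> cast(attrs, [:name])
    |> validate_required([:name])
    |> assoc_constraint(:account)
  end
end

defmodule MyApp.Projects do
  import Ecto.Query, warn: false
  alias MyApp.Repo
  alias MyApp.Accounts.Account
  alias MyApp.Projects.Project

  # There is no unscoped list_projects/0, so there is nothing to forget to filter.
  def list_projects(%Account{id: account_id}) do
    Project
    |> where([p], p.account_id == ^account_id)
    |> order_by(asc: :inserted_at)
    |> Repo.all()
  end

  # Scoped lookup: a valid id that belongs to another tenant raises
  # Ecto.NoResultsError (rendered as 404 by Phoenix) instead of returning it.
  def get_project!(%Account{id: account_id}, id) do
    Repo.get_by!(Project, id: id, account_id: account_id)
  end

  def create_project(%Account{id: account_id}, attrs) do
    %Project{account_id: account_id}
    |> Project.changeset(attrs)
    |> Repo.insert()
  end

  # Updates and deletes go through get_project!/2 and so inherit its scope.
  def update_project(%Account{} = account, id, attrs) do
    account
    |> get_project!(id)
    |> Project.changeset(attrs)
    |> Repo.update()
  end

  def delete_project(%Account{} = account, id) do
    account
    |> get_project!(id)
    |> Repo.delete()
  end
end

defmodule MyAppWeb.ProjectController do
  use MyAppWeb, :controller
  alias MyApp.Projects

  # conn.assigns.current_account is assumed to be set by the auth plug; the
  # controller never passes a raw account id taken from the request.
  def show(conn, %{"id" => id}) do
    project = Projects.get_project!(conn.assigns.current_account, id)
    render(conn, :show, project: project)
  end
end
```

The invariant is easy to verify in tests: create two accounts, insert a project under one, and assert that `get_project!/2` with the other account raises. In the migration, make `account_id` `NOT NULL` with a foreign key to `accounts`, and index `(account_id, id)` so the scoped lookups stay cheap as tables grow.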