Openmaize authentication library - now called Phauxth

Openmaize is an authentication library which relies heavily on Plug and uses JSON Web Tokens for authentication.
I’ve just released version 1.0.0-beta. For people who are already using Openmaize, change the :openmaize line in the deps in your mix.exs file to {:openmaize, "~> 1.0.0-beta"} and read the following guide about the other changes that need to be made. The major change since the last version is that the database functions have been moved outside of the Openmaize library, and you need to generate these functions by running the mix openmaize.gen.ectodb command (if you are using Ecto).
If you have any questions / comments, please let me know.

7 Likes

Hi @riverrun, thanks for the great library!

Do you have any plans to add OAuth providers support (e.g. Facebook)?

1 Like

Yes, but I don’t know when. I need to do a little bit of research about them first and then look into implementing them.

1 Like

I currently use Ueberauth at work for authentication (using a ueberauth_ldap plugin to access the LDAP server) as well as the Google OAuth to authenticate to our Google Business account as well. How would openmaize work in comparison?

1 Like

To tell you the truth, I’m not really sure how they are different. I’ll have a closer look at Ueberauth and try to find out more.
Regarding OAuth, though, Openmaize doesn’t support it at the moment. It uses password authentication, with support for two-factor authentication, and if password authentication succeeds, then a JSON Web Token is used to authenticate subsequent requests.

2 Likes

A quick update and notification about a change in beta.2:

Before, there was a database setting called db_module in the config. That has now been removed, and you have to set the db_module directly when you use the plugs. There’s an example in this module. The plugs affected are Openmaize.Login, Openmaize.OnetimePass, Openmaize.ConfirmEmail and Openmaize.ResetPassword.

If any of this is unclear or you have any questions, please let me know.

1 Like

I’ve released version 1.0 (no beta).
Other news is that I’ve opened an issue about adding an option to use sessions instead of JWTs. It would be good to get some feedback about what developers would prefer.
There is also this issue about migrating from Rails / devise. I hope to be making some improvements to the documentation about this in the next few days.

4 Likes

I’ve just released openmaize version 2.0, which uses Plug cookie-based sessions by default, and openmaize_jwt version 1.0, which uses JSON Web Tokens.
Here is the upgrade guide for openmaize, and here is the upgrade guide for openmaize_jwt.
Here is an example app using openmaize, and here is an example app using openmaize_jwt.

6 Likes

Small update to using the Plugs in Openmaize:
If you are using the db_module generated by openmaize.gen.ectodb, you don’t need to write db_module: MyApp.OpenmaizeEcto any more, as this is now the default value.
So, for example, plug Openmaize.Login, [db_module: MyApp.OpenmaizeEcto] when action in [:login_user] can now be written as plug Openmaize.Login when action in [:login_user].
If you have any questions, just let me know.

3 Likes

Just released version 2.2 of Openmaize.

There are two big changes:

  1. The generator mix openmaize.gen.phoenixauth is a lot more powerful now and running it after mix phoenix.new will produce a workable app with user authentication. If you add the --confirm option, it will also produce the modules needed for email confirmation and password resetting. See this guide for more info. I’m afraid there isn’t much support for generating files for apis - I haven’t had enough time.
  2. I’ve moved the database-related functions to within Openmaize (they were previously separate to allow developers to use custom database modules, but I now think that this is not necessary, and making this change makes the library more maintainable). If you’re upgrading from a previous version, please read this guide.

1 Like

Last week I updated Openmaize to version 3.0.

The major changes are that I’ve added configurable logging to it and updated the installer (for Phoenix apps) and the wiki.

For anyone who is already using Openmaize, there are two other small changes:

  • the default unique_id (user-identifier) for the Login and OnetimePass modules is now email (instead of username).
  • the user map that is returned by the Openmaize Plugs now filters out certain keys to help prevent sensitive information being leaked

At the moment, the logging provides info and warn messages in logfmt format. The log level, though, can be changed by setting the log_level value in the config - and it can be turned off by setting this value to false.

Finally, many thanks to everyone who has contributed to this project, especially Christian Bäuerlein and Franco Bellagamba, who helped with the installer, Ben Sharman, who contributed to the logging feature, and Guido Tripaldi, who worked with me on making the OnetimePass Plug more secure.

7 Likes

The work on Openmaize is now going to be transferred to Phauxth.

With the changes made to Phoenix 1.3, I decided that this would be a good chance to make several changes myself – changes that I had been thinking about for some time.

The major differences between Openmaize and Phauxth are:

  • Phauxth is designed to be a lot more extensible
    • rather than trying to satisfy every authentication need, I want to make it easy for developers to extend the core functionality
  • Phauxth depends on Phoenix (so I can use Phoenix tokens)

5 Likes

Just released version 1.0 of Phauxth.

A couple of changes since the earlier post:

  • Phauxth depends on Plug, but it no longer depends on Phoenix
  • Phauxth uses a custom token implementation based on Phoenix.Token

You can find more info at the wiki, and there is also a gitter room.

6 Likes

Just released version 2.1 of Phauxth.

I have also updated the phauxth example app and the phauxth installer.

To update your app to use Phauxth 2.1:

  • remove all references to Comeonin (Comeonin.Argon2.add_hash is now Argon2.add_hash, and Comeonin.Argon2.check_pass is now Argon2.check_pass).
  • update the phauxth dependency to "~> 2.1.0" and the argon2_elixir dependency to "~> 2.0" (or bcrypt_elixir to "2.0" or pbkdf2_elixir to "1.0").
  • and that’s it!

Any comments / questions, just let me know.

4 Likes