PowAssent: Instant multi-provider support for Pow

danschultzer · February 28, 2019, 7:05pm

Multi-provider support for Pow with out-of-the-box support for many providers. I finally got a 0.1.0 release up today, and I hope some of you will find it useful

Please let me know if there’s anything that can be improved in the docs or with features. Thanks!

https://github.com/danschultzer/pow_assent
https://hexdocs.pm/pow_assent/

Pow thread: Pow: Robust, modular, extendable user authentication and management system

PowAssent details

Base strategies

OAuth 1.0
OAuth 2.0

Strategies

Azure AD
Basecamp
Discord
Facebook
Github
Google
Instagram
Slack
Twitter
VK

Few dependencies

PowAssent has nearly no dependencies. :httpc is used as the default HTTP client with built-in SSL validation!

Mint can be added for HTTP/2 support.

Can PowAssent be used without Pow?

Yes! You can use any strategy directly:

config = [
  client_id: "REPLACE_WITH_CLIENT_ID",
  client_secret: "REPLACE_WITH_CLIENT_SECRET",
]

{:ok, %{conn: conn, url: url}} = PowAssent.Strategy.Github.authorize_url(config, conn)

case PowAssent.Strategy.Github.callback(config, conn, params) do
  {:ok, %{conn: conn, user: user}} -> # …
  {:error, reason} -> # …
end

I’ve been using this technique for a lean super admin login.

What about Ueberauth?

You can use Ueberauth with Pow, or add a custom strategy that uses Ueberauth underneath!

However, most strategies uses the OAuth protocols, and it’s much easier to just add your custom strategy. It takes no time to set up. Pull requests are welcome!

A big difference from Ueberauth is that PowAssent is self contained. Strategies are built-in and consists of very little code. They rely on base strategies like OAuth or OAuth2 to do the heavy lifting. All strategies are consistent, and e.g. switching out underlying HTTP client or JSON library is no problem. Unfortunately with Ueberauth you’ll have several different dependencies that each handle things differently. This may also cause dependency conflicts.

Adding a custom strategy

Provider support is super easy. You just need to write one (tiny) module:

defmodule MyApp.CustomStrategy do
  use PowAssent.Strategy.OAuth2

  def default_config(_config) do
    [
      site: "https://api.example.com",
      user_url: "/authorization.json"
    ]
  end

  def normalize(_config, user) do
    %{
      "uid"   => user["id"],
      "name"  => user["name"],
      "email" => user["email"]
    }
  end
end

And then add it to your providers:

config :my_app, :pow_assent,
  providers: [
    custom_strategy: [
      client_id: "REPLACE_WITH_CLIENT_ID",
      client_secret: "REPLACE_WITH_CLIENT_SECRET",
      strategy: MyApp.CustomStrategy
    ]
  ]

Happy coding

dimitarvp · March 2, 2019, 3:02am

Amazing work!

Could you include a link to that library in the root Pow documentation? Having a small section with recommended additional Pow libraries would be very helpful there.

danschultzer · March 2, 2019, 4:39pm

Thanks! It’s in the readme, but it’s kind of hidden towards the end: https://github.com/danschultzer/pow#other-libraries

Maybe it would be better with a reference to it in the Extensions section.

danschultzer · March 10, 2019, 4:15pm

Pow 0.2.0 released

Changelog: Github
Hex: https://hex.pm/packages/pow_assent/0.2.0

This release contains several breaking changes. The plug methods and controllers have been streamlined so they are much easier to work with. However, you don’t need to change a thing unless you’ve a very customized 0.1.0 setup.

Removed Plug.Conn from strategies

Strategies no longer uses plug conn param. Now you only have to pass configuration and params. This means that PowAssent strategies can be used in any context with no expectation for any dependency!

PowInvitation

Support for the new PowInvitation extension in Pow 1.0.3!

It’s plug n’ play. Zero configuration.

blatyo · May 24, 2019, 3:36pm

I noticed you changed things to allow the capture of oauth token values, like access token. That’s cool. However, it seems like user identities aren’t updated after initially created. So, that seems to mean if a user re-logs in to an oauth provider, then the new access token and refresh token won’t get updated. Am I missing something?

danschultzer · May 24, 2019, 4:17pm

You’re right, the user identity is never updated, only created or deleted. When there’s a match for :provider and :uid, the user will just be authenticated. I’m not sure what the solution should be, so I’ve just opened an issue on github I’ll give this some thought.

blatyo · May 24, 2019, 6:37pm

I left a comment on the issue. https://github.com/danschultzer/pow_assent/issues/69

Hopefully that’s useful.