I may in the near future need to implement an OAuth2 provider. I was curious if anyone has any experience doing that and could share some insights/gotchas about doing so? Is there an Elixir library you recommend for doing something like that?
2 Likes
OAuth2 provider or consumer? I’ve not ran across any providers yet but I am curious if one gets made. 
From the top of my head and with no order of preference:
OKTA IS THE IDENTITY STANDARD
The Okta Identity Cloud is an independent and neutral platform that securely connects the right people to the right technologies at the right time.
Curity is based on the design principle of separation of concerns. This means that Curity is ready for the identity structure of today, as well as prepared for the unknown principles of tomorrow.
Never Compromise on Identity
We provide a universal authentication & authorization platform for web, mobile and legacy applications.
Provider
Why that order?
I wanted to say no order of preference 
I just pasted them in the order I remembered them…
I’ve been using a hydra server for OAuth2 provider on one of my open source projects, but I would love something in Elixir. ^.^
Didn’t Okta cost money?
All them will cost if the free tier is not enough to cover your needs…
I did find these two:
https://github.com/mustafaturan/authable
Anyone use these and recommend one over the other?
2 Likes
Yeah that’s not so good. I self-host, edit them, etc… Any thing that is not open source, or costs anything (especially as I make no money on any of my personal projects, free open source the whole way), or that I cannot easily self-host is pretty easily a hard Nope.
I do not have affiliation with any of them, I just use them time to time in my demos, that was the first ones that come to my mind…
I would also go with self hosted and open source ones, but the Auth0 free tier seems to be very generous, if is only for a pet project.
Another option, used a lot in the enterprise world, and this time open source:
Add authentication to applications and secure services with minimum fuss. No need to deal with storing users or authenticating users. It’s all available out of the box.
You’ll even get advanced features such as User Federation, Identity Brokering and Social Login.
For more details go to about and documentation, and don’t forget to try Keycloak. It’s easy by design!
1 Like
Why not use an already built with Ueberauth Strategies? We accept a few in our SaaS, like Microsoft and Google.
The goal would to allow single sign-on across multiple applications. So, we would have a provider that allows the user to login via other OAuth providers or our existing accounts. The other applications then direct the user to this application to login. The individual apps only need to support one OAuth provider as the only authentication strategy, rather than each implementing the same set and then also sharing our existing accounts somehow.
That is still doable with a umbrella / microservices for centralized authentication, but sure, makes sense to build a new…
That’s true only if your applications do share the same hostname, as we are talking of cookie-based sessions and cookies won’t be sent to different hostnames.
OAuth is more for API access control (think mobile applications, SPAs and access delegation to third party apps), while OpenID Connect (an OAuth2 superset) is for delegated authentication (think SSO between web apps). It’s kind of the successor to SAML2. It may be what you’re looking for. I’d add CAS server (java) and Identity Server (.NET) to the list of open-source server supporting OAuth2, OpenID Connect and SAML2.
However as long as you can stick with using a web cookie-based session you might be better with that because these federation protocols add a whole new complexity to your stack.
1 Like
Thanks for pointing me towards OpenID Connect. I’d seen it, but didn’t realize it was different from the OpenID of yesteryear, which was the URL as authentication mechanism.
Things are on the same domain for the time being. But I’ll still check it out.
A follow up to this thread. I ended up going with danschultzer/ex_oauth2_provider and it’s worked great.
2 Likes
I update this thread with boruta | Hex, an OpenID certified provider that works great and provides quite a lot of customization possibilities.
You can also have a look at the source code GitHub - malach-it/boruta_auth: A yet complex but OpenID™ certified OAuth / OpenID Connect provider core
How about this one: README — Oidcc v3.1.1
Haven’t tried it yet, because it requires OTP 26/Elixir >=1.14.5 (uses new Erlang “maybe” expressions). There are also Phoenix plugs to handle OAuth2/OIDC endpoints.
The package you mention is a client, the last version was supported by the EEF. Here we are speaking about the providers or the authorization servers, boruta is one of them.
