amarandon

Sharing authentication session with another app

Hello Elixir Forum !

I have an existing web app that I’d like to integrate within a new phoenix project. To provide context for those who might be familiar with it, that other app is JupyterHub, a multi-user server for the popular Jupyter data-science platform. But what I’m going to describe shouldn’t be specific to that particular app. In a way, what I’m trying to achieve is the inverse of this: PASETO vs JOSE (JWT - JSON Web Tokens) (protocols/standards for managing user sessions) - #9 by idi527. I want to manage user accounts and login in my phoenix app and have my users be logged in automatically to the third party app.
I figured out how to control the login/logout process within the third-party app. It’s quite flexible: it could be based on calling an external service or on parsing a cookie. Both apps will be served under the same domain, so it’s possible to share cookies between the two. In fact I managed to hack something together using Guardian and JWT. It works like this:

While it seems to be working, I’m not really happy with this solution for a few reasons:

  1. there are security concerns with using JWT for authentication which I don’t fully understand
  2. JWT wasn’t designed for authentication in the first place, as mentioned several times in this forum by @OvermindDL1 and others
  3. it bothers me to transfer information (the user id) that I don’t really need to give to the user agent, even if it’s a signed cookie that in theory cannot be tampered with (we all know that cryptography sometimes ends up being broken)

Ideally, I’d like to share only a session id between both apps. The third party app would receive that session id via a cookie that can be shared between both apps since they’re both on the same domain. The third party app would issue a request in the background to a protected endpoint of the phoenix app. That endpoint would return user information to the third party app, which would use that information to log the user in. Here is a diagram of the workflow I’m thinking of:

What do you think of this plan so far?

I’m currently trying to implement something based on Phauxth, which seems to be simpler and easier to understand than Guardian. Now I’m trying to figure out how I can implement the endpoint that takes a session cookie and returns user information. It seems to be a triple of dot-separated, base64-encoded strings, but not quite, as decoding its parts with Base.decode64/1 gives me an :error. Decoding it with GNU coreutils’ base64 program gives me this:

tm
  _csrf_tokenmcopw6CzJhZ+ZoPsm6jW9Dw==mphauxth_session_idmF94xYayLj2Ff17Aiw4base64: invalid input

Once I’ve figured out the exact format of this cookie, I suppose I can retrieve the phauxth session and extract user info. So if you have more info about how the session cookie works, that would probably help me. I tried reading Plug’s source code but got a bit lost.

Edit: I found that the ETS session storage allows retrieving the session data easily given just the session ID. I understand the drawbacks of this storage and I’m thinking of implementing a custom session storage for my PostgreSQL database.
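An added example, not code from any post in this thread. The cookie described above is what Plug.Session.COOKIE produces: it signs :erlang.term_to_binary(session) with Plug.Crypto.MessageVerifier, and the three dot-separated parts are base64url without padding (which is why Base.decode64/1 returns :error while Base.url_decode64(part, padding: false) works). The module below verifies and decodes such a cookie on the server the same way Plug does; the module name and the secret_key_base/signing_salt values are placeholders.

```elixir
# Added example, not from the thread. Verifies a Plug signed session cookie the
# way Plug.Session.COOKIE does, so a backend endpoint can read the session id
# without trusting anything the user agent could have altered.
defmodule SessionCookieReader do
  alias Plug.Crypto.{KeyGenerator, MessageVerifier}

  # Placeholders: use the Phoenix endpoint's real secret_key_base and the
  # signing_salt from its `plug Plug.Session` configuration.
  @secret_key_base "PLACEHOLDER_secret_key_base_at_least_64_bytes_long_xxxxxxxxxxxxxxxxx"
  @signing_salt "PLACEHOLDER_signing_salt"

  # Plug derives the HMAC key from secret_key_base with PBKDF2-SHA256
  # (1000 iterations, 32-byte key by default).
  defp signing_key, do: KeyGenerator.generate(@secret_key_base, @signing_salt)

  @doc """
  Returns {:ok, session_map} when the cookie's signature checks out, :error
  otherwise. The cookie is "protected.payload.signature", each part base64url
  without padding; the payload is the external term format of the session map.
  """
  def decode(cookie) when is_binary(cookie) do
    case MessageVerifier.verify(cookie, signing_key()) do
      {:ok, binary} -> {:ok, Plug.Crypto.safe_binary_to_term(binary)}
      :error -> :error
    end
  end

  @doc "Extracts only the Phauxth session id; the user is then looked up server-side."
  def session_id(cookie) do
    with {:ok, session} <- decode(cookie),
         {:ok, sid} <- Map.fetch(session, "phauxth_session_id") do
      {:ok, sid}
    else
      _ -> :error
    end
  end

  @doc "Signs a session map exactly as Plug does, for trying the round trip in iex."
  def encode(session) when is_map(session) do
    MessageVerifier.sign(:erlang.term_to_binary(session), signing_key())
  end
end
```

If the session config also sets an encryption_salt, the cookie is encrypted with Plug.Crypto.MessageEncryptor instead, and the verifier alone will not decode it.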

alexandrubagu

If you want to achieve the solution described above I think you can read or implement the OAuth2 RFC. Also, if the app is used internally you can stick with SSO (based on IP / LDAP).

I found an Elixir implementation for this: GitHub - ueberauth/oauth2: An Elixir OAuth 2.0 Client Library. Maybe it will help you.

OvermindDL1

They are reusable within their active time period unless you store invalidation data on the server, and if you are doing that then there is no point in JWT to begin with. :slight_smile:

It’s good for database-less, purely time-based, non-invalidatable authorization, not authentication. :slight_smile:

If the apps share a backend, just pass a signed ID.
If the apps don’t share a backend but share signing keys, then use a token.
Else this might be a good case for JWT (transferring data safely between servers that have no connections between each other), though they’ll need each others public keys to verify the signature.

Oh that’s just a lot easier then, just make sure they share the same signing key for the cookie and good to go (or put in unsigned data if tampering is not an issue).

Actually, what it looks like to me that you are trying to create is SSO/OAuth/etc. server authentication, so why not just use those standards?

Oh hey, yes this!

Just follow the spec and use existing libraries for it. :slight_smile:

amarandon

Thank you both for your replies!

From what I understand, OAuth was also designed to handle authorization, not authentication. Some have bent it to handle authentication by providing an authorized “user info” resource, and this has even given birth to OpenID Connect, a standard on top of OAuth that is explicitly designed for authentication and which makes use of … JWT!

This is all very confusing and is nothing specific to Elixir or Phoenix, so I shall not bother this forum more with this question. My problem of accessing session data is solved by the ETS session storage backend, which I may replace with a custom SQL-based backend later on.
