tadasajon

tadasajon

Solving auth once and for all -- does this proposed solution make sense?

My partner and I are planning to develop several phoenix apps for various clients. Any app we build is going to need an authentication/authorization system.

I would like to solve the problem once and for all instead of re-implementing a similar but subtly different auth approach in each app we build.

I have found this open-source solution: GitHub - dwyl/auth: đŸšȘ 🔐 UX-focussed Turnkey Authentication Solution for Web Apps/APIs (Documented, Tested & Maintained) · GitHub

This is my understanding of how it works:

  1. The authorization/authentication is abstracted out of any app we build and isolated in this one single Phoenix auth app. This clears up mind-space in the app we are building for our client.

  2. This Phoenix auth app has some nice and somewhat advanced features, such as role-based access control (i.e., users can be super-users, admins, normal users, read-only users, etc) and encryption to keep user info secure in case the auth app’s database is compromised. It also removes all user info from the main app’s database, which also provides more security in case of compromise of the main app’s database.

  3. The auth app runs on a different domain from any app that we are concerned about providing authentication for.

  4. The system works via OAuth. Suppose this auth app is deployed at TadasajonAuth.com – users will then set up TadasajonAuth accounts and any other Phoenix app that we build for clients will use a TadasajonAuth login system – i.e., user will log in with their TadasajonAuth account, similar to how they might currently log in to some site using their Facebook, Twitter, Google, or GitHub accounts.

  5. Since clients that we build apps for will prefer to have a fully personalized auth system, rather than having their users log in with some third-party system called TadasajonAuth, we will use clever logic in the auth app to detect which URL the user is coming from and show appropriate logos, colors, information, etc.

    • In other words, from our clients perspective, their fancy new Phoenix app running at the-clients-domain.com has an auth system running at auth.the-clients-domain.com with DNS settings that point auth.the-clients-domain.com to TadasajonAuth.com and as far as the client or any of their users know, this is a fully operational auth system that is dedicated to the client’s app only.

    • The fact that the app is also providing OAuth for other apps is completely hidden from the client and is also really of no concern to the client – i.e., it makes no difference to the client (except insofar as a single auth app is easier for us to control as developers and is therefore more secure and robust).

  6. The auth app can still allow users to log in with various third-party services, such as Twitter, Google, Facebook, GitHub, Whatever – the auth app will have OAuth hooks set up for a dozen such services and we will just turn on / turn off whatever services we want to use for any particular client app we are building.

    • So if client one would like Google login, then we just use our auth app, configure DNS so it runs at auth.client-one.com, and configure it so that users visiting auth.client-one.com see only a Google login option.

    • Then if client two wants Facebook login, we just use our auth app, configure DNS so it runs at auth.client-two.com, and configure it so that users visiting auth.client-two.com see only a Facebook login option.

    • So we basically have a proxy OAuth app


  7. We will also have basic username, email, password login in case a client just wants that and does not want any third-party login service.

Please tell me what is wrong with this proposed solution!

Most Liked

al2o3cr

al2o3cr

General note: “one auth to rule them all” can be a serious tarpit - especially if it spreads from pure authentication (“who is this user”) into authorization (“what can this user do”). Beware scope creep.


There’s potential cookie headaches with this approach - code on the “auth” site can read and set cookies in the toplevel domain the-clients-domain.com.

Re: per-client customization - you’ll also want to think about how things like password reset emails will work. Will clients want to supply custom branding images or language?


Specifically related to the repo above, the big thing that jumps out is a lack of multitenancy: a Person can be looked up by email alone, which means that the same email can’t be a user on client-one.com and client-two.com. :scream_cat:

tadasajon

tadasajon

Thanks for your feedback @al2o3cr

As far as scope creep, well, authorization is something that all my client apps are going to need, so that’s just baked in to the initial scope for me – I like the fact that this auth app from DWYL comes with authorization and roles built in – that’s a huge plus for me.

Also, since it is an open-source project, I’m planning to clone it and make some modifications to suit my use-case. I imagine that every time I build a new client app that will use this auth system, I’ll just add the name of the new client app to a table in the auth app – so the auth app will have internal awareness of which client apps it provides authentication for – and then I will allow lookup based on email+app, or some other custom logic.

As for your concern about cookies – well, both apps are controlled by me, so if the auth app is able to set cookies, I don’t see that as a security concern – I suppose it will allow me to track which people use two or more client apps that I have built, but I should be able to do this anyway, just by examining my database. Is there some further concern in regard to cookies?

Where Next?

Popular in Questions Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
myronmarston
The Elixir Typespec docs show the following syntax for keyword lists in typespecs: # ... | [key: type] # keyword lists...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New

Other popular topics Top

TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
jaysoifer
Is there a way to rollback a specific migration and only that one (“skipping” all the other ones)? Would mix ecto.rollback -v 200809061...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36128 110
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement