tadasajon
Solving auth once and for all -- does this proposed solution make sense?
My partner and I are planning to develop several phoenix apps for various clients. Any app we build is going to need an authentication/authorization system.
I would like to solve the problem once and for all instead of re-implementing a similar but subtly different auth approach in each app we build.
I have found this open-source solution: GitHub - dwyl/auth: đȘ đ UX-focussed Turnkey Authentication Solution for Web Apps/APIs (Documented, Tested & Maintained) · GitHub
This is my understanding of how it works:
-
The authorization/authentication is abstracted out of any app we build and isolated in this one single Phoenix
authapp. This clears up mind-space in the app we are building for our client. -
This Phoenix
authapp has some nice and somewhat advanced features, such as role-based access control (i.e., users can be super-users, admins, normal users, read-only users, etc) and encryption to keep user info secure in case theauthappâs database is compromised. It also removes all user info from the main appâs database, which also provides more security in case of compromise of the main appâs database. -
The
authapp runs on a different domain from any app that we are concerned about providing authentication for. -
The system works via OAuth. Suppose this
authapp is deployed at TadasajonAuth.com â users will then set up TadasajonAuth accounts and any other Phoenix app that we build for clients will use a TadasajonAuth login system â i.e., user will log in with their TadasajonAuth account, similar to how they might currently log in to some site using their Facebook, Twitter, Google, or GitHub accounts. -
Since clients that we build apps for will prefer to have a fully personalized auth system, rather than having their users log in with some third-party system called TadasajonAuth, we will use clever logic in the
authapp to detect which URL the user is coming from and show appropriate logos, colors, information, etc.-
In other words, from our clients perspective, their fancy new Phoenix app running at the-clients-domain.com has an auth system running at auth.the-clients-domain.com with DNS settings that point auth.the-clients-domain.com to TadasajonAuth.com and as far as the client or any of their users know, this is a fully operational auth system that is dedicated to the clientâs app only.
-
The fact that the app is also providing OAuth for other apps is completely hidden from the client and is also really of no concern to the client â i.e., it makes no difference to the client (except insofar as a single
authapp is easier for us to control as developers and is therefore more secure and robust).
-
-
The
authapp can still allow users to log in with various third-party services, such as Twitter, Google, Facebook, GitHub, Whatever â theauthapp will have OAuth hooks set up for a dozen such services and we will just turn on / turn off whatever services we want to use for any particular client app we are building.-
So if client one would like Google login, then we just use our
authapp, configure DNS so it runs at auth.client-one.com, and configure it so that users visiting auth.client-one.com see only a Google login option. -
Then if client two wants Facebook login, we just use our
authapp, configure DNS so it runs at auth.client-two.com, and configure it so that users visiting auth.client-two.com see only a Facebook login option. -
So we basically have a proxy OAuth appâŠ
-
-
We will also have basic username, email, password login in case a client just wants that and does not want any third-party login service.
Please tell me what is wrong with this proposed solution!
Most Liked
al2o3cr
General note: âone auth to rule them allâ can be a serious tarpit - especially if it spreads from pure authentication (âwho is this userâ) into authorization (âwhat can this user doâ). Beware scope creep.
Thereâs potential cookie headaches with this approach - code on the âauthâ site can read and set cookies in the toplevel domain the-clients-domain.com.
Re: per-client customization - youâll also want to think about how things like password reset emails will work. Will clients want to supply custom branding images or language?
Specifically related to the repo above, the big thing that jumps out is a lack of multitenancy: a Person can be looked up by email alone, which means that the same email canât be a user on client-one.com and client-two.com. ![]()
tadasajon
Thanks for your feedback @al2o3cr
As far as scope creep, well, authorization is something that all my client apps are going to need, so thatâs just baked in to the initial scope for me â I like the fact that this auth app from DWYL comes with authorization and roles built in â thatâs a huge plus for me.
Also, since it is an open-source project, Iâm planning to clone it and make some modifications to suit my use-case. I imagine that every time I build a new client app that will use this auth system, Iâll just add the name of the new client app to a table in the auth app â so the auth app will have internal awareness of which client apps it provides authentication for â and then I will allow lookup based on email+app, or some other custom logic.
As for your concern about cookies â well, both apps are controlled by me, so if the auth app is able to set cookies, I donât see that as a security concern â I suppose it will allow me to track which people use two or more client apps that I have built, but I should be able to do this anyway, just by examining my database. Is there some further concern in regard to cookies?
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








