What combination of libraries do you use for your Phoenix web app for standard user authentication? There are a couple listed in the awesome-elixir list, notably, ueberauth.
What I am looking for is a basic user account (email/password), register, login/logout, forgot password, and roles/groups for ACL. I want an admin panel for managing users, too, but I realize I will probably have to build this out.
Most of what I see is for basic JSON Web Token (JWT) authentication for API backends or similar. So I am a little confused about the standard practice for user auth in a plain ol’ web app.
I took a browse through hex.pm but didn’t see anything promising except authentic which doesn’t seem to be a real thing (the GitHub repo is an empty project). Basic_auth would be fine for the simplest apps, but what I am looking for is user account management and maybe even profiles.
I think you are right about roll-your-own, but I am still pretty new to Elixir/Phoenix, and not sure how to go about it.
Are you from a Ruby/Rails background? If so there is an excellent series on user authentication at Rails Casts - when I come to roll my own I hope to do something similar to that.
(Btw I have just added ‘Languages you are interested in’ and ‘Languages you have used’ fields to our profiles)
Ah right, well you’re in for a treat with Elixir and Phoenix then (no offence to any PHP developers)
With regards to your question, hopefully some others will chime in, but I would have thought watching a Laravel tut on auth should give you a fairly good idea on what you will need to implement in Phoenix, if not there is a very old Railscast on the topic that might be closer to Phoenix (this is just a guess as I’ve not learned any Phoenix myself yet).
A lot of the Phoenix blogs I see seem to use guardian. It’s also JWT based. The exception being the Trello clone tutorial. They appear to be rolling their own authentication system.
I get that Phoenix wants to remain authentication agnostic. However this makes me curious as the big feature in the next iteration of Phoenix is channel presence. Not sure how they plan to implement that without having any built-in conception of a user.
uberauth/guardian seems to be very common and popular.
The Programming Phoenix book and other beginner friendly resources use Comeonin which has Bcrypt (not sure if it can be considered exactly the same as Guardian?). I’ve been using it in my project and it’s nice.
There’s also Basic Auth which I’ve used in a blog. It’s pretty simple and it’s just to setup an authentication form to access certain pages and resources (useful for a blog since only you want to access the create new post action and so on).
I’m the maintainer of Openmaize, and I would welcome any feedback that you have.
I’m looking into making some of the functionality a little more straightforward to use at the moment, and I would like to add support for two-factor authentication before releasing a version 1.0.
Yes, I would like to support Oauth. So far, though, I haven’t done much research on the topic. I am planning on making it easier for the developer to override parts of the Login module, so as to make it more customizable, but I don’t know how that would work with any existing Elixir Oauth app.
Has anyone tried more than one of these and could offer comparisons?
I know I’ve used several auth solutions in the Rails world and it just kind of depends on how fully featured you want your solution to be (and what your tolerance for being coupled to that dependency is).
I often just use BCrypt and build my own auth in Rails.
I’m tempted to do the same here, but guardian w/ JWT looks tempting.
I’m not sure myself if JWT is really a good fit for Phoenix authentication.
JWT was designed as a solution for micro services using REST. In that situation you have multiple requests to different endpoints with absolutely no conception of a persistent connection. Each of the requests is a short lived isolated connection event.
So you send a token along with each request instead of repeating authorization handshakes dozens of times.
With Phoenix channels, there is obviously a persistent connection.
Addict and Guardian are both great. However, exactly like with Rails, there is a built-in solution in the framework that does most of the heavy lifting for you. Look at the Phoenix.Token and Comeonin.Bcrypt combination to generate a signed token (that you set in a cookie) and to hash/compare passwords, respectively.
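One way to wire that Phoenix.Token plus Comeonin.Bcrypt combination together, as an added example that is not from this thread nor from the Phoenix or Comeonin projects. It assumes a Phoenix app whose endpoint is `MyApp.Endpoint`, the `comeonin` dependency at 2.x/3.x (the `Comeonin.Bcrypt` API; in comeonin 5 the same functions moved to a separate `Bcrypt` module), and a users table with a `password_hash` column; the module names `MyApp.Auth` and `MyApp.UserSocket` are illustrative. It also covers the point raised earlier about channels: the same signed token authenticates the persistent socket once, at connect time, rather than being resent on every message.

```elixir
# Added example, not from the thread. Assumes MyApp.Endpoint, comeonin 2.x/3.x
# (Comeonin.Bcrypt) and a users schema with a :password_hash field.
defmodule MyApp.Auth do
  @salt "user auth"            # namespaces the token; not secret, but verify must use the same value
  @max_age 14 * 24 * 60 * 60   # tokens older than two weeks fail verification

  # Registration: store only the bcrypt hash, never the password itself.
  def hash_password(password), do: Comeonin.Bcrypt.hashpwsalt(password)

  # Login: compare against the stored hash. When no user was found, still run a
  # dummy bcrypt check so response time does not reveal whether the email exists.
  def check_password(nil, _password) do
    Comeonin.Bcrypt.dummy_checkpw()
    {:error, :not_found}
  end

  def check_password(%{password_hash: hash} = user, password) do
    if Comeonin.Bcrypt.checkpw(password, hash),
      do: {:ok, user},
      else: {:error, :unauthorized}
  end

  # Issue a signed (not encrypted) token carrying only the user id and set it in
  # an HttpOnly cookie. Phoenix.Token signs with the endpoint's secret_key_base.
  def sign_in(conn, user_id) do
    token = Phoenix.Token.sign(conn, @salt, user_id)
    Plug.Conn.put_resp_cookie(conn, "auth_token", token, http_only: true, max_age: @max_age)
  end

  def sign_out(conn), do: Plug.Conn.delete_resp_cookie(conn, "auth_token")

  # Shared verification; `context` may be a conn, a socket or the endpoint module.
  def verify_token(context, token) do
    Phoenix.Token.verify(context, @salt, token, max_age: @max_age)
  end

  # Plug for the browser pipeline: verify the cookie on every request and expose
  # the user id (or nil) to controllers and templates.
  def init(opts), do: opts

  def call(conn, _opts) do
    conn = Plug.Conn.fetch_cookies(conn)

    with token when is_binary(token) <- conn.cookies["auth_token"],
         {:ok, user_id} <- verify_token(conn, token) do
      Plug.Conn.assign(conn, :current_user_id, user_id)
    else
      _ -> Plug.Conn.assign(conn, :current_user_id, nil)
    end
  end
end

# Channels: the page passes the token in the socket params (e.g. rendered into the
# layout), and the socket is authenticated once here instead of per message.
defmodule MyApp.UserSocket do
  use Phoenix.Socket

  def connect(%{"token" => token}, socket) do
    case MyApp.Auth.verify_token(socket, token) do
      {:ok, user_id} -> {:ok, assign(socket, :user_id, user_id)}
      {:error, _reason} -> :error
    end
  end

  def connect(_params, _socket), do: :error

  # Lets the app disconnect all sockets of a user (e.g. on password change)
  # with MyApp.Endpoint.broadcast("users_socket:" <> id, "disconnect", %{}).
  def id(socket), do: "users_socket:#{socket.assigns.user_id}"
end
```

Two things worth keeping in mind with this approach: Phoenix.Token only signs the payload, so put nothing in it you would not show the user (here just the id), and a signed token cannot be revoked before `max_age` expires, which is why the cookie lifetime is kept short and `id/1` is defined so existing sockets can at least be dropped.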