User authentication in Phoenix?

authentication
phoenix

#43

It is not that it is complicated, just that it is generic. It assumes nothing about your web server, if you even use a web server, or anything of the sort. It is a general library to handle essentially any form of auth, such as I use Google Auth and I built an LDAP auth that is used in mine through ueberauth, I’ve not seen that being possible in any other library yet. If you need the power then it is very nice. If you are making a simple sign-up site with no external links then eh, not needed.

As for Guardian, it is an awesome JWT library, and I use it for sockets and API endpoint, I ‘barely’ use it in my app (just as a ‘holder’ for a better lookup) and I instead use my PermissionEx library with the Canada library for permission handling in pages.


#44

@mayppong any update on Ueberauth + Coherence + ueberauth_identity ?

did this combination work for you?


#45

Sort of. It’s kind of working but I haven’t actually move any further than “oh it’s working, let’s move on to other part of the project now”.

I didn’t use Guardian though since I would have to also used hassox/guardian_db to prevent replay attack and consequently have to migrate couple more tables. It became a giant mess of many dependencies and tables very quickly. I haven’t found any good solution suggested short of more tables and more background processes.

I sort of stuck with Coherence once Ueberauth handed the request over. That said, I also made a package, birbnest, for storing session in an Agent on server-side instead of worrying about JWT stuff. It’s not really actively maintained since it’s a pet project and it’s not hard to hand-rolled yourself tbh. In any case, JWT wasn’t worth the effort for what I needed.


#46

this DOES feel like a mess imho, I just cracked my head on
guardiandb guardian ueberauth and now starting canary … I wish coherence
and exadmin had a bridge to later

surely one hex could combine all this in a standard way?


#47

Too many ways to do authorization though. There can be plug authorization, fine-grained permission that changes based on what is grabbed from the DB (like mine), etc… etc…


#48

I do agree, somewhat. Maybe not one hex to rule them all, but something like needing guardian and guardian_db seems silly. To me, this replay attack is a bug and guardian needs to be fixed. The fact that guardian_db has existed for so long and not folded into guardian yet doesn’t inspire confidence in Ueberauth.

That said, I’m not into the JWT anyway so I’m probably pretty bias against guardian already.


#49

Guardian_db is for when you are using a JWT as a session container, which you should not really be doing. JWT’s are intended for stateless API connections, the session should be used for stateful connections like HTTP.


#50

But doesn’t Guardian uses JWT to store session by default? Did I miss where you can configure Guardian to use other session storage?


#51

Guardian does not use any storage at all, it is nothing but a JWT generator and reader, designed for and works amazingly for API endpoints. Guardian_db uses storage (the database specifically) to ‘emulate’ a session storage for those who just want to use one thing for everything. But you ‘should’ be using the normal phoenix session storage to hold normal, like, HTTP web pages connections, and JWT is best for, say, websockets or stateless API endpoints or ‘passing’ information securely via the client to a different server or so.


#52

In case anyone stumbles upon this thread, I wrote a very simple blog post on how to roll your own authentication with Guardian and Comeonin.


#53

Hello Steve. Thanks for this awesome package. I’m trying Coherence and loving it. I’m just confused with the controllers. Where are they located? What’s the difference between passing and not passing --controllers to mix coherence.install? Again, thanks.


#54

what seems to be missing here is integration between Phoenix/Coherence (Rails equivalent Devise) and Phoenix/Ueberauth (Rails equivalent Omniauth)

Devise https://github.com/plataformatec/devise has an Omniauth module

Omniauthable: adds OmniAuth (https://github.com/omniauth/omniauth) support.

whereas Coherence doesn’t (afaik) https://github.com/smpallen99/coherence

it would be great for the ecosystem (i.e. me) if that was changed

:079:

I should also add I got Guardian, Guardian DB, Ueberauth & Canary basically working

would like to have ExAdmin and Coherence also… maybe that’s not realistic right now

it seems to me that an Coherence Ueberauthable module is an important missing piece

imho it would be great if Plataformatec could backfill this one !

I am new to Elixir but will see what I can contribute to this


#55
Marc,

Thanks for the feedback!!

If you don’t pass —controllers to the install task, the once located in the package are used. You can view them in your project at deps/coherence/web/controllers. If you use the —controllers option, they are generated in your project under web/controllers/coherence. Use the —controllers option if you want to customize them. Also note that if you generate the controllers, you need to name space them correctly in your router since the generated controllers are named MyProject.Coherence.SomeController.

Hope that helps,Steve


#56

Happened upon this gem today. It walks you through setting up coherence with satisfyingly pedantic detail.


#57

Hi Steve and others experienced in Coherence,

I did not pass --controllers during installation. But now I need to do some customizations. Should I just copy the controller I want to modify from deps/coherence/web/controllers to web/controllers/coherence?

Thanks for your help.

Marc


#58

Marc,

If you copy the controllers, just make sure you rename the modules and change the scope on your router.ex file.

Steve


#59

Got it. Thank you very much.


#60

Yes, but auth is a core feature for webapps, is it not?


#61

It is, but that’s not the point. The point is, that projects don’t all have the same requirements to the authentication system. One might need facebook and twitter oauth, the next does need jwt token authentication, another might just need http basic auth for an api and some other one simple cookie based session authenticatiom. Even none or all of them would be possible. Therefore it’s the better way to leave authentification to the users choice in the first place and not bother forcing a default way of handling authentication.


#62

I feel that adoption of the framework will be sped up if there is strong core support for 2-3 widely used authentication systems. Leaving it up to the user is more flexible for power users, but is a turn off for others. One could make your point about the templating system or the router or anything else.