And when everything is entirely untenable? I’ve been looking for an authentication solution for the app I want to build for 2 months now. To me, having to reinvent the wheel by building email confirmation, password reset emails, and all the little things that Devise provides in Rails is untenable. It seems like Coherence is the only solution for registration based authentication at the moment, tenable or not.
Exactly, those are useful for identity logins (which I am not using), but it would fit perfectly into, say, Ueberauth (which is an authentication framework, entirely pluggable, and coherence would fit inside it quite well).
Okay, I’ve been beating my head against the Phoenix authentication wall for over 2 months, and I’m about ready to give up on Phoenix as a whole. I first ran into this problem 2 years ago, but Phoenix wasn’t even in version 1 yet, so I figured I could come back to it later when auth was ready. Now, it’s been long enough that I really feel like auth should be simple and straightforward, and it simply isn’t.
My app is API only. I want built in user login and password, so I spent a while working on on following some tutorials that show how to build that with Guardian and Comeonin, but it’s incredibly frustrating to be reinventing the wheel like that, and I knew that there was no way I was going to be able to get past the authentication building part of my app without implementing email confirmation and password reset, which I could tell was going to be a huge headache. Given that I have a limited amount of time for working on personal projects, it seems like it would be half a year before I could move onto what I actually want to build.
So, since there’s no solution for standard login/password auth without reinventing the wheel, I decided that I could settle for Google OAuth for now (while waiting for someone to hopefully create a solution for login/password) and tried finding out how to use Ueberauth Google. This has also ended up running into a brick wall. I can’t find any tutorials, just examples, and the examples I find don’t even work when I try cloning their github repos. This includes the official ueberauth_examples, which, even if it did work, is far too complicated, since it implements all of their auth strategies rather than just one.
If anyone has any advice on how to proceed at this point, I’d really like to hear it, because this is incredibly painful. I really want to use Elixir/Phoenix, but this pain point has come to seem insurmountable.
I understand that too.
But this is very encouraging:
I haven’t given up on Phoenix but only because it seems to be the only viable framework for Elixir (and its strengths are obvious). However sure have put plans to use it on anything serious on the back burner. The frustration is that there seems to be a purity of architecture over getting things done philosophy. “this shouldn’t be in a framework”, “proper way of thinking about you app” “phoenix is not your application”. Not really impressed with that thinking if it means for every project I have to reinvent the wheel. Countless other frameworks either give authentication to you out the box OR have recommended packages that take care of basics like authentication. They are doing well and creating powerful apps. From an entrepreneurial viewpoint (and thats the focus of many companies) we want the basics covered to get proof of concept apps up and running fast and efficiently.
I was beginning to feel comfortable that coherence was close to being that. Disheartened to find out its not there yet. isn’t the whole point of working in a framework to take care of boilerplate things like this? Again doesn’t have to be in core so the “that shouldn’t be in the framework” doesn’t address the issue. Sure does need to be at least one package ready to go.
If it is API only, why not just use simple token auth? If you handle registration over API then that is just a simple username/password or whatever you want, just compare it to the database. The hard part of auth is either the UI (which does not exist for API endpoints beyond json or graphql or so) and third-party auth like google or github or so (which ueberauth handles wonderfully). Auth_pipe is looking useful soon as well and would also be fantastic for API endpoints. What more are you wanting beyond those?
I think the lack of a readily available authentication solution is a huge barrier to adoption for Phoenix and subsequently Elixir. It’s such a common requirement that it just feels bad having to spend time on it when you’re coming from Rails or Django or whatever. I’ve personally kind of tabled Phoenix indefinitely which is too bad because I consider channels to be a best in class feature.
It seems to me that the hardest part of authentication by far is dealing with users who have forgotten their authentication, and the entire point of using third party auth is to avoid that problem. I’ve tried ueberauth/google, but I can’t find an implementation that actually works. Though the problem on that front is more one of documentation, examples, and tutorials rather than not having the tools.
Hmm? I use google auth at work in ueberauth (and ldap, and a custom remote db access, and soon to be CAS) without issue?
Would Phauxth solve that concern?
It has support for confirmation and reset.
the example app ( https://github.com/riverrun/phauxth-example ) uses bamboo, which has an SMTPAdapter.
Two questions please:
- Has anybody done a systematic feature comparison of all these libraries?
- Have any of these libraries been formally audited?
Not as far as I’m aware…
Apparently somebody has written some blog posts about the libraries, and he liked Phauxth the most: http://www.alexafshar.com/blog.html
So I’ve been working on a solution myself since nothing really worked that well for my team. Coherence is the closest to a full feature authentication solution, but it has been built like a Rails monolith app which handles poorly in our elixir environment.
I took the approach to make a library that’s both modular and as plug n’ play as possible. It took much longer to build than I anticipated, but I think it has a strong foundation that will make it easy to work with and expand upon.
I would love to get some feedback to prepare for the 1.0.0 release. We got one app running in production with Pow (switched from Coherence). I’ll probably do the full release next month when we’ve deployed a second app with Pow to production.
There’s also PowAssent for multi-provider auth (OAuth, OAuth2, etc).
@danschultzer What are the advantages of Pow over Guardian? For example, I noticed there is the ability to utilize Guardian for the session plug (https://github.com/danschultzer/pow#authorization-plug), but why not just use Guardian instead of Pow in that case?
They don’t compare as Pow provides the whole user registration framework (ecto schema, phoenix controller/templates), while Guardian is an authentication library. Pow has built-in session based authentication, that can be replaced with Guardian or you own custom authentication.
So if you use Pow, then almost all the steps in the get started tutorial in Guardian is taken care of by Pow: https://github.com/ueberauth/guardian/blob/9addcdfc523828cf7eb21ee6bc78c91e9156e1c4/guides/tutorial/start-tutorial.md
Pow also has password reset, email confirmation, “remember me” and multi-provider extensions. Pow is built to make it faster, easier and more secure for developers to add user registration to their app, while keeping it easy to customize (e.g. using Guardian JWT for authentication).
Thanks for the clarification!
Also, after thinking about this the last few days, I’ve decided to go with the default Pbkdf2 hashing for the project I’m working on right now. I had asked you about Argon2 for a potential project that would require it. Glad to see you dropped in those instructions on the README.