User authentication in Phoenix?

And when everything is entirely untenable? I’ve been looking for an authentication solution for the app I want to build for 2 months now. To me, having to reinvent the wheel by building email confirmation, password reset emails, and all the little things that Devise provides in Rails is untenable. It seems like Coherence is the only solution for registration-based authentication at the moment, tenable or not.

Exactly, those are useful for identity logins (which I am not using), but it would fit perfectly into, say, Ueberauth (which is an authentication framework, entirely pluggable, and Coherence would fit inside it quite well).

Okay, I’ve been beating my head against the Phoenix authentication wall for over 2 months, and I’m about ready to give up on Phoenix as a whole. I first ran into this problem 2 years ago, but Phoenix wasn’t even in version 1 yet, so I figured I could come back to it later when auth was ready. Now, it’s been long enough that I really feel like auth should be simple and straightforward, and it simply isn’t.

My app is API only. I want built-in user login and password, so I spent a while working on following some tutorials that show how to build that with Guardian and Comeonin, but it’s incredibly frustrating to be reinventing the wheel like that, and I knew that there was no way I was going to be able to get past the authentication-building part of my app without implementing email confirmation and password reset, which I could tell was going to be a huge headache. Given that I have a limited amount of time for working on personal projects, it seems like it would be half a year before I could move on to what I actually want to build.

So, since there’s no solution for standard login/password auth without reinventing the wheel, I decided that I could settle for Google OAuth for now (while waiting for someone to hopefully create a solution for login/password) and tried finding out how to use Ueberauth Google. This has also ended up running into a brick wall. I can’t find any tutorials, just examples, and the examples I find don’t even work when I try cloning their GitHub repos. This includes the official ueberauth_examples, which, even if it did work, is far too complicated, since it implements all of their auth strategies rather than just one.

If anyone has any advice on how to proceed at this point, I’d really like to hear it, because this is incredibly painful. I really want to use Elixir/Phoenix, but this pain point has come to seem insurmountable.

4 Likes

I understand that too.
But this is very encouraging:

I haven’t given up on Phoenix, but only because it seems to be the only viable framework for Elixir (and its strengths are obvious). However, I sure have put plans to use it on anything serious on the back burner. The frustration is that there seems to be a purity-of-architecture-over-getting-things-done philosophy: “this shouldn’t be in a framework”, “proper way of thinking about your app”, “Phoenix is not your application”. Not really impressed with that thinking if it means for every project I have to reinvent the wheel. Countless other frameworks either give authentication to you out of the box OR have recommended packages that take care of basics like authentication. They are doing well and creating powerful apps. From an entrepreneurial viewpoint (and that’s the focus of many companies) we want the basics covered to get proof-of-concept apps up and running fast and efficiently.

I was beginning to feel comfortable that Coherence was close to being that. Disheartened to find out it’s not there yet. Isn’t the whole point of working in a framework to take care of boilerplate things like this? Again, it doesn’t have to be in core, so the “that shouldn’t be in the framework” doesn’t address the issue. There sure does need to be at least one package ready to go.

6 Likes

If it is API only, why not just use simple token auth? If you handle registration over the API then that is just a simple username/password or whatever you want; just compare it to the database. The hard part of auth is either the UI (which does not exist for API endpoints beyond JSON or GraphQL or so) or third-party auth like Google or GitHub or so (which Ueberauth handles wonderfully). Auth_pipe is looking useful soon as well, and would also be fantastic for API endpoints. What more are you wanting beyond those?
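To make the "simple token auth" suggestion above concrete, here is an added example of a bearer-token Plug for an API-only Phoenix app. It is not code from this thread or from any of the libraries it names. The module names (`MyAppWeb.Plugs.ApiTokenAuth`, `MyApp.Accounts`, `MyApp.Repo`, `MyApp.Accounts.User`) and the `api_token_hash` column are assumptions for the example; `Plug.Conn`, `Phoenix.Controller.json/2`, `Ecto.Repo.get_by/2` and the Erlang `:crypto` calls are real APIs. The token itself is never stored: only its SHA-256 hash is, so a leaked database row does not yield a usable credential, and the lookup is by hash rather than by a string compare on the raw token.

```elixir
defmodule MyApp.Accounts do
  # Assumed context module: looks up users by the hash of an API token.
  # `MyApp.Repo` and `MyApp.Accounts.User` (with an `api_token_hash`
  # string column) are assumptions made for this example.
  alias MyApp.Repo
  alias MyApp.Accounts.User

  # Generate a fresh random token. Returns {raw_token, hash}: hand the raw
  # token to the client once, persist only the hash on the user record.
  def generate_api_token do
    raw = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    {raw, hash_token(raw)}
  end

  # SHA-256 is fine here because the token is high-entropy random data,
  # unlike a user-chosen password (which would need Pbkdf2/Argon2).
  def hash_token(raw) when is_binary(raw) do
    :crypto.hash(:sha256, raw) |> Base.encode16(case: :lower)
  end

  # Lookup by hash: an attacker who sees the database cannot replay tokens.
  def get_user_by_api_token(raw) when is_binary(raw) do
    case Repo.get_by(User, api_token_hash: hash_token(raw)) do
      nil -> {:error, :not_found}
      %User{} = user -> {:ok, user}
    end
  end
end

defmodule MyAppWeb.Plugs.ApiTokenAuth do
  # Plug that requires `Authorization: Bearer <token>` on API requests.
  # Rejects with 401 on a missing, malformed or unknown token.
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user} <- MyApp.Accounts.get_user_by_api_token(token) do
      assign(conn, :current_user, user)
    else
      _ ->
        # Same response for every failure so the API does not reveal
        # whether a token exists.
        conn
        |> put_status(:unauthorized)
        |> Phoenix.Controller.json(%{error: "unauthorized"})
        |> halt()
    end
  end
end

# Wiring in the router (assumed `MyAppWeb.Router`):
#
#   pipeline :api_authenticated do
#     plug :accepts, ["json"]
#     plug MyAppWeb.Plugs.ApiTokenAuth
#   end
#
#   scope "/api", MyAppWeb do
#     pipe_through :api_authenticated
#     resources "/things", ThingController, except: [:new, :edit]
#   end
```

Registration or a login endpoint would verify the username/password against the database (with a slow password hash such as Pbkdf2 or Argon2, as later posts in this thread discuss), then call `generate_api_token/0`, store the hash on the user and return the raw token in the JSON response. Revocation is a matter of clearing or rotating `api_token_hash`.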

I think the lack of a readily available authentication solution is a huge barrier to adoption for Phoenix and subsequently Elixir. It’s such a common requirement that it just feels bad having to spend time on it when you’re coming from Rails or Django or whatever. I’ve personally kind of tabled Phoenix indefinitely which is too bad because I consider channels to be a best in class feature.

4 Likes

It seems to me that the hardest part of authentication by far is dealing with users who have forgotten their authentication, and the entire point of using third party auth is to avoid that problem. I’ve tried ueberauth/google, but I can’t find an implementation that actually works. Though the problem on that front is more one of documentation, examples, and tutorials rather than not having the tools.

Hmm? I use google auth at work in ueberauth (and ldap, and a custom remote db access, and soon to be CAS) without issue?

Would Phauxth solve that concern?

It has support for confirmation and reset.

https://hexdocs.pm/phauxth/Phauxth.Confirm.html

The example app ( https://github.com/riverrun/phauxth-example ) uses Bamboo, which has an SMTPAdapter.

Two questions please:

  • Has anybody done a systematic feature comparison of all these libraries?
  • Have any of these libraries been formally audited?

Thanks.

Not as far as I’m aware…

Apparently somebody has written some blog posts about the libraries, and he liked Phauxth the most: http://www.alexafshar.com/blog.html

1 Like

So I’ve been working on a solution myself, since nothing really worked that well for my team. Coherence is the closest to a full-feature authentication solution, but it has been built like a Rails monolith app, which handles poorly in our Elixir environment.

I took the approach of making a library that’s both modular and as plug-and-play as possible. It took much longer to build than I anticipated, but I think it has a strong foundation that will make it easy to work with and expand upon.

I would love to get some feedback to prepare for the 1.0.0 release. We got one app running in production with Pow (switched from Coherence). I’ll probably do the full release next month when we’ve deployed a second app with Pow to production.

https://elixirforum.com/t/pow-robust-modular-extendable-user-authentication-and-management-system/15807
https://github.com/danschultzer/pow

There’s also PowAssent for multi-provider auth (OAuth, OAuth2, etc).

11 Likes

@danschultzer What are the advantages of Pow over Guardian? For example, I noticed there is the ability to utilize Guardian for the session plug (https://github.com/danschultzer/pow#authorization-plug), but why not just use Guardian instead of Pow in that case?

They don’t compare, as Pow provides the whole user registration framework (Ecto schema, Phoenix controller/templates), while Guardian is an authentication library. Pow has built-in session-based authentication, which can be replaced with Guardian or your own custom authentication.

So if you use Pow, then almost all the steps in the getting-started tutorial in Guardian are taken care of by Pow: https://github.com/ueberauth/guardian/blob/9addcdfc523828cf7eb21ee6bc78c91e9156e1c4/guides/tutorial/start-tutorial.md

Pow also has password reset, email confirmation, “remember me” and multi-provider extensions. Pow is built to make it faster, easier and more secure for developers to add user registration to their app, while keeping it easy to customize (e.g. using Guardian JWT for authentication).

4 Likes

Thanks for the clarification!

Also, after thinking about this the last few days, I’ve decided to go with the default Pbkdf2 hashing :slight_smile: for the project I’m working on right now. I had asked you about Argon2 for a potential project that would require it. Glad to see you dropped those instructions into the README.

2 Likes

@danschultzer I see you created phoenix_oauth2_provider, kudos.

Curious what the difference is with this and the popular OAuth2?

I’d like to use something that easily connects with Pow.

OAuth2 is a client library, while PhoenixOauth2Provider is a provider/server library. If you’ve got an app running with Pow and you want to permit sign-in or registration with an OAuth 2.0 provider, then you should take a look at PowAssent.

2 Likes

Thanks Dan.

What I want to do is build a mobile app that can access data from my API/backend. Not interested in Twitter/Facebook/Google login.