-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token based authentication with Phoenix #268
Comments
Hi @SimonLab, thanks for opening this issue. 🙌
This question is related to: dwyl/auth#34 |
Here is my current understanding of the authentication (and authorisation) system:
I guess it wasn't clear for me how the auth application and the main application are communicating, is the above diagram correct? |
@SimonLab indeed from this diagram, it is not clear to me either how the 3 parts are communicating. 😉 |
I've been refreshing my memory by reading about JWT, the issues from the Auth repository and Phoenix umbrella app.
Having a specific application to manage the authentication/authorisation makes it independent from the main application and reduce the complexity of the code. Now the question is how to achieve this. The issue dwyl/auth#25 mention using a Phoenix umbrella application. If we want to keep the complexity of the project low I don't think an umbrella app might be the right choice as it doesn't really decoupled the main app form the auth app:
also https://elixirforum.com/t/phoenix-to-go-with-umbrella-or-not-new-project/16414 Another idea is to create a "normal" Phoenix application which will be used as an API to manage authentication, authorisation and user sessions. It's what I've tried to describe in the diagram above with the "Auth App". It's also what @RobStallion seems to have tested dwyl/auth#34 (comment) I'm keen to go with the API Phoenix application for auth. I think we need first to clean the repository as we won't need for the first version Alog or dependencies like Ueberauth |
@SimonLab can you please open an issue for that so we can ensure that both packages use the same version? Thanks! ☀️ |
@SimonLab what do you think about this diagram: Workflow
Please let me know if you have time for a quick Zoom call to discuss. (or if it's already clear, comment) |
Next I'm looking at: https://github.com/joken-elixir/joken 👀 |
The diagram on #268 (comment) makes sense. The only aspect I'll need to see more in detail is the role of the referrer and how to save it and use it. |
@SimonLab thanks for confirming that the diagram is clear. 👍
|
after testing the oauth flow with a client via our application API I realised that the last step when getting the oauth token, ie the redirect endpoint defined in your oauth application, won't reply automatically to the client.
I will also look at the following Elm package: https://github.com/truqu/elm-oauth2/tree/6.0.0 |
I've done more reading about the different options to let a user authenticate with Oauth. Once the application receives the token we can then send this token to our API. It will then use this token to get the user information, create a jwt from this data and create a new session for the user. |
@SimonLab what is the difficulty with redirecting to the The "Implicit Flow" is for SPAs that don't have a way of storing secrets on the client. |
Yes I just realised that I over complicated the flow, not sure why I blocked on this and thought the backend wouldn't be able to send the response to the right client. It's working well with a redirect and passing the jwt as a query parameter, for example the phoenix controller can be: def index(conn, %{"code" => code}) do
{:ok, token} = ElixirAuthGoogle.get_token(code, conn)
{:ok, profile} = ElixirAuthGoogle.get_user_profile(token.access_token)
# Create auth token from profile email
# Create session
redirect(conn, external: "https://appelm.herokuapp.com?jwt=yeaaajwt.yeaaaa.aaaey")
#render(conn, "index.json", profile: profile)
end I need now to remember how to manage routes with Elm: https://guide.elm-lang.org/webapps/navigation.html |
One the previous comment, the code show how to send back a jwt from the api to the client with a redirect: redirect(conn, external: "https://appelm.herokuapp.com?jwt=yeaaajwt.yeaaaa.aaaey") However we want to avoid hardcoding the redirection url as different clients (i.e domain name) will be able to access. So we need a way to send the jwt to the correct client. A way for the server to know where to redirect is to use the referer = case List.keyfind(conn.req_headers, "referer", 0) do
{"referer", referer} ->
referer
nil ->
IO.puts "no referer"
nil
end
google_url = ElixirAuthGoogle.generate_oauth_url(conn) <> "&state=#{referer}"
github_url = ElixirAuthGithub.login_url_with_scope(["user:email"]) <> "&state=#{referer}" When the user click on the link, oauth will redirect to the callback url defined in the oauth application with the def index(conn, %{"code" => code, "state" => client}) do
{:ok, token} = ElixirAuthGoogle.get_token(code, conn)
{:ok, profile} = ElixirAuthGoogle.get_user_profile(token.access_token)
redirect(conn, external: "#{state}?jwt=yeaaajwt.yeaaaa.aaaey")
end We can later on use another jwt for the state. This will allow the API server to verify the redirection url: |
@SimonLab do we need to update our |
elixir_auth_github contains a function to add a state: However at the moment I'm concatenating the state to the url in the application. Maybe we could combine the functions by passing an Elixir map/struct containing all the query parameter we want to add: %{scope: ["user:email"], state: "redirect to..."} I'd like also to add an option to be able to specify the callback url. At the moment it is hardcoded in |
@SimonLab yeah, that |
This is taking shape in https://github.com/dwyl/auth_plug 🚧 |
The |
@SimonLab as the original "owner" of this issue, can you confirm if the |
|
The current authentication is using Phoenix session:
https://github.com/dwyl/app-mvp-phoenix/blob/d0b43ba3ee95bc292cdf4d79fffab5bfed36198a/lib/app_web/controllers/google_auth_controller.ex#L24-L41
and the login function:
https://github.com/dwyl/app-mvp-phoenix/blob/d0b43ba3ee95bc292cdf4d79fffab5bfed36198a/lib/app_web/controllers/auth_controller.ex#L24-L29
I'm looking now at how to create a token based authentication which can be used with an API and allowing clients (e.g Elm application) to authenticate with the Phoenix backend.
Looking at: dwyl/auth#38
The text was updated successfully, but these errors were encountered: