smpallen99 / coherence

Coherence is a full featured, configurable authentication system for Phoenix
MIT License
1.27k stars 224 forks

suggestion about project core #38

Closed nordbit closed 7 years ago

nordbit commented 8 years ago

Have a look at https://github.com/ueberauth/guardian I suggest building your system with Guardian; it's a flexible authentication framework with the "ueberauth" option for almost all social network authentication. Guardian + ueberauth + your work with all features like "trackable, registerable, invitable, etc.", sending email, and you have an amazing authentication system like Devise in Rails. Most authentication systems in Elixir/Phoenix tutorials on the net are based on Guardian, so it will be easy for users to switch to your "coherence".

praveenperera commented 8 years ago

I don't know if it is too late to make such sweeping changes, but I really like this suggestion.

The Phoenix community seems to be pretty familiar with Guardian, and Coherence would be great as a layer built on top of it.

agustif commented 8 years ago

A talk about ueberauth/guardian and others is taking place in the Oauth provider issue, in case any of you want to help with a PR doing that! https://github.com/smpallen99/coherence/issues/20

That'd be neat, just out of my scope tbh!

smpallen99 commented 8 years ago

After a very brief review of Guardian, it looks like it's mainly a JWT authorization package. Coherence does not offer JWT at this point, but offers session, token, and IP authentication. So, I don't think it's a question of basing Coherence on Guardian, but more about creating an integration with Guardian.

I think the changes would be pretty minimal for most of the Coherence functionality to work with Guardian plugs. So, perhaps a coherence_guardian package. We can look at the integration points needed for this package and make them so other authentication packages could easily be integrated.

If we do this right, we should be able to use Guardian (JWT), Ueberauth (OAuth client), and some existing OAuth provider package.

I'm not sure when I can get to this. I'm working on a few other requested features for Coherence right now. I also have a backlog of issues I need to look at for the Whatwasit and ExAdmin packages. I'm open to contributors to help out :)

loongmxbt commented 8 years ago

I think Coherence can be integrated with JWT solutions like Guardian/Openmaize. JWT and sessions both have their use cases. I found Coherence extremely useful as a common web-based app user account solution.

Hoping for someone to share articles or guides about Coherence + JWT + OAuth.

hisea commented 8 years ago

I've used Guardian/Ueberauth in a couple of projects and looked at Coherence internals a little bit tonight.

My understanding is that there is some overlap in functionality between Coherence and Guardian. For example, both provide authentication protection on individual requests.

I can understand OP's point if we think of Coherence as being like Devise in Rails, and Guardian as comparable to Warden for Rack. In the Rails/Ruby case, Devise uses Warden for its authentication part on individual requests, where Devise just handles the routing and front end of user registration and sessions.

If the core change to Coherence is not desirable at this time, I think it's still possible to do an integration package; there are a couple of options:

One option could be that this package provides a plug to substitute Coherence.Authentication.Session, which would take the JWT, decode it, set the session properly as Coherence requires, and sign in as Guardian requires for Ueberauth. So the user signs in to both frameworks. This way Coherence does the authentication, but the JWT is still available in the controller for adding/extracting additional payload.

Another option is to use Guardian to protect the request. Let Coherence manage user registration, password reset etc. and hand over authentication to Guardian after sign-in/password check, and use Guardian's authentication handler to dispatch failed requests to the appropriate Coherence routes.

Either way, some changes to Coherence are needed to make this happen. I'm thinking some kind of configurable pipeline or callbacks to allow additional functions to be called after sign in and sign out, i.e. (here), so the JWT creation step can happen for Guardian.

Any thoughts @smpallen99?

obsidienne commented 8 years ago

I'm not a big fan of JWT. It's not a correct use for session management; those blog posts are quite instructive: "stop using jwt for sessions part 1", "stop using jwt for sessions part 2". And with Guardian you need guardian_db to prevent playback attacks...
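An added example, not code from Coherence, Guardian or anyone in this thread, sketching hisea's first option (a plug that stands in for Coherence.Authentication.Session, verifies the bearer JWT and establishes the Coherence login) together with the server-side revocation state that obsidienne's point about guardian_db calls for. It assumes a Guardian 1.x style implementation module `MyApp.Guardian` (hypothetical; the Guardian 1.x API postdates this thread) and assumes `Coherence.Authentication.Session.create_login/2` and `delete_login/1` exist with those arities; `MyAppWeb.Plugs.GuardianCoherenceBridge` and `MyApp.TokenDenylist` are names chosen here.

```elixir
# Added example; not part of Coherence or Guardian. MyApp.Guardian is an assumed
# Guardian 1.x implementation module; Coherence.Authentication.Session.create_login/2
# and delete_login/1 are assumed to exist with these arities.
defmodule MyApp.TokenDenylist do
  @moduledoc """
  Minimal server-side revocation state keyed by the JWT `jti` claim.
  A signed JWT on its own stays valid until `exp`, so without a record like
  this a token presented after sign-out is still accepted. Guardian.DB plays
  this role in real deployments; the ETS table here is a stand-in for it.
  """
  @table :revoked_jti

  # Call once at application start (e.g. from the supervision tree).
  def init do
    :ets.new(@table, [:named_table, :public, :set, read_concurrency: true])
    :ok
  end

  # Record the token as revoked. Keeping `exp` alongside lets a periodic
  # sweeper prune rows whose tokens would be rejected on expiry anyway.
  def revoke(%{"jti" => jti, "exp" => exp}) when is_binary(jti) do
    :ets.insert(@table, {jti, exp})
    :ok
  end
  def revoke(_claims), do: {:error, :missing_jti}

  def check(%{"jti" => jti}) when is_binary(jti) do
    case :ets.lookup(@table, jti) do
      [] -> :ok
      _ -> {:error, :revoked}
    end
  end
  # A token without a jti cannot be individually revoked, so refuse it.
  def check(_claims), do: {:error, :missing_jti}
end

defmodule MyAppWeb.Plugs.GuardianCoherenceBridge do
  @moduledoc """
  Substitute for Coherence.Authentication.Session on an API pipeline: a valid,
  unrevoked bearer JWT establishes the Coherence login for this request and
  also exposes the Guardian resource, token and claims to the controller.
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    with {:ok, token} <- bearer_token(conn),
         {:ok, user, claims} <- MyApp.Guardian.resource_from_token(token),
         :ok <- MyApp.TokenDenylist.check(claims) do
      conn
      |> Coherence.Authentication.Session.create_login(user)
      |> Guardian.Plug.put_current_token(token)
      |> Guardian.Plug.put_current_claims(claims)
      |> Guardian.Plug.put_current_resource(user)
    else
      # Deliberately the same generic body for a missing, invalid, expired or
      # revoked token, so the response does not reveal which check failed.
      {:error, _reason} ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end

  defp bearer_token(conn) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] -> {:ok, token}
      _ -> {:error, :no_bearer_token}
    end
  end

  # Sign-out hook: revoke the presented token *and* drop the Coherence login,
  # so both frameworks agree that the session is over.
  def sign_out(conn) do
    case Guardian.Plug.current_claims(conn) do
      claims when is_map(claims) -> MyApp.TokenDenylist.revoke(claims)
      _ -> :ok
    end
    Coherence.Authentication.Session.delete_login(conn)
  end
end
```

`sign_out/1` is the sort of after-sign-out callback hisea mentions wanting a hook for; the plug itself is what would sit in the API pipeline in place of the Coherence session plug. The denylist only works if every issued token carries a `jti`, which is why `check/1` refuses tokens without one.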

cdesch commented 7 years ago

I think JWT authentication and OAuth should be roadmap items. I really like Coherence as it is familiar coming from a Rails perspective, but it needs JWT as a feature to support mobile apps as well as integrations with OAuth. I would love to write these additions myself, although I'm just not strong enough with Elixir/Phoenix to do so yet. Not having these features may determine going with Guardian/Ueberauth over Coherence.

smpallen99 commented 7 years ago

@hisea I respectfully disagree with the analogy "Coherence is like Devise, Guardian is like Warden" for the following reason: since Devise is built on top of Warden, and Guardian is like Warden, and Guardian provides only JWT authentication, then Devise would provide only JWT authentication.

tl;dr

I'm looking for someone(s) to set up projects using the different packages listed below and attempt an integration with Coherence. I can help with that integration based on a working project using Guardian, Uberauth, Shield, etc.

tl;dr

There is also a discussion thread in this issue about Ueberauth.

The model is more like:

Addressing Guardian and Ueberauth...

It should be very simple to use these with Coherence. If you just replace the Coherence plugs in the router with the plugs from these packages, it may just work. There may be some tweaking of routes needed to get them to play well.

I recommend that someone try and get them working together and take notes on what they needed to do with their project to get it working. If you would like, I'll review the notes and see if we can create a helper package to make the integration easier.

This is the same approach that I think we should use with Guardian to support JWT. I just don't think we should reinvent the wheel for these solutions. We should figure out a way to integrate them.

Another note. If we decide that something needs to be done at the plug level to make them work, then I can help create a Coherence plug interface. That may help if we need to create integration packages at the plug level.

I don't really have time to learn these auth packages at the moment, so I need help from someone willing to set up a project with the package working and then bring in Coherence. If I have working example projects, I should be able to help come up with an integration strategy.

Addressing OAuth Provider (i.e. Shield) Integration ...

I also suspect that this should seamlessly integrate with Coherence. It serves a different purpose, since it takes a request from an OAuth client to provide an authentication token.
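The router split described above ("replace the Coherence plugs in the router with the plugs from these packages"), as an added example rather than code from the project or this thread: Coherence plugs stay on the browser pipelines, a Guardian pipeline takes the JSON API, and neither framework's plug appears in the other's pipeline. `MyAppWeb`, `MyApp.Guardian`, `MyApp.Guardian.AuthPipeline`, `MyApp.Guardian.AuthErrorHandler` and the `ContactController` route are assumptions; the Guardian side uses the Guardian 1.x `Guardian.Plug.Pipeline` API (which postdates this thread), and the `realm: "Bearer"` option is as I recall it from the Guardian 1.0 README.

```elixir
# Added example; not Coherence's or Guardian's own code. Module names prefixed
# MyApp/MyAppWeb and the ContactController route are assumptions.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  use Coherence.Router

  # Browser traffic: Coherence owns login, registration, recovery and the
  # cookie session. Nothing here touches Guardian.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug Coherence.Authentication.Session
  end

  # Same pipeline, but requests without a Coherence login are rejected.
  pipeline :protected do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug Coherence.Authentication.Session, protected: true
  end

  # API traffic: Guardian verifies the bearer token. The Coherence plug is
  # simply absent here, which is the "replace the plugs" approach.
  pipeline :api do
    plug :accepts, ["json"]
    plug MyApp.Guardian.AuthPipeline
  end

  # Coherence's own public routes (sessions, registrations, recovery...).
  scope "/" do
    pipe_through :browser
    coherence_routes()
  end

  # Coherence routes that require a login (e.g. editing the registration).
  scope "/" do
    pipe_through :protected
    coherence_routes :protected
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    get "/", PageController, :index
  end

  scope "/api", MyAppWeb do
    pipe_through :api
    resources "/contacts", ContactController, only: [:index, :show]
  end
end

defmodule MyApp.Guardian.AuthPipeline do
  use Guardian.Plug.Pipeline,
    otp_app: :my_app,
    module: MyApp.Guardian,
    error_handler: MyApp.Guardian.AuthErrorHandler

  # Read the JWT from "Authorization: Bearer <token>", require it to verify,
  # then load the resource so controllers can call Guardian.Plug.current_resource/1.
  plug Guardian.Plug.VerifyHeader, realm: "Bearer"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end

defmodule MyApp.Guardian.AuthErrorHandler do
  @behaviour Guardian.Plug.ErrorHandler
  import Plug.Conn

  # API clients get a JSON 401 instead of the HTML redirect Coherence would
  # send a browser; `type` is Guardian's coarse failure category, and the
  # finer reason is deliberately not echoed back to the client.
  @impl Guardian.Plug.ErrorHandler
  def auth_error(conn, {type, _reason}, _opts) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(401, ~s({"error":"#{type}"}))
  end
end
```

With this layout the two frameworks never need to agree on a session format: a browser user is known to Coherence only, an API caller is known to Guardian only, and the only shared piece is the user schema that both look up.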

smpallen99 commented 7 years ago

@mustafaturan FYI

hisea commented 7 years ago

Hi @smpallen99

Thanks for the reply.

Sorry, I didn't mean that comparing Coherence/Devise/Warden/Guardian in the sense that Coherence has to follow the design decision that was made in Devise/Guardian i.e. use . I just wanted to point out that Guardian is similar to Warden in that it's an authentication layer at the Plug/Rack level, and Coherence provides a lot more functionality similar to Devise, i.e. the user profile flow (registration/login/password recovery); at the same time Coherence is also doing authentication, which overlaps with Guardian. If this is the design decision made by Coherence, I'm totally fine with it. We just need to figure out an easy integration path with OAuth/JWT plugs in terms of authentication because of the overlap of functionality. And I think a lot of the time a session store is a good enough, if not better, choice than JWT.

I will try to set up Coherence/Ueberauth in one of my newer projects and document the findings. I don't need JWT in this project and will try to see if I can just use Coherence/Ueberauth and bypass Guardian.

niccolox commented 7 years ago

I am interested in this. I'll try to set up a sandbox Phoenix app that uses the above and see if we can get some CI running.

how is that?

Coherence
Guardian
Ueberauth
Shield
ExAdmin (not above)

OvermindDL1 commented 7 years ago

For note:

niccolox commented 7 years ago

I thought Coherence Ueberauthable would be the missing piece of code

thanks for the feedback

cdesch commented 7 years ago

@niccolox I think it is a good idea to get a project together with them working together as @smpallen99 suggested earlier. At first, it was confusing for me as well on what domain each one handles. I now see (+1 for learning) how they can be used together and where each one fits best (e.g. Guardian for the JWT API and Coherence for base login on HTML pages). I don't think this is a Coherence problem, but more of a (at least for me) "...I came from Rails, I want similar libraries... wait!! what do you mean things are not the same as in Rails? .... oh, I get it. Now that it makes sense, I like this much better, it was silly of me to be looking for 1 for 1 substitutions"... more of a general understanding of the problem domain and how each library is applied.

Making an example project with each used in their own fashion might help a lot of people. Let me know if you create one @niccolox. I'll help and add on to it with where I had difficulty understanding.

I hope that makes sense. I bet @smpallen99 is getting tired of the Coherence == Devise reference.

niccolox commented 7 years ago

thanks again for all this, I forked an existing example https://github.com/FolkBot/contact_demo and was going to work on this

but I also saw Phoenix 1.3 rc 0 was out, so I thought I might start from scratch and cherry pick this, but I am not sure how the Coherence generators will work (or not)

I am not a Rails head so it's all new to me, aka Devise etc.

I've been schlepping around in PHP Web CMS for the last 5/8 years or so and Phoenix Elixir feels like back to the future, in the best possible way

will probably make my own Coherence+Ueberauth app based on my own projects with the new 1.3 style generators as a second step..

anyways, I hope to get to this, next few days

smpallen99 commented 7 years ago

My plan is to have the generators work with the 4 project structures that I'm aware of: `phoenix.new`, `phx.new`, `phx.new --umbrella`, `phx.new.web`, and `phx.new.ecto`. One issue right now is that I don't believe the new phx generators are complete yet. There does not seem to be a way to add contexts and schemas on projects that are created with `phx.new.web` and `phx.new.ecto`. I'm using them now in a project, but I have to create the schema and context in the web project and manually copy and namespace.

niccolox commented 7 years ago

I think I have Coherence, Guardian, Guardian DB, Ueberauth, Ueberauth Github and Ueberauth Identity pretty much all working together in a Phoenix 1.3 umbrella app

next step is to either use Canary or hand-roll a db based user role system

I used most of the Guardian auth code from hassox's Phoenix Guardian and a simple implementation of Coherence so far

I may fork Ueberauth Identity and make it Ueberauth Coherence (or something) ..

anyways, I can't publicly share the code, but can give a private gitlab share if that's useful

it's my second Phoenix project, it's still in development, so it's quite immature