Phoenix and Rails
Authentication
Introducing Phoenix Auth APIs to a diverse ecosystem.
Slide 2
Hi! I'm Andrew.
I work here.
Slide 3
I'm a bike commuter
A while ago I built a bunch of little tools to track where I was going
on my bike.
Slide 4
Sooo many different things
It's kind of a mess:
GPS track ingestion in Node and JS, Mongo
Visualization in Ruby on Rails
Storage in PostgreSQL
Authentication & identity in... TBD
Slide 5
What the app is
Slide 6
I know, I'll use Elixir!
Idea: What if I introduced Elixir into my project as an identity service?
Responsibilities:
Authentication
Authorization (TBD)
Slide 7
Fell in love!
Slide 8
Desired architecture
Introduce an identity system, which will store the list of users and
their tokens - and manage sessions, too!
Slide 9
Step 1: Phoenix app from scratch
Played with Ueberauth
Wrote a plugin: ueberauth_strava
Wrote it inside my Elixir app, then extracted into its own hex
package.
Ueberauth is kind of like OmniAuth
Slide 10
Demo
See: Ueberauth code
Slide 11
Step 1, done:
At this point, the app can log you in with Strava (SSO via OAuth2 through Ueberauth) and find or create the matching user account. It also stores the user's Strava OAuth token.
Slide 12
Step 2: Research authentication
Ueberauth is closely aligned with Guardian, which pushes you to
use JWT (JSON Web Tokens) as an auth and session mechanism.
Slide 13
JWT, briefly.
www.jwt.io
A JSON payload, base64url-encoded and signed (or encrypted), that carries:
Claims (subject, authorizations, permissions)
An expiry time (the exp claim)
A header naming the signing algorithm, plus the signature itself
Store it in:
Cookie? Local Storage? (Local Storage is readable by any script on the page, so a single XSS bug leaks the token; an HttpOnly cookie is not.)
Slide 14
Step 2, findings:
Hm, that might not be for me. Why not?
Session expiry is complicated: a signed token stays valid until its exp claim, so logging a user out early means keeping server-side revocation state, which is exactly what a session store already gives you.
Complex implementation for what a session cookie already does
Overkill - this is just a side project!
See: "Stop Using JWT For Sessions"
Slide 15
Step 3: Rails and Phoenix session sharing!
Rails and Phoenix run parallel implementations of the Rails cookie-session format: the same serialization, signing and encryption on both sides, so each app can read and write the other's session cookie. The session lives in the cookie itself, not in a server-side store.
I wrote a blog post on this: Rails, Meet Phoenix
Slide 17
How to do this:
Set up Phoenix and Rails with the same:
secret_key_base (the Rails SECRET_KEY_BASE)
cookie name (the Rails session key, e.g. _myapp_session)
cookie salts: the encrypted-cookie salt and the signing salt
cookie serializer: JSON on both sides (with Marshal, anyone holding secret_key_base can craft a cookie that deserializes to arbitrary Ruby objects)
Rails derives each cookie key from secret_key_base and its salt with PBKDF2, so the iteration count, key length and digest have to agree as well.
Then add the plug library PlugRailsCookieSessionStore
secret_key_base now unlocks every session in both apps: treat it as one shared secret, keep it out of source control, and rotate it in both places at once.
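As an added illustration (not the deck's code, the blog post's, or PlugRailsCookieSessionStore's), here is a simplified Ruby model of what both sides have to agree on: the same secret_key_base stretched through PBKDF2 with either the encrypted-cookie salt or the signing salt, the same cipher (AES-256-GCM, as Rails 5.2+ uses) and the same JSON serializer. It assumes Rails' pre-7.1 default of SHA-1 key derivation with 1000 iterations and leaves out the metadata envelope newer Rails versions wrap around the payload; the secret, salts and session data in the demo are constructed.

```ruby
require "openssl"
require "json"
require "cgi"

# Simplified model of the Rails cookie session format, written for this page.
# It is not ActiveSupport's code and not PlugRailsCookieSessionStore. Assumed:
# Rails 5.2+ encrypted cookies (AES-256-GCM), the JSON serializer, and the
# PBKDF2-HMAC-SHA1 key derivation ActiveSupport::KeyGenerator used by default
# before Rails 7.1. Real Rails versions also add a purpose/expiry envelope
# around the payload, which a cross-framework store must reproduce too.
module RailsCookieModel
  ITERATIONS = 1000                              # ActiveSupport::KeyGenerator default
  ENC_SALT   = "authenticated encrypted cookie"  # Rails default salt strings
  SIGN_SALT  = "signed cookie"
  CIPHER     = "aes-256-gcm"
  TAG_LEN    = 16

  def self.b64(bytes)  = [bytes].pack("m0")
  def self.unb64(text) = text.unpack1("m0")      # strict: raises ArgumentError on junk

  # Every cookie key is secret_key_base stretched with a salt; a different salt,
  # iteration count or length yields an unrelated key and an unreadable cookie.
  def self.derive_key(secret_key_base, salt, length)
    OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, ITERATIONS, length)
  end

  # Encrypted session cookie: base64(ciphertext)--base64(iv)--base64(tag), URL-escaped.
  def self.encrypt_session(secret_key_base, session, enc_salt: ENC_SALT)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = derive_key(secret_key_base, enc_salt, cipher.key_len)
    iv = cipher.random_iv
    cipher.auth_data = ""
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    CGI.escape([ciphertext, iv, cipher.auth_tag(TAG_LEN)].map { |p| b64(p) }.join("--"))
  end

  # Returns the session hash, or nil for anything that does not authenticate:
  # wrong secret, wrong salt, altered ciphertext, truncated tag, bad encoding.
  def self.decrypt_session(secret_key_base, cookie_value, enc_salt: ENC_SALT)
    parts = CGI.unescape(cookie_value.to_s).split("--")
    return nil unless parts.length == 3
    ciphertext, iv, tag = parts.map { |p| unb64(p) }
    return nil unless tag.bytesize == TAG_LEN    # GCM must see a full-length tag
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = derive_key(secret_key_base, enc_salt, cipher.key_len)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end

  # Signed (unencrypted) cookie, laid out like Rails' MessageVerifier:
  # base64(json)--hex(HMAC-SHA1). Same secret, different salt, 64-byte key.
  def self.sign(secret_key_base, payload, sign_salt: SIGN_SALT)
    key  = derive_key(secret_key_base, sign_salt, 64)
    data = b64(JSON.generate(payload))
    "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", key, data)}"
  end

  def self.verify(secret_key_base, signed, sign_salt: SIGN_SALT)
    data, digest = signed.to_s.split("--", 2)
    return nil if data.nil? || digest.nil?
    key = derive_key(secret_key_base, sign_salt, 64)
    return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA1", key, data), digest)
    JSON.parse(unb64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Constant-time equality; a plain == would leak how many digest bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "0" * 128                             # constructed secret_key_base
  cookie = RailsCookieModel.encrypt_session(secret, { "user_id" => 42 })
  p RailsCookieModel.decrypt_session(secret, cookie)                        # {"user_id"=>42}
  p RailsCookieModel.decrypt_session(secret, cookie, enc_salt: "other")     # nil
end
```

Change any one shared setting on the reading side and the cookie simply stops authenticating, which is what a salt or serializer mismatch between the two apps looks like in practice: every request appears logged out, with no error beyond an unreadable cookie. The Phoenix side feeds the same inputs (cookie key, secret, salts, serializer) to its session plug under that library's option names.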
Slide 18
Tada!
Slide 19
Finally: open a Users API
Internal apps can call it to get the list of users and their tokens.
GET /users
Simple bearer-token auth, served over TLS only. Compare the presented token in constant time, and treat the response as sensitive: the tokens it returns are credentials, not just identifiers.
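An added illustration of that bearer-token guard (not the deck's Phoenix code), written as a Rack-style call(env) handler in Ruby so it runs stand-alone; an Elixir plug would do the same check with Plug.Crypto.secure_compare/2. The module, function names and the USERS sample data are constructed for the example.

```ruby
require "openssl"
require "json"

# Rack-style GET /users endpoint guarded by a static bearer token, written for
# this page as an illustration; names are hypothetical and USERS is constructed.
module UsersApi
  USERS = [
    { "id" => 1, "name" => "andrew", "provider" => "strava", "token" => "tok-constructed-1" },
    { "id" => 2, "name" => "sam",    "provider" => "strava", "token" => "tok-constructed-2" },
  ].freeze

  # Compare SHA-256 digests byte by byte so neither the token length nor the
  # position of the first mismatching byte shows up in the response time.
  def self.token_matches?(presented, expected)
    a = OpenSSL::Digest::SHA256.digest(presented)
    b = OpenSSL::Digest::SHA256.digest(expected)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Pull the token out of "Authorization: Bearer <token>"; nil for anything else.
  def self.bearer_token(env)
    scheme, token = env["HTTP_AUTHORIZATION"].to_s.strip.split(/\s+/, 2)
    return nil unless scheme && scheme.casecmp?("Bearer") && token && !token.empty?
    token
  end

  # Returns a Rack triple: [status, headers, body].
  def self.call(env, api_token:)
    # "Protected over SSL": do not even evaluate the token on a plaintext request
    # (behind a TLS-terminating proxy, check X-Forwarded-Proto instead).
    unless env["rack.url_scheme"] == "https"
      return [403, { "content-type" => "text/plain" }, ["https required"]]
    end
    presented = bearer_token(env)
    unless presented && token_matches?(presented, api_token)
      return [401, { "www-authenticate" => 'Bearer realm="users"' }, [""]]
    end
    unless env["REQUEST_METHOD"] == "GET" && env["PATH_INFO"] == "/users"
      return [404, { "content-type" => "text/plain" }, ["not found"]]
    end
    # The body carries OAuth tokens, so tell every cache on the path not to keep it.
    [200, { "content-type" => "application/json", "cache-control" => "no-store" },
     [JSON.generate(USERS)]]
  end
end
```

Because the expected token is compared in digest form, the same helper works for a token stored hashed on the server side: keep a digest in configuration rather than the raw value, and a leaked config file no longer hands out the key to the user list.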
Slide 20
Soooooo...
Slide 21
Which brings us here...
cyclecity.io
Slide 22
Takeaways
Get started with Elixir however you can.
Just because it's shiny... doesn't mean you have to use it!
Slide 23
Thanks!
Track your rides! cyclecity.io
Me:
[email protected]
twitter.com/@andrewhao
github.com/andrewhao