Greater_Good
Ueberauth, Ruby CAS and other SSO options for Elixir or Phoenix
When I researched Elixir earlier this year, I was told that there wasn’t a CAS server app for it similar to Ruby CAS. Someone today told me that they think Ueberauth is an implementation of CAS for Elixir. Is this correct? The appeal of CAS (and Ruby CAS) is I’ve read that CAS handles OpenID Connect (and also Oauth2 since OpenID Connect is built on Oauth2), and SAML, and offers other benefits. If Ueber is an implementation of CAS, does it implement all aspects of CAS or … which things does it not? If it’s not an implementation of CAS, what features/benefits of CAS does it have and what does it lack?
We are a nonprofit looking for a solution for SSO on multiple Elixir websites/apps that automatically recognizes and logs in users to all our sites if they’ve logged into any one of the sites. We’d ideally like to allow people to register using their social media accounts; and would like maximum flexibility going forward such as being able to integrate with outside services like Salesforce, allowing third-party partner users to ping the APIs of some of our websites and being able to integrate with our own non-Elixir apps.
We’re in the process of choosing a developer to implement a solution and the applicants are recommending different solutions (some Ueber, some Ruby CAS, one Jasig CAS, etc.) I’m having a tough time deciding which approach to go with. Has anyone used Ueber for SSO on multiple Elixir websites/apps and how time consuming was it to do and how bug-free was it? Has anyone used Ruby CAS recently and how bug free was it? Would appreciate input on any aspects of Ueber, CAS or other solutions.
Most Liked
OvermindDL1
Guardian is a token library, don’t touch it. You probably want Ueberauth with one of it’s strategies.
dstockdale
Ueberauth is great at what it does, which is handle the initial oath authentication. That’s it’s only goal so it doesn’t offer to handle your sessions, yet alone do any kind sort of single sign on.
I did evaluate Ruby CAS years ago when looking at a single sign on solution for someone. I found the whole thing a bit over complicated but haven’t actually used it so could be wrong. It’s not being maintained either which is alarming.
More recently I was looking for a lighter approach to SSO and found a sass offering from Auth0 https://auth0.com/docs/sso/current. This looked practical for at least doing a quick prototype and assessing how it would all work.
LostKobrakai
I think you’re missing the distinction between CAS server and CAS client. The ueberauth strategy is an implementation of a CAS client. So you can login to your elixir app by signing in at your CAS server. The server might be running casino or any other CAS server implementation. Ueberauth will never provide a CAS server implementation. At most it might be used as part of a CAS server implementation to authenticate users against further 3rd party services, like e.g. twitter or google.
leifericf
I have also been investigating the possibilities for using OpenID Connect in a Phoenix project. The best Elixir library I have found so far is Shield, as @Greater_Good also mentioned above. Unfortunately, that library does not seem to be actively maintained, and it has some critical open issues.
Luckily, there exists a Certified OpenID Connect Implementation for Erlang, called oidcc. This library seems to be more robust and actively maintained. OpenID Connect itself is also extensively documented on their website, where they also provide two implementer’s guides.
Since Elixir can leverage Erlang libraries, I’m considering to use oidcc directly, perhaps creating some abstractions of my own as necessary, using the official OpenID documentation as a guide.
Update: Yeah… I did some more testing and reading today, and managed to get a rudimentary Phoenix app up and running with the aforementioned Erlang oidcc library. Now I know how much I don’t know. It doesn’t seem like oidcc does what I thought it does. As far as I understand, it’s a server-side library, not a client library, and so it doesn’t perform the desired “OAuth Dance” (Authorization Code strategy needed for Azure AD) with token verification, etc. So, I’ll probably be using oauth2 instead, possibly guardian or ueberauth. But first, I’ve got some more reading to do…







