Setting up Authorization in Phoenix web applications
Here's an exchange I've had on a few occasions when discussing a new
web app project:
Ok, I can't blame Bob for not wanting to talk about security and
authorization; it's not interesting or fun. However, dodging these kinds of
questions can leave us developers in a tough spot.
So what do you do in a situation like this, where the details are vague, but
you've got to start implementing something?
Well, you need to be careful, because you're facing a couple of big risks.
Without clear direction, you might end up:
- adding too few authorization checks, so that actions stay reachable by users
  who were never meant to have them,
- or adding unnecessary authorization features, which add complexity nobody
  asked for and that you'll have to maintain.
Here's my suggestion, for dealing with authorization when the requirements
are vague.
Choose an approach that:
- is simple and well understood
- is widely adopted
- follows the 80/20 rule (on features)
So what approach is simple and well understood?
This would have to be Role Based Access Control (RBAC), which has been around
for almost three decades. RBAC doesn't solve every authorization problem you
might have, but it is relatively simple and well understood.
So what's the most widely adopted approach?
Well, that would have to be Role Based Access Control as well. In fact, most
larger businesses use some form of role based access control in the systems
they run.
What do I mean by "follows the 80/20 rule"?
It means choosing the solution that takes ~20% of the effort of the more
sophisticated options, yet covers ~80% of the use cases you have.
Role Based Access Control feels like the perfect 80/20 solution.
So, how might you implement Role Based Access control in a Phoenix Web
application?
Check out the above free screencast to learn more.
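Here is one way such an RBAC layer can look in a Phoenix app. This is an added example, not code from the post or the screencast: the module names (`MyApp.Authorization`, `MyAppWeb.Plugs.RequirePermission`), the role/permission table and the assumption that an authentication plug (Pow, for instance) has already placed the signed-in user, with a `role` field, into `conn.assigns.current_user` are all illustrative.

```elixir
# Added example (not from the post or screencast): a minimal RBAC layer for a
# Phoenix app. Assumes an authentication plug has already put the signed-in
# user, with a `role` field, into `conn.assigns.current_user`. Module names
# and the role/permission table are illustrative assumptions.

defmodule MyApp.Authorization do
  @moduledoc """
  Single source of truth for which roles hold which permissions.
  Roles are coarse groupings; permissions are the actions the code checks.
  """

  @permissions %{
    "admin"  => [:manage_users, :edit_posts, :publish_posts, :view_posts],
    "editor" => [:edit_posts, :publish_posts, :view_posts],
    "author" => [:edit_posts, :view_posts],
    "reader" => [:view_posts]
  }

  @doc "True only if the user's role is known and that role grants the permission."
  def can?(%{role: role}, permission) when is_binary(role) and is_atom(permission) do
    permission in Map.get(@permissions, role, [])
  end

  # Anonymous users, and users with a missing, malformed or unknown role, get nothing.
  def can?(_user, _permission), do: false

  @doc "The permission list for a role; unknown roles have none."
  def permissions_for(role), do: Map.get(@permissions, role, [])
end

defmodule MyAppWeb.Plugs.RequirePermission do
  @moduledoc """
  Router/controller plug: `plug MyAppWeb.Plugs.RequirePermission, :edit_posts`.
  Halts with 401 when nobody is signed in and 403 when the signed-in user
  lacks the permission. Every path that does not match explicitly is denied.
  """
  import Plug.Conn
  alias MyApp.Authorization

  def init(permission) when is_atom(permission), do: permission

  # Signed-out request: the auth plug set current_user to nil.
  def call(%Plug.Conn{assigns: %{current_user: nil}} = conn, _permission) do
    deny(conn, 401, "authentication required")
  end

  def call(%Plug.Conn{assigns: %{current_user: user}} = conn, permission) do
    if Authorization.can?(user, permission) do
      conn
    else
      deny(conn, 403, "forbidden")
    end
  end

  # No current_user assign at all (auth plug missing from the pipeline):
  # treat as unauthenticated rather than letting the request through.
  def call(conn, _permission), do: deny(conn, 401, "authentication required")

  defp deny(conn, status, message) do
    conn
    |> send_resp(status, message)
    |> halt()
  end
end

# Router usage (illustrative). Gate routes by permission, not by role name,
# so adding a new role later means editing the table above, not every pipeline:
#
#   pipeline :can_edit_posts do
#     plug MyAppWeb.Plugs.RequirePermission, :edit_posts
#   end
#
#   scope "/posts", MyAppWeb do
#     pipe_through [:browser, :protected, :can_edit_posts]
#     resources "/", PostController, only: [:edit, :update]
#   end
#
# Or per action inside a controller:
#
#   plug MyAppWeb.Plugs.RequirePermission, :publish_posts when action in [:publish]
```

One caveat worth stating up front: a role check like this decides whether a user may perform a kind of action, not whether they may perform it on a particular record. If an author may edit only their own posts, the ownership check still has to happen in the controller or context when the post is loaded; RBAC alone does not cover it.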
Links
Authorization In Elixir & Phoenix with pow and pow_assent
Want to learn more about Elixir & Phoenix?
Check out my new course: Elixir & Phoenix for Beginners