View Source AshAuthentication (ash_authentication v4.0.0)

AshAuthentication provides a turn-key authentication solution for folks using Ash.


This package assumes that you have Ash installed and configured. See the Ash documentation for details.

Once installed you can easily add support for authentication by configuring the AshAuthentication extension on your resource:

defmodule MyApp.Accounts.User do
  use Ash.Resource,
    extensions: [AshAuthentication],
    domain: MyApp.Accounts

  attributes do
    uuid_primary_key :id
    attribute :email, :ci_string, allow_nil?: false
    attribute :hashed_password, :string, allow_nil?: false, sensitive?: true

  authentication do
    strategies do
      password :password do
        identity_field :email
        hashed_password_field :hashed_password

  identities do
    identity :unique_email, [:email]

If you plan on providing authentication via the web, then you will need to define a plug using AshAuthentication.Plug which builds a Plug.Router that routes incoming authentication requests to the correct provider and provides callbacks for you to manipulate the conn after success or failure.

If you're using AshAuthentication with Phoenix, then check out ash_authentication_phoenix which provides route helpers, a controller abstraction and LiveView components for easy set up.

Authentication Strategies

Currently supported strategies:

  1. AshAuthentication.Strategy.Password
    • authenticate users against your local database using a unique identity (such as username or email address) and a password.
  2. AshAuthentication.Strategy.OAuth2
  3. AshAuthentication.Strategy.MagicLink
    • authenticate by sending a single-use link to the user.


Add-ons are like strategies, except that they don't actually provide authentication - they just provide features adjacent to authentication. Current add-ons:

  1. AshAuthentication.AddOn.Confirmation
    • allows you to force the user to confirm changes using a confirmation token (eg. sending a confirmation email when a new user registers).


Some add-ons or strategies may require processes to be started which manage their state over the lifetime of the application (eg periodically deleting expired token revocations). Because of this you should add {AshAuthentication.Supervisor, otp_app: :my_app} to your application's supervision tree. See the Elixir docs for more information.



Find all resources which support authentication for a given OTP application.

Given a subject string, attempt to retrieve a user record.

Return a subject string for user.


@type resource_config() :: %{
  domain: module(),
  providers: [module()],
  resource: module(),
  subject_name: atom()
@type subject() :: String.t()


Link to this function


View Source
@spec authenticated_resources(atom() | [atom()]) :: [Ash.Resource.t()]

Find all resources which support authentication for a given OTP application.

Returns a list of resource modules.


iex> authenticated_resources(:ash_authentication)
[Example.User, Example.UserWithTokenRequired]
Link to this function

subject_to_user(subject, resource, options \\ [])

View Source
@spec subject_to_user(subject() | URI.t(), Ash.Resource.t(), keyword()) ::
  {:ok, Ash.Resource.record()} | {:error, any()}

Given a subject string, attempt to retrieve a user record.

iex> %{id: user_id} = build_user()
...> {:ok, %{id: ^user_id}} = subject_to_user("user?id=#{user_id}", Example.User)

Any options passed will be passed to the underlying callback.

@spec user_to_subject(Ash.Resource.record()) :: subject()

Return a subject string for user.

This is done by concatenating the resource's subject name with the resource's primary key field(s) to generate a uri-like string.


iex> build_user(id: "ce7969f9-afa5-474c-bc52-ac23a103cef6") |> user_to_subject()