Generating a Guardian Secret Key

Posted on 29 Dec 2016 by Eric Oestrich

I’ve been working on a Phoenix project at work and I added authentication for the API via Guardian. Guardian is easy to use except for setting up the secret key. It took a few tries to finally get a key that worked, and it wasn’t easy to find out how.

Generate the key

To start, generate a key in iex -S mix.

jwk_384 = JOSE.JWK.generate_key({:ec, "P-384"})
JOSE.JWK.to_file("password", "file.jwk", jwk_384)

I placed this file in priv/repo/dev.jwk for development purposed. In staging/production I stick the file contents in an environment variable.

Configure Guardian

Once the key is generated, configure the application to load it.

config :guardian, Guardian,
  allowed_algos: ["ES384"],
  issuer: "MytApp",
  ttl: { 30, :days },
  secret_key: fn ->
    secret_key = MyApp.config(Application.get_env(:my_app, :secret_key))
    secret_key_passphrase = MyApp.config(Application.get_env(:my_app, :secret_key_passphrase))

    {_, jwk} = secret_key_passphrase |> JOSE.JWK.from_binary(secret_key)
  serializer: MyApp.GuardianSerializer
defmodule MyApp do
  def config({:system, env}), do: System.get_env(env)
  def config(value), do: value

I use this set of functions to allow loading config via environment variables.

Configure Environments

config :my_app, :secret_key_passphrase, "password"
config :my_app, :secret_key,!("priv/repo/dev.jwk")

Configure the dev environment.

config :venu, :secret_key_passphrase, {:system, "SECRET_KEY_PASSPHRASE"}
config :venu, :secret_key, {:system, "SECRET_KEY"}


I hope this helps better explain how to set up Guardian for your Phoenix project.

comments powered by Disqus
Creative Commons License
This site's content is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise specified. Code on this site is licensed under the MIT License unless otherwise specified.