1. 选择Session or JWT？

关于Session和JWT的区别和联系，可以看以下两篇文章：
[1] 什么是 JWT -- JSON WEB TOKEN
[2] 服务器session和jwt之争
[3] cookie session，jwt，弱一致性数据与重放攻击
[4] 为什么 APP 要用 token 而不用 session 认证？

总结，Web端用session+https没有什么问题，session注意加密即可。App/API端用JWT，注意实现的方式，jwt存在的目的是防止每次认证都hit database。

2. Überauth

Überauth是一个基于Plug的Elixir Web应用认证系统。

如果你熟悉 Ruby 你可以把 Plug 想成 Rack，再加上一点 Sinatra。它提供了编写 Web 应用组件的一组规范，以及接入 Web 服务器所需的一些适配器。虽然 Plug 不属于 Elixir 的核心库，但它依然是一个 Elixir 官方维护的项目。

关于Plug的更多介绍，可以参考以下两个链接：
[1] Plug Documentation
[2] Elixir School Plug

Ueberauth是一个两步认证框架，它提供了清晰的API，允许社区自定义许多认证策略。它深受Omniauth项目的启发，概念类似，但是实现上不同。Ueberauth提供的仅是初始的认证（初始OAuth流，从登录表单获取信息等），它并不会认证每个请求，这交给你应用来实现。你可以指定一个token或者把应用需要的结果放到session中。可以通过Guardian等来帮助你应用层面的认证，即请求级别的认证。

两个阶段是request和callback，这些阶段由策略Strategies实现。

2.1 Strategies 策略

Strategies是Plug，用来装饰拦截请求。

Strategies实现了两个步骤，然后允许request流过下面的plugs。根据strategies需求，实现request和callback两步是可选的。如果strategy不重定向，请求会装饰以Ueberauth的信息，并在pipeline中传递。

目前Strategies分为Provider Strategies和Developer Strategies：

Provider Strategies

• Facebook - Authenticate using the Facebook API.
• GitHub - Authenticate using the GitHub API.
• Google - Authenticate using the Google API.
• Paypal - Authenticate using the Paypal API.
• Slack - Authenticate using the Slack API.
• Twitter - Authenticate using the Twitter API.
• vk.com - Authenticate using the VK API.
• Weibo - Authenticate using the Weibo API.

Developer Strategies

• Identity - A basic username/password strategy.

2.2 Request Phase 请求步骤

The request phase is where you request information about the user. This could be a redirect to an OAuth2 authorization url or a form for collecting username and password. The request phase is concerned with only the collection of information. When a request comes in on the request phase url the relevant strategy will receive the handle_request! call.

请求步骤会请求用户信息。这一步会跳转到OAuth2认证url或者一个包含用户名密码的表单。请求步骤只关注信息。

2.3 Callback Phase 回调步骤

The callback phase is where the fun happens. Once a successful request phase has been completed, the request phase provider (OAuth provider or host site, etc) should call the callback URL. The strategy will intercept the request via the callback_phase!
. If successful, it should prepare the connection so the Ueberauth.Auth
struct can be created, or set errors to indicate a failure.

一旦请求步骤成功，请求步骤服务商（OAuth或者主站）会请求回调URL。这个策略会拦截callback_phase!的请求。如果成功，它会准备好连接，Ueberauth.Auth结构体被创建，如果失败，则报错。

3. Guardian

An authentication framework for use with Elixir applications.
Guardian is based on similar ideas to Warden but is re-imagined for modern systems where Elixir manages the authentication requirements.

Guardian remains a functional system. It integrates with Plug, but can be used outside of it. If you're implementing a TCP/UDP protocol directly, or want to utilize your authentication via channels, Guardian is your friend.

The core currency of authentication in Guardian is JSON Web Tokens (JWT). You can use the JWT to authenticate web endpoints, channels, and TCP sockets and it can contain any authenticated assertions that the issuer wants to include.

正如上面介绍的，Guardian为你应用请求进行认证，它并不校验密码或是从OAuth服务商获取信息。你可以通过Überauth或者构建自己的email/password认证基于Comeonin。Guardian只处理每个请求的认证。
Guardian looks after authenticating each request to your application. It doesn't do the initial checking of passwords or fetching information from an OAuth provider. For that you can use something like Überauth or roll your own email/password using something like Comeonin. Guardian handles each request authentication. Challenging users and confirming their credentials is up to your application. Guardian assumes that you have a user representation that you've confirmed already.

[1] http://blog.overstuffedgorilla.com/simple-guardian/

4. 其他框架

Openmaize
coherence - ExAdmin作者提供的用户登录注册系统
openmaize - 基于JWT的用户认证

5. 扩展阅读

[1] Phoenix Guardian 示例项目
[2] http://blog.overstuffedgorilla.com/
[3] https://www.youtube.com/watch?v=X6Z-sDSJ3sE