adminAuth tokens function for jwt works in v1.3.5 but not in v2.1.4

Hi All,

We've got an implementation of Node-RED which sits behind Cloudflare and authenticates via the JWT process. In v1.3.5 this function worked well and wasn't a problem. When I upgraded to v2.1.4, this same function doesn't work anymore and just gives me a 401 - Unauthorized.

The node modules are loaded correctly and no error is being dumped into the logs of the container to say there's a problem, either.

This is the function that we're using:

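adminAuth: {
    tokens: function(token) {
        return new Promise(function(resolve, reject) {
            var jwt = require('jsonwebtoken');
            var jwksClient = require('jwks-rsa');
            // Client that fetches the signing keys from the JWKS endpoint
            var client = jwksClient({
                jwksUri: process.env.NODE_RED_JWKS_URI,
            });
            // Accept only RS256 tokens for the expected audience and issuer
            var options = {
                algorithms: [ 'RS256' ],
                audience: process.env.NODE_RED_JWT_AUDIENCE,
                issuer: process.env.NODE_RED_JWT_ISSUER
            };
            // Look up the public key matching the token's key id (kid)
            function getKey(header, callback){
                client.getSigningKey(header.kid, function(err, key) {
                    var signingKey = null;
                    try {
                        signingKey = key.publicKey || key.rsaPublicKey;
                    } catch (e) {
                        // No key returned: signingKey stays null and verification fails
                    }
                    callback(null, signingKey);
                });
            }
            jwt.verify(token, getKey, options, function(err, decoded) {
                if (err) {
                    // Invalid token: resolve with null so no user is authenticated
                    resolve(null);
                } else {
                    // The username value is missing from the post as captured
                    var user = { username: undefined, permissions: '*' };
                    resolve(user);
                }
            });
        });
    },
    tokenHeader: 'cf-access-jwt-assertion'
}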

So to clarify, this same function works fine when I roll back to 1.3.5 but doesn't authenticate me on 2.1.4.

Are there any additions I can make to it to perhaps show me in the console or the logs where it might be going wrong or failing?

After doing some more digging and logging, the user variable is getting assigned with the correct data, but it's still not assigning the user to the session.

Is there another flag somewhere else in the settings.js file which could be causing it to not work?
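
One way to get the visibility asked about above, as an added example that is not part of the original posts or of Node-RED's own code: a wrapper around the tokens function that logs whether a token arrived, its unverified header and claims, and what the function handed back. The names traceTokens, describeJwt and decodeSegment are hypothetical; the raw token and its signature are never written to the log.

```javascript
// Added example; traceTokens and describeJwt are hypothetical names, not Node-RED APIs.
// Paste above module.exports in settings.js, then use: tokens: traceTokens(function(token) { ... })

// Decode one base64url JWT segment to an object (no signature check, logging only).
function decodeSegment(segment) {
    var b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Summarise a token for the log without printing the token or its signature.
function describeJwt(token) {
    if (typeof token !== 'string' || token.length === 0) {
        return { present: false };
    }
    var parts = token.split('.');
    if (parts.length !== 3) {
        return { present: true, wellFormed: false };
    }
    try {
        var header = decodeSegment(parts[0]);
        var claims = decodeSegment(parts[1]);
        return {
            present: true, wellFormed: true,
            alg: header.alg, kid: header.kid, iss: claims.iss, aud: claims.aud,
            expired: typeof claims.exp === 'number' ? claims.exp * 1000 < Date.now() : null
        };
    } catch (e) {
        return { present: true, wellFormed: false };
    }
}

// Wrap a tokens function: log what arrived and what the function handed back.
function traceTokens(tokensFn, log) {
    log = log || console.log;
    return function(token) {
        log('[adminAuth] token ' + JSON.stringify(describeJwt(token)));
        return Promise.resolve().then(function() {
            return tokensFn(token);
        }).then(function(user) {
            var usable = !!(user && user.username && user.permissions);
            log('[adminAuth] resolved ' + (usable ? 'user ' + user.username : 'no usable user'));
            return user;
        }, function(err) {
            log('[adminAuth] rejected: ' + (err && err.message));
            throw err;
        });
    };
}
```

If the log shows a resolved user and the editor still answers 401, the tokens function has done its part and the failure lies after it, which is the situation described in the follow-up above.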

In v2 we moved from the request library to the more maintained got library - so I'd guess it's something to do with that.

No - the request/got move isn't related to adminAuth.

Not sure what's going on here. I'm currently looking at the code as I know we don't do a good job logging this stuff (partly due to the fact we offload a lot of it to the passport framework).

Short of being able to recreate this - which would require more info on how to get it set up properly - it may be we add better logging/tracing to 2.1.5 and see what that reveals.

Managed to track down the actual issue and it is now fixed in git ahead of 2.1.5.
