Authentication using passport-jwt

I'm trying to set up authentication using the passport-jwt strategy, but am so far having no luck. I want to pass the JWT token as a query parameter for authentication.
I first tried using Passport's fromUrlQueryParameter extractor with a very simple verifier:

  type: "strategy",
  strategy: {
  	name: "jwt",
  	label: 'Authenticate via JWT token',
  	icon:"fa-cloud",
  	strategy: require("passport-jwt").Strategy,
  	options: {
  		secretOrKey : "<secret>",
  		jwtFromRequest: require('passport-jwt').ExtractJwt.fromUrlQueryParameter("token"),
  		verify: function(jwt_payload, done) {
  			console.log("JWT_PAYLOAD was :" + jwt_payload);
  			return done(null, "Andrew");
  		}
  	},
  },

I hit http://localhost:1880/auth/strategy?token=my_valid_token and I just get bounced to a login page with a button to log in. Clicking the button just lands me back at the login page. Nothing is logged from the verify function.

I thought I'd try to verify the strategy is getting invoked by replacing the extractor with my own function that includes some logging:

  type: "strategy",
  strategy: {
  	name: "jwt",
  	label: 'Authenticate via JWT token',
  	icon:"fa-cloud",
  	strategy: require("passport-jwt").Strategy,
  	options: {
  		secretOrKey : "<secret>",
  		jwtFromRequest: function(req) {
  			console.log("jwtFromRequest called with:" + req.query.token);
  			return req.query.token;
  		},
  		verify: function(jwt_payload, done) {
  			console.log("JWT_PAYLOAD was :" + jwt_payload);
  			return done(null, "Andrew");
  		}
  	},
  },

This DOES log my token, but I still see nothing logged from the verify function and I get bounced to the login panel.

Any suggestions about what I might be doing wrong?

I've also tried just hitting http://localhost:1880/?token=my_token and http://localhost:1880/auth/strategy/callback?token=my_token

Same result.

Hi @acoulson2000

the Strategy authentication type is only intended for OAuth/OpenID based strategies that require the user to be redirected to a 3rd party site to do the authentication. passport-jwt doesn't fit that model.

We are currently working on a new addition to the adminAuth configuration that can be used to validate requests using an externally generated token, rather than require it to use a token generated by Node-RED.

The current design assumes the token is provided by HTTP header - but I see you want to provide it via a query parameter. That is something we could consider incorporating into the design.

Hmm, timely proposal!

We don't strictly need the query parameter option, as we would be constructing the request from a service in the same domain, although it would certainly be nice.

How long would it typically take for a proposal like this to make its way into a release?

I guess for the time being, we can use a custom authenticator, post our JWT token in the password, and do our own validation.

There isn't really a 'typical' to cite 🙂

In this instance, we know there is a specific need for it from the team who have contributed the design and there is a PR already in-flight - Add admin api authentication function by KazuhiroItoh · Pull Request #2479 · node-red/node-red · GitHub

So it definitely will be in Node-RED 1.1.0. I just don't yet have a timescale for when that release will be - probably within the next 2 months.
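The workaround mentioned in the thread (a custom authenticator that receives the JWT in the password field and validates it itself), as an added example that is not code from the thread or from Node-RED. It assumes HS256 tokens whose `sub` claim is the username; `verifyHs256`, `USERS` and the `andrew` entry are hypothetical names, and the signature is checked with Node's built-in crypto module rather than a JWT library.

```javascript
// Added example (not from the thread): settings.js adminAuth using a JWT as the password.
const crypto = require("crypto");

const JWT_SECRET = "<secret>";                 // placeholder as on the page; load from a secret store
const USERS = new Map([["andrew", "read"]]);   // constructed allowlist: username -> permissions

// Verify a compact HS256 JWT. Returns the payload, or null on any failure.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
    if (typeof token !== "string") return null;
    const parts = token.split(".");
    if (parts.length !== 3) return null;
    const [h, p, s] = parts;
    let header, payload;
    try {
        header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
        payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
    } catch (e) {
        return null;
    }
    // Pin the algorithm instead of trusting the token's header ("none", key confusion).
    if (!header || header.alg !== "HS256") return null;
    const expected = crypto.createHmac("sha256", secret).update(h + "." + p).digest();
    const given = Buffer.from(s, "base64url");
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    // Require an expiry so a leaked token cannot be replayed forever.
    if (!payload || typeof payload.exp !== "number" || payload.exp <= nowSec) return null;
    return payload;
}

// In settings.js this object is the value of module.exports.adminAuth.
const adminAuth = {
    type: "credentials",
    // Looks up a user for an existing session; unknown names resolve to null.
    users: function (username) {
        const permissions = USERS.get(username);
        return Promise.resolve(permissions ? { username, permissions } : null);
    },
    // The "password" field carries the JWT; its sub claim must match the username.
    authenticate: function (username, password) {
        const payload = verifyHs256(password, JWT_SECRET);
        const permissions = payload && payload.sub === username ? USERS.get(username) : undefined;
        return Promise.resolve(permissions ? { username, permissions } : null);
    }
};
```

Posting the token in the login body also keeps it out of URLs, which end up in access logs and browser history.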
