Azure AD authentication example

Hello everyone. Today I wanted to set up external authentication for my Node-RED instance editor, using our company's Azure Active Directory. I could not find any guide on this specific task, so after searching around and a little bit of fiddling I got the integration working. I would like to share the configuration here, in case it is helpful to anyone who would like to do the same.

As described by the official guide for external security, Node-RED can use any Passport.js authentication plugin. There are multiple of them for Active Directory; I used the one named passport-azure-ad. It exposes many options; the ones in the code below worked for me, but you may need to change them according to the documentation I linked.

Here is the working config; don't forget to fill in your own values where needed:

```javascript
adminAuth: {
    type: "strategy",
    strategy: {
        name: "azuread-openidconnect",
        label: "Sign in with Azure",
        icon: "fa-windows",
        strategy: require("passport-azure-ad").OIDCStrategy,
        options: {
            // Tenant-specific OIDC metadata endpoint; replace the GUID with your tenant ID
            identityMetadata: "https://login.microsoftonline.com/###YOUR-TENANT-GUID###/v2.0/.well-known/openid-configuration",
            clientID: "###YOUR-APP-CLIENT-ID###",
            clientSecret: "###YOUR-APP-CLIENT-SECRET###",
            responseType: "code",
            responseMode: "query",
            // Must match a redirect URI registered on the app; the path is fixed by Node-RED
            redirectUrl: "http://localhost:1880/auth/strategy/callback",
            // Only needed because the redirect URL above is plain http; set to false behind HTTPS
            allowHttpForRedirectUrl: true,
            scope: ["email", "profile"],
            // Map the OIDC profile to the username that Node-RED passes to "users" below
            verify: function (profile, done) {
                profile.username = profile._json.preferred_username;
                done(null, profile);
            }
        },
    },
    // Every user that authenticated against the tenant gets full ("*") editor permissions
    users: function (user) {
        return Promise.resolve({ username: user, permissions: "*" });
    }
},
```

You need to register an Application in your Azure portal, link at aka.ms/appregistrations. You then use the clientID and clientSecret from there.

The function in the "users" field lets every user in the organization log in to the editor.
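As an added example that is not part of the original post: a stricter pair of `verify` and `users` callbacks for the same `adminAuth` block, which grants `"*"` only to an explicit allow-list and read-only access to everyone else in the tenant. The allow-list addresses are constructed placeholders, and `lookupUser` is a helper name chosen here.

```javascript
// Added example, not the original post's config or passport-azure-ad code.
// Usernames listed here are constructed placeholders for illustration.
const ADMIN_USERS = new Set([
  "alice@example.com",
  "bob@example.com",
]);

// Same role as the post's OIDCStrategy "verify" callback: the OIDC profile's
// preferred_username becomes the Node-RED username. Lower-casing avoids two
// editor accounts that differ only by case, and a missing claim is rejected
// instead of producing a user with an undefined name.
function verify(profile, done) {
  const upn = profile && profile._json && profile._json.preferred_username;
  if (typeof upn !== "string" || upn.length === 0) {
    return done(null, false);
  }
  profile.username = upn.toLowerCase();
  return done(null, profile);
}

// Synchronous policy decision (hypothetical helper): returns the Node-RED
// user record for a username, or null to deny access.
function lookupUser(username) {
  if (typeof username !== "string" || username.length === 0) {
    return null;
  }
  const name = username.toLowerCase();
  if (ADMIN_USERS.has(name)) {
    return { username: name, permissions: "*" };
  }
  // Everyone else authenticated by the tenant may view flows but not deploy.
  return { username: name, permissions: "read" };
}

// The adminAuth "users" callback: Node-RED calls it with the username set by
// "verify" and expects a promise resolving to the user record or to null.
function users(username) {
  return Promise.resolve(lookupUser(username));
}

module.exports = { verify, users, lookupUser, ADMIN_USERS };
```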
