Cannot POST /auth/strategy/callback

sg26565 · 11 October 2022 17:30

I'm trying to get OAuth/OpenID based authentication working for my Node-RED instance. I'm using Azure AD as identity provider and the passport-azure-ad module. My relevant sections of my settings.js look like this

   adminAuth: {
        type:"strategy",
        strategy: {
            name: "azuread-openidconnect",
            label: 'Sign in with Azure AD',
            icon: "fa-windows",
            strategy: require("passport-azure-ad").OIDCStrategy,
            options: {
                identityMetadata: "https://login.microsoftonline.com/<tenent id>/v2.0/.well-known/openid-configuration",
                clientID: "<client id>",
                responseType: "id_token",
                responseMode: "form_post",
                redirectUrl: "https://localhost:1880/auth/strategy/callback",
                issuer: "https://login.microsoftonline.com/<tenant id>/v2.0",
                scope: ['openid', 'profile', 'email'],
                verify: function(token, tokenSecret, profile, done) {
                    done(null, profile);
                }
            }
       },
       users: function(user) {
            return Promise.resolve({ username: user, permissions: "*" });
        }
    },

    https: {
      key: require("fs").readFileSync(require("path").join(__dirname,'key.pem')),
      cert: require("fs").readFileSync(require("path").join(__dirname,'cert.pem'))
    },

This works as far as it shows a login screen where I can click on the "Sign in with Azure AD" button. It then redirects to Azure AD for authentication and comes back with an identity token.
However, the final POST to /auth/strategy/callback fails with a HTTP 404 message. It seems that Node-RED is not listening on the redirect URL.

Any idea what I'm doing wrong?

TotallyInformation · 11 October 2022 19:01

Not sure but possibly if you turn on audit logging, you might get some more info.

I also note from another thread that someone used this:

callbackURL: "/auth/strategy/callback",

No idea if that helps, sorry.

sg26565 · 17 October 2022 13:22

Hi,

I solved my issue. It seems that Node-RED does not support POST messages from the identity provider, it has to be a GET. That renders the "form_post" response mode of OIDC unusable. On the other hand, it is bad practice to send sensitive information, such as an identity or access token, as a query string with a GET message as the query string may end up in log files, etc. In fact, our Azure Active Directory actively prohibits that.

As an alternative, I used the "code" response mode of OIDC, where the identity provider sends an authorization code instead of an identity token. The authorization code does not contain sensitive data and may therefore, be transmitted as query string with a GET method. Node-RED then uses a client secret to exchange the authorization code with an access token. This communication goes directly from the Node-RED server to the identity provider and does not hit the browser.

Therefore, my working configuration for Azure Active Directory is:

    adminAuth: {
        type:"strategy",
        strategy: {
            name: "azuread-openidconnect",
            label: 'Sign in with Azure AD',
            icon: "fa-windows",
            strategy: require("passport-azure-ad").OIDCStrategy,
            options: {
                identityMetadata: "https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration",
                clientID: "<client id>",
                clientSecret: "<client secret>",
                responseType: "code",
                responseMode: "query",
                redirectUrl: "https://localhost:1880/auth/strategy/callback",
                issuer: "https://login.microsoftonline.com/<tenant id>/v2.0",
                scope: ['openid', 'profile'],
                verify: function(token, tokenSecret, profile, done) {
                    profile.username = profile.displayName // use display name as username
                    done(null, profile);
                }
            }
       },
       users: function(user) {
           return Promise.resolve({ username: user, permissions: "*" });
       }

Feature request: If Node-RED would support POST messages as callback from the identity provider, then we could use identity tokens as well in a secure way and would not need client secrets.

knolleary · 17 October 2022 13:25

Could I get you to raise an issue on GitHub - node-red/node-red: Low-code programming for event-driven applications so this gets looked at?

sg26565 · 17 October 2022 13:25

Yes, will do.

system · 16 December 2022 13:26

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why would /auth/strategy/callback return a 404 General	3	535	9 February 2021
Cannot POST /auth/strategy/callback SAML General security	4	201	15 August 2024
How to achieve node-red Dashboard editor security using openid/oauth Dashboard	6	841	19 June 2021
Node Red Authentication General	0	346	10 January 2020
Is it possible to change the callback url? General security	2	466	9 August 2022

Cannot POST /auth/strategy/callback

Related topics