Cannot POST /auth/strategy/callback

I'm trying to get OAuth/OpenID based authentication working for my Node-RED instance. I'm using Azure AD as identity provider and the passport-azure-ad module. The relevant sections of my settings.js look like this:

    adminAuth: {
        type: "strategy",
        strategy: {
            name: "azuread-openidconnect",
            label: "Sign in with Azure AD",
            icon: "fa-windows",
            strategy: require("passport-azure-ad").OIDCStrategy,
            options: {
                identityMetadata: "https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration",
                clientID: "<client id>",
                responseType: "id_token",
                responseMode: "form_post",
                redirectUrl: "https://localhost:1880/auth/strategy/callback",
                issuer: "https://login.microsoftonline.com/<tenant id>/v2.0",
                scope: ["openid", "profile", "email"],
                verify: function(token, tokenSecret, profile, done) {
                    done(null, profile);
                }
            }
        },
        users: function(user) {
            return Promise.resolve({ username: user, permissions: "*" });
        }
    },

    https: {
        key: require("fs").readFileSync(require("path").join(__dirname, "key.pem")),
        cert: require("fs").readFileSync(require("path").join(__dirname, "cert.pem"))
    },

This works as far as showing a login screen where I can click on the "Sign in with Azure AD" button. It then redirects to Azure AD for authentication and comes back with an identity token.
However, the final POST to /auth/strategy/callback fails with an HTTP 404 message. It seems that Node-RED is not listening on the redirect URL.

Any idea what I'm doing wrong?

Not sure but possibly if you turn on audit logging, you might get some more info.

I also note from another thread that someone used this:

callbackURL: "/auth/strategy/callback",

No idea if that helps, sorry.

Hi,

I solved my issue. It seems that Node-RED does not support POST messages from the identity provider, it has to be a GET. That renders the "form_post" response mode of OIDC unusable. On the other hand, it is bad practice to send sensitive information, such as an identity or access token, as a query string with a GET message as the query string may end up in log files, etc. In fact, our Azure Active Directory actively prohibits that.

As an alternative, I used the "code" response mode of OIDC, where the identity provider sends an authorization code instead of an identity token. The authorization code does not contain sensitive data and may therefore be transmitted as a query string with a GET method. Node-RED then uses a client secret to exchange the authorization code for an access token. This communication goes directly from the Node-RED server to the identity provider and does not hit the browser.

Therefore, my working configuration for Azure Active Directory is:

    adminAuth: {
        type: "strategy",
        strategy: {
            name: "azuread-openidconnect",
            label: "Sign in with Azure AD",
            icon: "fa-windows",
            strategy: require("passport-azure-ad").OIDCStrategy,
            options: {
                identityMetadata: "https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration",
                clientID: "<client id>",
                clientSecret: "<client secret>",
                responseType: "code",
                responseMode: "query",
                redirectUrl: "https://localhost:1880/auth/strategy/callback",
                issuer: "https://login.microsoftonline.com/<tenant id>/v2.0",
                scope: ["openid", "profile"],
                verify: function(token, tokenSecret, profile, done) {
                    profile.username = profile.displayName; // use display name as username
                    done(null, profile);
                }
            }
        },
        users: function(user) {
            return Promise.resolve({ username: user, permissions: "*" });
        }
    },

Feature request: if Node-RED supported POST messages as the callback from the identity provider, then we could use identity tokens securely as well and would not need client secrets.

Could I get you to raise an issue on GitHub (node-red/node-red) so this gets looked at?

Yes, will do.