Custom Authentication And Replacing Application Tokens

We are using node-red as our job orchestration tool. We want to perform custom authentication to an API and reuse the JWT tokens generated after the API authentication in the node-red front end to perform some API calls to the API which we are authenticating to via node-red. I'm looking for some sample code to perform the replacement of the node-red generated tokens. Does anyone know a way to do it, like using localStorage or sessionStorage or cookies? Any method would be fine.

Hi and welcome to the forum.

It is a little bit unclear what your end goal is.

Do you have an external API that generates a JWT?

Then you want to store that token (in node-red) and re-use it for future calls to an external API?

PS, I must point out that localStorage/cookie storage are client-side mechanisms (node-red is server side & has no access to these).

Are you aware that JWT tokens aren't really a security mechanism? Also, they are meant to be very short lived since they are susceptible to replay attacks.

Honestly, if I were doing an API that I needed to secure, I would put the security layer separate to Node-RED.


Yes I have an API service running which is generating the tokens for me. I was able to obtain the token after logging in to node-red but what I'm noticing is node-red is generating its own token when it's sending the response back. I would like to replace the token with the JWT token I just obtained after logging into the API. Is it possible?

In Node-RED 1.1.0 we introduced the ability to use custom tokens when authenticating the editor.

That explains how to provide a custom function in the settings file to verify the access token used by the editor.

When you redirect a user to the Node-RED editor, if you include ?access_token=ABCDEF in the url, then the editor will use that as the token and the user won't have to log-in separately to the editor.

Yes, I get this. I had success in implementing the same too. Now I want to use the same token for my front end to use in my custom nodes to authenticate to another API which will return the JSON payload for the drop-down I had built in the custom node. If I pass the token I can pretty much access the same using

JSON.parse(localStorage.getItem("auth-tokens"))["access_token"]

How can I do the same when I pass the User Name and Password? I mean, when I pass the User Name and Password and authenticate to the API which returns me the token, how can I reuse the same token instead of a node-red-created token? Here is the flow diagram to simplify the ask -

Do you mean you want the user to login to Node-RED using its own login dialog, but to get back a custom token that you can then use with your own APIs?

That isn't an authentication flow we support today because it isn't one that anyone has asked for...

We can put something on the backlog to add support for that flow, but unless someone is interested in helping design/implement it, then it'll have to wait until we have the bandwidth to do it.

I should also highlight that we'll stop using localStorage for holding the token in the near future as it prevents you from running multiple node-red instances on the same domain... there's an issue on the backlog for that.

Oh, thanks very much for the heads-up. Thanks very much for your quick response.

I'll point out again that this type of scenario is easily achieved by putting Node-RED behind a reverse proxy that handles the authentication. You get a single authentication mechanism, a single user logon page, and any/all back-end URLs that you want are protected.

We don't have to make Node-RED do everything. It would surely be better to focus on more important developments.
