Custom Authentication/storing own token


I have the same needs of this person:

We have two different UIs. One for the entire system and Node-RED.
Basically, the idea is to delegate the authentication entirely to an external API (same that works for the main UI).
That way, if you come through the main UI, or login via Node-RED, you end up with the same token and authentication methods.

There are 2 possible flows, i.e:

1 - noderedwebserver:1880/?access_token=<ACCESS_TOKEN>
token gets check via settings.adminAuth.tokens()

2- noderedwebserver:1880 --> login via Node-RED editor
Credentials get checked via settings.adminAuth.authenticate()
A token is received (from the external API) and returned back via settings.adminAuth.authenticate() resolve(possibly) for subsequent checks via settings.adminAuth.tokens()

All that is needed is to store the token when the settings.adminAuth.authenticate() resolves. I'm not entirely sure, but it should be possible to send a token together with username and permissions, that then get stored (on localStorage.auth-tokens) instead of the Node-RED token, and used in settings.adminAuth.tokens().

I'm willing to make the changes myself, if possible, with a little guidance. It should not be a breaking change, as if the return from settings.adminAuth.authenticate() resolves no token, life goes on as it is today.

Thanks for your help and guidance.

Yesterday I tried it out and the solution seems fairly easy, and non-breaking.

What I've done is returning a token with user, on settings.adminAuth.authenticate()

    const user = { username: "admin", permissions: '*', token:token };

Then, I changed
-> Users.authenticate(username,password) function to check for the token. If found, call done with the user.token instead of calling Tokens.create().

In addition, this solution is future proof, if you decide to change where the token is stored (since @knolleary mentioned this was something they would planning on changing in the near future), as it uses the same mechanism to save the token as it is done today.

Please let me know if this could be a solution so I can work on it, test it more, and open a PR.


There is a very easy way to do this without needing any changes to Node-RED. Use an external reverse proxy to do the authentication. I've been writing some documentation on using NGINX to do this recently and I've already shared drafts in this forum. My doc is aimed at uibuilder but it equally works for any Node-RED installation along with Dashboard, uibuilder and other non-NR web apps.

Thank you, I've seen your comments in the past and given some thought to it.

This is a different approach to what we are trying to achieve, and it seems natural for Node-RED to work the way I'm proposing.

  • You can authenticate via external API with user/pass.
  • You can validate a token via external API.
  • But you can't save your token when you authenticate via external API, so you can then validate the token via external API.

IMO, it's just a part of Node-RED that is missing, although there are other (maybe better?) ways to put your system under token/password protection.

It's something that we know needs improving, but I'm unlikely to be able to dedicate time to figure out the necessary changes as I don't have a personal use for it.

If you wanted to propose a PR with an explanation of what it enables that would be welcome.

Please target the dev branch.

Thanks, will do.

To be clear, my proposal is for storing user Token instead of Node-RED own token when needed, not to tackle the where to store the token (which is a different story entirely).

PR opened:

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.