Dashboard Authelia Auth

kitori · 2 August 2024 06:55

Edit /etc/hosts

  127.0.0.1  red.example.com
  127.0.0.1  auth.example.com

make ssl certs with ssl-cert (im on debian)

make-ssl-cert generate-default-snakeoil -y

set up nginx with the authelia templates

node.red.conf

server {
    listen 443 ssl http2;
    server_name red.example.com;

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    include /etc/nginx/snippets/authelia-location.conf;

    location / {

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        include /etc/nginx/snippets/authelia-authrequest.conf;
        proxy_pass http://127.0.0.1:1880;
    }
}

authelia.conf

    listen 80;
    server_name auth.*;

    return 301 https://$server_name$request_uri;
}


server {
listen 443      ssl;
server_name auth.example.com;

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;


 set $upstream http://127.0.0.1:9091;

    location / {
        include /etc/nginx/snippets/proxy.conf;
        proxy_pass $upstream;
    }

    location = /api/verify {
        proxy_pass $upstream;
    }

    location /api/authz/ {
        proxy_pass $upstream;
    }


}


---

compose.yml

  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    ports:
      - 9091:9091
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin

Fire up the Docker container the, then shut it down. Edit config file configuration.yml and users.yml

configuration.yml

server:
  address: 'tcp://:9091/'
logs_level: 'debug'
jwt_secret: insecure_secret
authentication_backend:
  file:
    path: /config/users.yml
totp:
  issuer: example.com
session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://www.red.example.com'
storage:
  encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
  local:
    path: /config/db.sqlite
access_control:
  default_policy: bypass
  rules:
    - domain: "red.example.com"
      policy: one_factor
notifier:
  filesystem:
    filename: /config/emails.txt

users.yml

# yamllint disable rule:line-length
---
###############################################################
#                         Users Database                      #
###############################################################

# This file can be used if you do not have an LDAP set up.

users:
  dummy:
    disabled: false
    displayname: "Dummy Mc DumFace"
    password: "$argon2id$v=19$m=65536,t=3,p=4$Ah5oxLLndG463TwN849ozA$D56LkvAl0jPTTlHr4ThCv4RDFWnu0lSp3yJJoUZdxA4"  
    email: authelia@authelia.com
    groups:
      - admins
      - dev
...
# yamllint enable rule:line-length

joepavitt · 2 August 2024 18:20

there will be many many more!

Pepex7 · 9 August 2024 00:47

thanks @kitori
After more than 7 days struggling with the Authelia configuration, I am stuck on an error that I cannot solve.

I think Authelia is ok, but I try to click on the dashboard 2.0 button and it shows me an error.

9 Aug 00:43:51 - [warn] Encrypted credentials not found
9 Aug 00:43:51 - [info] Server now running at http://127.0.0.1:1880/
9 Aug 00:43:51 - [info] Starting flows
9 Aug 00:43:51 - [info] [ui-base:My Dashboard] Node-RED Dashboard 2.0 (v1.14.0) started at /dashboard
9 Aug 00:43:51 - [info] [ui-base:My Dashboard] Created socket.io server bound to Node-RED port at path /dashboard/socket.io
9 Aug 00:43:51 - [info] Started flows
node-red-dashboard-2-authelia-auth: msg._client is not found, not adding user info. This sometimes happens when the editor is refreshed with stale connections to the dashboard.
node-red-dashboard-2-authelia-auth: Session is not authenticated by Authelia; no user detected. See headers: {"host":"192.168.1.101:1880","connection":"keep-alive","accept":"*/*","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"http://192.168.1.101:1880/dashboard/page1?reloadTime=17231640308560.10454975441995651","accept-encoding":"gzip, deflate","accept-language":"es-419,es;q=0.9","cookie":"authentik_csrf=Xw7UZyLJ3UhcJiaa4RkvamXJkB8zyH5K"}
9 Aug 00:44:09 - [red] Uncaught Exception:
9 Aug 00:44:09 - [error] TypeError: Cannot read properties of undefined (reading 'split')
    at Object.onAddConnectionCredentials (/root/.node-red/node_modules/@aikitori/node-red-dashboard-2-authelia-auth/index.js:42:49)
    at /root/.node-red/node_modules/@flowfuse/node-red-dashboard/nodes/utils/index.js:43:36
    at Array.forEach (<anonymous>)
    at addConnectionCredentials (/root/.node-red/node_modules/@flowfuse/node-red-dashboard/nodes/utils/index.js:41:55)
    at onAction (/root/.node-red/node_modules/@flowfuse/node-red-dashboard/nodes/config/ui_base.js:508:19)
    at Socket.emit (node:events:517:28)
    at Socket.emitUntyped (/root/.node-red/node_modules/socket.io/dist/typed-events.js:69:22)
    at /root/.node-red/node_modules/socket.io/dist/socket.js:704:39
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)

Could someone shed some light on the way for me?

cgjgh · 9 August 2024 03:43

Based on the headers from debug, Authelia headers seem to be missing…

This however is confusing: [quote="Pepex7, post:23, topic:89784"]
"cookie":"authentik_csrf=Xw7UZyLJ3UhcJiaa4RkvamXJkB8zyH5K"}
[/quote]

Seems to be a cookie from Authentik, not Authelia🤔

kitori · 9 August 2024 06:35

Did you set the ticks to send client data?

What are the Authelia logs say? You can try to change the logging to debug too see if there is any error

Pepex7 · 9 August 2024 13:24

I don't know why it is, I only ran Authelia in Docker.

Pepex7 · 9 August 2024 13:47

yes

Log

time="2024-08-09T01:30:35+02:00" level=info msg="Authelia v4.38.10 is starting"
time="2024-08-09T01:30:35+02:00" level=info msg="Log severity set to debug"
time="2024-08-09T01:30:35+02:00" level=info msg="Storage schema is being checked for updates"
time="2024-08-09T01:30:35+02:00" level=info msg="Storage schema is already up to date"
time="2024-08-09T01:30:36+02:00" level=debug msg="Create Server Service (metrics) skipped"
time="2024-08-09T01:30:36+02:00" level=info msg="Startup complete"
time="2024-08-09T01:30:36+02:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2024-08-09T02:15:26+02:00" level=error msg="Error occurred retrieving user session" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'http://192.168.1.101:9091/api/state'" method=GET path=/api/state remote_ip=192.168.1.85 stack="github.com/authelia/authelia/v4/internal/handlers/handler_state.go:16  StateGET\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54      handleRouter.(*BridgeBuilder).Build.func5.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:65     SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91     SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30     SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.2/router.go:441                        (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38      RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2379                     (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224                  (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196                  (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                               goexit"
time="2024-08-09T02:19:44+02:00" level=error msg="Error occurred retrieving user session" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'https://192.168.1.101/api/state'" method=GET path=/api/state remote_ip=192.168.1.85 stack="github.com/authelia/authelia/v4/internal/handlers/handler_state.go:16  StateGET\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54      handleRouter.(*BridgeBuilder).Build.func5.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:65     SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91     SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30     SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.2/router.go:441                        (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38      RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2379                     (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224                  (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196                  (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                               goexit"
time="2024-08-09T02:22:09+02:00" level=error msg="Error occurred retrieving user session" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'http://192.168.1.101:9091/api/state'" method=GET path=/api/state remote_ip=192.168.1.85 stack="github.com/authelia/authelia/v4/internal/handlers/handler_state.go:16  StateGET\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54      handleRouter.(*BridgeBuilder).Build.func5.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:65     SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91     SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30     SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.2/router.go:441                        (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38      RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2379                     (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224                  (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196                  (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                               goexit"
time="2024-08-09T02:22:11+02:00" level=error msg="Error occurred retrieving user session" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'http://192.168.1.101:9091/api/state'" method=GET path=/api/state remote_ip=192.168.1.85 stack="github.com/authelia/authelia/v4/internal/handlers/handler_state.go:16  StateGET\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54      handleRouter.(*BridgeBuilder).Build.func5.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:65     SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91     SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30     SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.2/router.go:441                        (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38      RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2379                     (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224                  (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196                  (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                               goexit"
time="2024-08-09T02:35:44+02:00" level=error msg="Error occurred retrieving user session" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'http://192.168.1.101:9091/api/state'" method=GET path=/api/state remote_ip=192.168.1.85 stack="github.com/authelia/authelia/v4/internal/handlers/handler_state.go:16  StateGET\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54      handleRouter.(*BridgeBuilder).Build.func5.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:65     SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91     SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30     SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.2/router.go:441                        (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38      RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2379                     (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224                  (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196                  (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                               goexit"
time="2024-08-09T02:35:50+02:00" level=error msg="Request timeout occurred while handling request from client." error="read tcp 172.22.0.2:9091->192.168.1.85:50725: i/o timeout" method=GET path=/ remote_ip=192.168.1.85 stack="github.com/authelia/authelia/v4/internal/server/handlers.go:86 CreateDefaultServer.handleError.func2\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2870             (*Server).writeErrorResponse\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2308             (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224          (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196          (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                       goexit" status_code=408
time="2024-08-09T02:50:06+02:00" level=debug msg="Shutdown initiated due to process signal" signal=terminated
time="2024-08-09T02:50:06+02:00" level=info msg="Shutdown initiated"
time="2024-08-09T02:50:06+02:00" level=info msg="Shutdown complete"

Pepex7 · 9 August 2024 14:00

/etc/nginx/sites-available/auth.conf

server {
listen 443      ssl;
listen [::]:443 ssl;
server_name auth.*;

#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

ssl_certificate /etc/ssl/certs/localserver.crt;
ssl_certificate_key /etc/ssl/private/localserver.key;

 set $upstream http://127.0.0.1:9091;

    location / {
        include /etc/nginx/snippets/proxy.conf;
        proxy_pass $upstream;
    }

    location = /api/verify {
        proxy_pass $upstream;
    }

    location /api/authz/ {
        proxy_pass $upstream;
    }
}

/etc/nginx/sites-available/red.conf

server {
    listen 443 ssl http2;
    server_name red.local.server;

#    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_certificate /etc/ssl/certs/localserver.crt;
ssl_certificate_key /etc/ssl/private/localserver.key;


    include /etc/nginx/snippets/authelia-location.conf;

    location / {
        include /etc/nginx/snippets/proxy.conf;
        include /etc/nginx/snippets/authelia-authrequest.conf;
        proxy_pass http://127.0.0.1:1880;
    }
}

nano /etc/hosts

127.0.0.1       localhost
127.0.0.1       red.local.server
127.0.0.1       auth.local.server

I don't know what else to do... what could it be that I'm missing?

kitori · 13 August 2024 07:06

Hmm...
i looks like you access authelia via ip, and not by domain name.
Check the authelia configuration.
What happen when you ping (auth|red).example.com?

access_control:
  default_policy: deny
  rules:
    - domain:
        - "auth.example.net"
      policy: bypass

session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://www.red.example.com'

Pepex7 · 13 August 2024 22:40

Apparently it is a problem in the new Authelia update. I was talking to Authelia support and they were doing some testing.

These days they published something about node-red, but they are still looking into it.

kitori · 14 August 2024 07:31

Cool This is for the Admin Auth, so not the Dashboard. I Use it like so:

Set the Admin on a seperat path /admin:

httpAdminRoot: '/admin',

So i have these two path:

http://board.example.com/admin
http://board.example.com/dashboard

and these ACL roules:

access_control:
  default_policy: deny
  rules:
    - domain:
        - "auth.example.com"
      policy: bypass
    - domain:
        - "board.example.com"
      policy: one_factor
      subject:
        - ['group:admins']
      resources:
       - '^/admin/.*$'
       - '^/admin$'
       - '^/admin/'
    - domain:
        - "board.example.com"
      policy: one_factor
      subject:
        - ['group:admins']
        - ['group:test']
      resources:
       - '^/dashboard/.*$'
       - '^/dashboard$'
       - '^/dashboard/'

Pepex7 · 23 August 2024 22:51

I had a hard time (4 weeks ) configuring Authelia to use with node-red, although I have not yet been able to transfer user data to Dashboard 2.

I am not an expert but I am leaving it here because it may be useful to someone.

I'm on Debian

First update.

apt-get update && apt-get upgrade

edit file /etc/hosts

nano /etc/hosts
127.0.0.1       red.local.server
127.0.0.1       auth.local.server

Create the certificates
I initially created them with openssl, but it didn't work for me (it gave me problems later).

I did it like this:

wget https://dl.smallstep.com/cli/docs-cli-install/latest/step-cli_amd64.deb
sudo dpkg -i step-cli_amd64.deb

step-cli certificate create "Smallstep Root CA" ca-cert.pem ca-key.pem \
  --no-password --insecure \
  --profile root-ca \
  --not-before "2024-01-01T00:00:00+00:00" \
  --not-after "2034-01-01T00:00:00+00:00" \
  --kty EC --crv P-256

step-cli certificate create "Smallstep Leaf" cert.pem key.pem \
  --no-password --insecure \
  --profile leaf \
  --ca ca-cert.pem \
  --ca-key ca-key.pem \
  --not-before "2024-01-01T00:00:00+00:00" \
  --not-after "2034-01-01T00:00:00+00:00" \
  --san "local.server" \
  --san "*.local.server" \
  --kty EC --crv P-256

This will create the certificates in the current directory.

ca-cert.pem  ca-key.pem  cert.pem  key.pem  step-cli_amd64.deb

Then, when nginx is installed, they must be copied to the corresponding directory.

Install nginx

apt-get install nginx

copy the certificate and key files created earlier.

cp cert.pem /etc/ssl/certs/
cp key.pem /etc/ssl/private/

create the configuration files for node-red and authelia

nano /etc/nginx/sites-available/red.conf

server {
    listen 443 ssl http2;
    server_name red.server.local;

ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;

    location / {
        #include /etc/nginx/snippets/proxy.conf;
        #include /etc/nginx/snippets/authelia-authrequest.conf;
        proxy_pass http://127.0.0.1:1880;
    }
}

nano /etc/nginx/sites-available/auth.conf

server {
listen 443      ssl;
listen [::]:443 ssl;
server_name auth.*;

ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;

 set $upstream http://127.0.0.1:9091;
 #set $upstream http://192.168.1.101:9091;
    location / {
        include /etc/nginx/snippets/proxy.conf;
        proxy_pass $upstream;
    }

    location = /api/verify {
        proxy_pass $upstream;
    }

    location /api/authz/ {
        proxy_pass $upstream;
    }
}

Check syntax in nginx

nginx -t

Install Docker
Install Docker Engine on Debian | Docker Docs

apt install ca-certificates curl gnupg
apt install docker
apt install docker-compose

Install Authelia (with docker)

nano docker-compose.yml

copy this

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    ports:
      - 9091:9091
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin

run docker-compose

docker-compose up -d

Config Authelia
create a backup of authelia/configuration.yml and in a new file copy this, replace as appropriate:

nano authelia/configuration.yml

server:
  address: 'tcp://:9091/'
logs_level: 'debug'
jwt_secret: insecure_secret
authentication_backend:
  file:
    path: /config/users.yml
totp:
  issuer: local.server
session:
  cookies:
    - domain: 'local.server'
      authelia_url: 'https://auth.local.server'
      default_redirection_url: 'https://red.local.server:1880'
storage:
  encryption_key: 'p1FV3ic10gP578miGW2WAbvNvUlx776tJPr1lCbfhWupHgVaEstxkNdVu9ZsUMRa'
  local:
    path: /config/db.sqlite
access_control:
  default_policy: bypass
  rules:
    - domain: "local.server"
      policy: one_factor
notifier:
  filesystem:
    filename: /config/emails.txt

identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc

    jwks:
      - key_id: 'example'
        algorithm: 'RS256'
        use: 'sig'
        key: |
          -----BEGIN PRIVATE KEY-----
          MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCGMIKnLKo+wn6P
          dMrMHOfeCtImn7X25dwP+XSVY6rN0fgAJWVyO7lJg2B1X4JHS+Ea1ihQupHR6ko/
          0mcv62cMMql/b3BD8LExD8dfK/STGhUFc2DvVwoepiohGRoQqesl8Xwon4be4jc3
          /h7baxF3DxRT43DJHAswa0tEQYKbBoigzTj2pkwvfjMH50eapgRBACUFloi+OSRB
          zDsLj/g7FN/6jsZI0oKkvtsXj9SeEUFj5aSGBHv+oz9DCPbni7hbSdNf4h6cTJf/
          bs4i/oP70rojzUghmXg2lx+QotoGiy+GMOG8a+SLa4niy1qXg83iLNaRPR9C1bJF
          Gub4YVyjgxujPB9i7zVqxzimDqTGLqCJ+O+1zP9EupuXa6HWRwxS7BhDrjT97AQ/
          hyXGfYqvw4pGw1ncfh73kf4+okJ01txCtdAk0O7SgjmNbs7BEXHgAABT1RvGlBiL
          KihsSEOMZ/o/MCck/qzfwraAQ4L6o56dioBTGd/8lLEzi7z4XXbl925D7ThCR/ba
          h6hj8Fi4+sisJ5vKrt9p0gxZXBtUCt7LnzpFC7iPjqkVjS/T0aide1CvkJR+t9Jd
          nRXtBEWiQIhj3NoqtlLHd2StNFdXRtePJCiH1h/yDdk7kkakCBi3z5mTQUCF3tss
          gSiasD171GwZFqeyRysRmN29XmWRLQIDAQABAoICACd1zHXspIOgHieBaMFtHqIk
          /HdvL8tS/MuVx7rGfEvaGtuwI4zcEziS8aKSW3Ur0x5ZK7HRq1/XTc5GySFGUB8+
          Jqna02CnPvP2d+J8wocffF8F9tNq/QbWRj1FbGzKCuQ1hxVLFBYm36YPjHNpoNEq
          Fgg1Mc1x+bhbVN7VhNqhqTvgHYgqjuzIZ6lDUcMgXs/egwSJp9yIYSkYLaTQyWZW
          VScRJS30+YYIudTL7vIskNYXibH/T5cp2kiUMkcUxznRE992VxoPTANJSkTwI0/C
          QAqXK0b2ImurNRULTqHt/COx7C/Eaoi1Lu8KbbFwiPKhzNcY6kB1Jt87cgBIYT0n
          JQiTmj7rWojfwMKd62VNIVoQHHKgyjuWC9Tr6iEPTPWbdpI0NJ7Peno+MpwgxEY4
          g5odiEywDfIfe+yxotldL40jGfKXbJnLjC86oYMA/avoR995TDOEjmp4z7ZU7jVk
          wEt+ZOyeNscYIcPfXMwNo586v5+O8wo4BK3uPL3fGUU6GsJfal8xtyFOawUr+/vF
          Mh+fBlbw24fpLiGincxQeUG8e5ZP3veic1XAu9WFMxOI8rT7E4timKcQSTCnRqFC
          qnpIp5b5gxmFr09ciShSOfEG27YxIvTqakQAuxC6KkoliOkZdi1d1SvhYiMq3r86
          l+UsAjPerW/7C5oeR4LhAoIBAQC7gpRNYSJ1CDQaUVbcuGu9c46EWz2CJGvDdEtP
          DMU++aL6QA7r4hfZGT+PpqHbkJiik9SvgU2i8NCyfyK3K99z6zCIQFU6Fq84MGC5
          b8fsID1GeUKLgAxJ1keJ0jsPkswjUf0sTbcyKHuVCeTEcaPBGfIkeJZxgydr/Bwp
          HUcw7lCdQyp3PNnh56AJpNzOLQBQsGN5IXREkM06sNAPh6MixbsAzrtUnBZDllMW
          8ptNBtSshRxdWqtGvnk7yzI4ed+85wRTX/3rx9qCX3cH88+14WYXgYv5+oR9sLv5
          3naxZm+lL+SlMO8pZfvn1bvxdKgbxNvelO/942MvJV+dwl7HAoIBAQC3NBt2uprx
          fxcVV+wQeaWsR1jzskt74t2jNZqlrkrSikewpYwTGm4mIqlZaVPFW97Za4SozUOd
          Fa5mKgn9zCfuCNgezXohpCgRvZTCwD1xZd4n49fH6Y7sL5LpofkM2P7tVeWUQyAu
          c4fK8JDaxKy3lxhziqDwzZFRvdUkNXnB2gibvGoyHrUR6tg6DQtYI8EmdOLBUH6z
          mWoNIPH2nQ6NRVlxSqn5kKGoBLrBqyAQDEFeYwjeT4ZsB4r+/ZEGyMb10ajSCJRI
          H8RaLTUqeBTAbvGsT3VCks3FTZtl1e7Ik2gnm/cNkJ0jTiqqxyxcWs/Fhfr2TTVB
          t7StJyKkdGxrAoIBAQCLrXqxpYDYcxL049BzvMEtMA5i0+CeuGi6AUA0E4w/HBBm
          oB89YX9oTiGF7Ze2iiDZQov1bLmbfg3IWWJP1lOu8uyFIn8aNVmy3n6+w+DGKUHb
          5GpIpksBGajSppMuR6jfSqzwOrgTmgps/CC4oPpd1ukEd/uBdTSBgRytF803St8s
          NqNEjUS0vij95hxBTU5lzO9chSoqBT+Lz7g9SUmhlm9164mqPldrY2hjuLctCsCT
          /tghRnA905dVjkjLvyWGfwQ+40uwPoCsC1cMynbYwp2dNvhBb3cQdf2g5TG/dlIG
          WAXXc/tD+F9M1G8bL04m2V77kDCyDJeOwCVYzDhzAoIBABWRyPn9lmiAchNNOrnl
          2J+j9tEaWNDJMRcaJI8FKkIHjdE6bHeDURykUBP61qYR3vbyNbg6Eo/YEaRtpqd+
          9eSMngViY9K6JQ2RqIYVZCaJu9IufSVIVk9wenePXmco1TrUNidyj8NoTsCR+jwH
          k945p+NSmwg+67EYDJQqx58PMJxFXqtv+hmV8MdE6eUCsKb6dAgWlhRHJ7lL+7Dx
          ZNk1JQa1p7V+VcoWZHaQ00GQb9HRDyY9brIhYTgMWprV4LbobFvuLqcfNlr3n57U
          bH0LkuCaqk+gQSHNtVIUEf0DfevL7RZnxFh3x4Y71Pk6p+O1loqRJIgMPPV1+hoq
          qukCggEAeKevvz2R6+zbsihf+cUM8mjTNPnuWD+1BV7XK/pn1p2o3CWVycGPAgTz
          rcIQZBu7Qt9Rzs2jHk+StYUU6AB4vkSqMN+Np9HQzjPoLmgiPGjqJESb/lvEDf8G
          Hewb2RAv3hjSG0cSnpP0xahPRuKpHIn0Jh156iDgEsRUwMooDzuxp1S6e4T6kfqj
          q8zZe96sXrueTsBw2FO4DNnaCS7iQTC6nnjqCmh4IDrXHoEgLolVa3sK5bIbRb8m
          7kFjn8oicHcPObwsS615tTqaF1mGnZBxqDFucpcHNzfkthn9kRpK4lRCO827zmqq
          F+yGFKHafzBYyQjrQPFjTu0FbiYywQ==
          -----END PRIVATE KEY-----

    clients:
      - client_id: 'node-red'
        client_name: 'Node-RED'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        authorization_policy: 'one_factor'
        #require_pkce: true
        #pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://red.local.server:1880/auth/strategy/callback/'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
          - 'groups'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'

configure users

nano authelia/users.yml

# yamllint disable rule:line-length
---
###############################################################
#                         Users Database                      #
###############################################################

# This file can be used if you do not have an LDAP set up.

users:
  admin:
    disabled: false
    displayname: "Administrador"
    password: "$argon2id$v=19$m=65536,t=3,p=4$6xP4KjN/4bocHuf2k3p8Ug$EXMEJt4W/qKjS9O4rGYFt4eU5mKrMzkcMeOdGE0IlUQ" # is admin in this case.
    email: authelia@authelia.com
    groups:
      - admins
      - dev
...
# yamllint enable rule:line-length

generate hash password
docker run -it authelia/authelia:latest authelia crypto hash generate argon2

Down docker compose and up

docker-compose down
docker-compose up -d

At this point it is important to see the Authelia logs to know if it is running correctly and the configuration is correct (I didn't know this haha)

docker logs authelia -f

if all goes well, it will look something like this.

time="2024-08-24T00:25:52+02:00" level=info msg="Authelia v4.38.10 is starting"
time="2024-08-24T00:25:52+02:00" level=info msg="Log severity set to debug"
time="2024-08-24T00:25:52+02:00" level=debug msg="Registering client node-red with policy one_factor (one_factor)"
time="2024-08-24T00:25:52+02:00" level=info msg="Storage schema is being checked for updates"
time="2024-08-24T00:25:52+02:00" level=info msg="Storage schema is already up to date"
time="2024-08-24T00:25:52+02:00" level=debug msg="Create Server Service (metrics) skipped"
time="2024-08-24T00:25:52+02:00" level=info msg="Startup complete"
time="2024-08-24T00:25:52+02:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server

Install Node-RED

apt install nodejs
apt install npm

check versions

nodejs -v
v18.19.0
npm -v   
9.2.0

npm install -g --unsafe-perm node-red

then enter the address created in hosts

https://red.local.server:1880/

The logs de authelia (docker logs authelia -f) will look something like this

time="2024-08-24T00:25:52+02:00" level=info msg="Authelia v4.38.10 is starting"
time="2024-08-24T00:25:52+02:00" level=info msg="Log severity set to debug"
time="2024-08-24T00:25:52+02:00" level=debug msg="Registering client node-red with policy one_factor (one_factor)"
time="2024-08-24T00:25:52+02:00" level=info msg="Storage schema is being checked for updates"
time="2024-08-24T00:25:52+02:00" level=info msg="Storage schema is already up to date"
time="2024-08-24T00:25:52+02:00" level=debug msg="Create Server Service (metrics) skipped"
time="2024-08-24T00:25:52+02:00" level=info msg="Startup complete"
time="2024-08-24T00:25:52+02:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2024-08-24T00:40:52+02:00" level=debug msg="Authorization Request with id 'f3a3327c-d5ea-48c2-bd11-efab0c96a4dc' on client with id 'node-red' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:13+02:00" level=debug msg="Mark 1FA authentication attempt made by user 'admin'" method=POST path=/api/firstfactor remote_ip=192.168.1.84
time="2024-08-24T00:41:13+02:00" level=debug msg="Successful 1FA authentication attempt made by user 'admin'" method=POST path=/api/firstfactor remote_ip=192.168.1.84
time="2024-08-24T00:41:14+02:00" level=debug msg="Authorization Request with id '253ec8c9-baf3-4352-bb70-d6dbf9d752b6' on client with id 'node-red' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:14+02:00" level=debug msg="Authorization Request with id '253ec8c9-baf3-4352-bb70-d6dbf9d752b6' on client with id 'node-red' using consent mode 'explicit' proceeding to generate a new consent session" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:14+02:00" level=debug msg="Authorization Request with id '253ec8c9-baf3-4352-bb70-d6dbf9d752b6' on client with id 'node-red' using consent mode 'explicit' authentication level 'one_factor' is sufficient for client level 'one_factor'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:14+02:00" level=debug msg="Authorization Request with id '253ec8c9-baf3-4352-bb70-d6dbf9d752b6' on client with id 'node-red' using consent mode 'explicit' is being redirected to 'https://auth.local.server/consent?id=e9231d68-2f03-4730-b7d4-512971f6acc6'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:17+02:00" level=debug msg="Authorization Request with id 'ae1efea8-4019-4932-8618-a96beffbb03b' on client with id 'node-red' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:17+02:00" level=debug msg="Authorization Request with id 'ae1efea8-4019-4932-8618-a96beffbb03b' on client with id 'node-red' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=192.168.1.84
time="2024-08-24T00:41:18+02:00" level=debug msg="Access Request with id 'ae1efea8-4019-4932-8618-a96beffbb03b' on client with id 'node-red' is being processed" method=POST path=/api/oidc/token remote_ip=127.0.0.1
time="2024-08-24T00:41:18+02:00" level=debug msg="Access Request with id 'ae1efea8-4019-4932-8618-a96beffbb03b' on client with id 'node-red' has successfully been processed" method=POST path=/api/oidc/token remote_ip=127.0.0.1

This is as far as I go, I'm sure there are things that can be done much better.
thanks to @kitori @joepavitt for all help.

I still can't get the user data to dashboard 2 with the plugins.
@aikitori/node-red-dashboard-2-authelia-auth/node-red-dashboard-2-authelia-auth

Pepex7 · 28 August 2024 03:07

I can't get user data to reach node-red (dashboard 2).
I have added the proxy_set_header to my /etc/nginx/sites-available/red.conf file

server {
    listen 443 ssl http2;
    server_name red.server.local;

#ssl_certificate /etc/ssl/certs/localserver.crt;
#ssl_certificate_key /etc/ssl/private/localserver.key;

ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;

    include /etc/nginx/snippets/authelia-location.conf;

    location / {
        #include /etc/nginx/snippets/proxy.conf;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        include /etc/nginx/snippets/authelia-authrequest.conf;
        proxy_pass http://127.0.0.1:1880;
    }
}

node-red says:
node-red-dashboard-2-authelia-auth: Session is not authenticated by Authelia; no user detected.

node-red-dashboard-2-authelia-auth: Session is not authenticated by Authelia; no user detected. See headers: {"host":"red.local.server:1880","connection":"keep-alive","sec-ch-ua":"\"Not)A;Brand\";v=\"99\", \"Google Chrome\";v=\"127\", \"Chromium\";v=\"127\"","accept":"*/*","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"macOS\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://red.local.server:1880/dashboard/page1","accept-encoding":"gzip, deflate, br, zstd","accept-language":"es-419,es;q=0.9"}

debug

msg : Object
object
_event: object
_client: object
user: object
host: "red.local.server:1880"
agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
userId: null
name: null
email: null
groups: null
provider: "Authelia"
socketId: "iy1kNPeA0sN07CnwAAAD"
socketIp: "192.168.1.86"
topic: ""
payload: "Hola"
_msgid: "909eb5e327bfbf89"

kitori · 28 August 2024 07:15

Use the location really using Authelia? if you are logged out, do you get redirect to the authelia log-in site?

Pepex7 · 28 August 2024 13:12

yes, go back there.

Pepex7 · 29 August 2024 21:58

someone light my way?

Topic		Replies	Views
Dashboard 2 HTTP Basic Auth Share Your Nodes dashboard-2	4	165	27 August 2024
Changes to Multi Tenancy in Dashboard 2.0 Dashboard dashboard-2	1	102	24 July 2024
Implementing Multi-User and Multi-Tenant Management in Node-RED Dashboard Without Enable FlowFuse User Authentication Dashboard dashboard-2	5	159	26 September 2024
Survey on a New User Management Application for Node-RED General node-red-dashboard , security , docker	12	621	24 October 2023
Dashboard auth via node-red-contrib-users Dashboard	1	497	13 July 2020

Dashboard Authelia Auth

Related topics