Help with adminAuth config for OpenID based authentication

#1

Hi,
Editing this topic as I need help working this out. This post describes the problem I'm having. Is there more documentation on adminAuth anywhere, or am I just missing something?

Any help here is much appreciated

Thanks

-------------------------------------------------Old Posts-------------------------------------------------
Hi,
I'm looking at using keycloak for authenticating my logon to my node-red.

Question: has anybody done this and is willing to share?

So what I plan on doing is using either keycloak-passport or passport-openidconnect

Current play config for :

adminAuth: {
    type:"strategy",
    strategy: {
        name: "keycloak",
        label: 'Sign in with KeyCloak',
        icon:"fa-key",
        strategy: require("keycloak-passport").Strategy,
        options: {
            host: "https://auth.example.com",
            realm: "MyRealm",
            clientID: "node-red",
            clientSecret: "433abd41-c893-48ea-aabb-ca22c8fc290c",
            callbackURL: "http://example.com/auth/strategy/callback",
            verify: function(accessToken, refreshToken, profile, done) {
                done(null, profile);
            }
        },
    },
    users: [
       { username: "*",permissions: ["*"]}
    ]
};

Disclaimer: as of writing I have not tested any of this, just putting the question out there to maybe save me some pain.

Thanks for any help

#2

So trying to run a little test, I do run into problems

current config:

adminAuth: {
    type:"strategy",
    strategy: {
        name: "keycloak",
        label: 'Sign in with KeyCloak',
        icon:"fa-key",
        strategy: require("@exlinc/keycloak-passport"),
        options: {
            host: "https://auth.example.com",
            realm: "MyRealm",
            clientID: "node-red",
            clientSecret: "433abd41-c893-48ea-aabb-ca22c8fc290c",
            callbackURL: "https://example.com/auth/strategy/callback",
            authorizationURL: "https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect/auth",
            tokenURL: "https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect/token",
            userInfoURL: "https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect/userinfo"
        },
        verify: function(accessToken, refreshToken, profile, done) {
            done(null, profile);
        }
    },
    users: [
       { username: "me@example.com", permissions: ["*"]}
    ]
},

I get an error on the callback https://example.com/auth/strategy/callback:

Error: Unknown authentication strategy "keycloak"
    at attempt (/usr/lib/node_modules/node-red/node_modules/passport/lib/middleware/authenticate.js:186:37)
    at authenticate (/usr/lib/node_modules/node-red/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/usr/lib/node_modules/node-red/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/lib/node_modules/node-red/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/lib/node_modules/node-red/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/lib/node_modules/node-red/node_modules/express/lib/router/layer.js:95:5)
    at /usr/lib/node_modules/node-red/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/usr/lib/node_modules/node-red/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/lib/node_modules/node-red/node_modules/express/lib/router/index.js:275:10)
    at SessionStrategy.strategy.pass (/usr/lib/node_modules/node-red/node_modules/passport/lib/middleware/authenticate.js:338:9)

#3

Sorry for the bump, just trying to get some help.

#4

I ran into basically the same issue when trying to set up the GitLab passport. The "unknown authentication strategy" is basically caused when the name property you provide does not match the name expected by the passport.authenticate() function as first argument. Note that proper capitalization matters. I don't know what your KeyCloak passport module requires, but e.g. for passport-gitlab (and passport-gitlab2!) name must be "gitlab", not "GitLab" or whatever else.
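
The name check described in #4, as an added example that is not part of the thread and not Node-RED or Passport code: it constructs the configured strategy class and compares the name the instance gives itself with the `name` in adminAuth. `StubKeycloakStrategy`, `checkAdminAuth` and the sample config are hypothetical and constructed for illustration; the sketch assumes the strategy sets `this.name` in its constructor, as Passport strategies conventionally do.

```javascript
// Added example, not Node-RED or Passport source.
// Constructed stand-in for a Passport strategy module so this runs offline;
// Passport strategies conventionally set this.name in their constructor.
class StubKeycloakStrategy {
    constructor(options, verify) {
        this.name = "keycloak";
        this.options = options;
        this.verify = verify;
    }
}

// Hypothetical helper: returns a list of problems found in an adminAuth block.
function checkAdminAuth(adminAuth) {
    const s = adminAuth && adminAuth.strategy;
    if (!s || adminAuth.type !== "strategy") {
        return ['adminAuth.type must be "strategy" with a strategy object'];
    }
    if (typeof s.strategy !== "function") {
        return ["strategy.strategy is not a constructor; check whether the module " +
                "exports the class directly or as a .Strategy property"];
    }
    let instance;
    try {
        // No-op verify: only the constructed object's name is inspected.
        instance = new s.strategy(s.options || {}, () => {});
    } catch (err) {
        return ["strategy constructor threw: " + err.message];
    }
    const problems = [];
    if (instance.name !== s.name) {
        problems.push(`name "${s.name}" does not match the strategy's own ` +
                      `name "${instance.name}" (comparison is case-sensitive)`);
    }
    const cb = s.options && s.options.callbackURL;
    if (typeof cb === "string" && !cb.startsWith("https://")) {
        problems.push("callbackURL is not https");
    }
    return problems;
}

// Constructed sample config with a capitalisation mismatch in name.
const sample = {
    type: "strategy",
    strategy: {
        name: "KeyCloak",
        strategy: StubKeycloakStrategy,
        options: { callbackURL: "https://example.com/auth/strategy/callback" }
    }
};
console.log(checkAdminAuth(sample));
```

To check a real settings file, pass its adminAuth object with the actual strategy module in place of the stub.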