Help with adminAuth config for OpenID based authentication

Hi,
Editing this topic as I need help working this out. This post describes the problem I'm having. Is there more documentation on adminAuth anywhere, or am I just missing something?

Any help here is much appreciated

Thanks

-------------------------------------------------Old Posts-------------------------------------------------
Hi,
I'm looking at using keycloak for authenticating my logon to my node-red.

Question: has anybody done this and is willing to share?

So what I plan on doing is using either keycloak-passport or passport-openidconnect.

Current play config for :

adminAuth: {
    type:"strategy",
    strategy: {
        name: "keycloak",
        label: 'Sign in with KeyCloak',
        icon:"fa-key",
        strategy: require("keycloak-passport").Strategy,
        options: {
            host: "https://auth.example.com",
            realm: "MyRealm",
            clientID: "node-red",
            clientSecret: "433abd41-c893-48ea-aabb-ca22c8fc290c",
            callbackURL: "http://example.com/auth/strategy/callback",
            verify: function(accessToken, refreshToken, profile, done) {
                done(null, profile);
            }
        },
    },
    users: [
       { username: "*",permissions: ["*"]}
    ]
};

Disclaimer: as of writing I have not tested any of this, just putting the question out there to maybe save me some pain.

Thanks for any help

So trying to run a little test, I do run into problems

current config:

adminAuth: {
    type:"strategy",
    strategy: {
        name: "keycloak",
        label: 'Sign in with KeyCloak',
        icon:"fa-key",
        strategy: require("@exlinc/keycloak-passport"),
        options: {
            host: "https://auth.example.com",
            realm: "MyRealm",
            clientID: "node-red",
            clientSecret: "433abd41-c893-48ea-aabb-ca22c8fc290c",
            callbackURL: "https://example.com/auth/strategy/callback",
            authorizationURL: "https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect/auth",
            tokenURL: "https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect/token",
            userInfoURL: "https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect/userinfo"
        },
        verify: function(accessToken, refreshToken, profile, done) {
            done(null, profile);
        }
    },
    users: [
       { username: "me@example.com", permissions: ["*"]}
    ]
},

I get an error on the callback https://example.com/auth/strategy/callback:

Error: Unknown authentication strategy "keycloak"
    at attempt (/usr/lib/node_modules/node-red/node_modules/passport/lib/middleware/authenticate.js:186:37)
    at authenticate (/usr/lib/node_modules/node-red/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/usr/lib/node_modules/node-red/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/lib/node_modules/node-red/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/lib/node_modules/node-red/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/lib/node_modules/node-red/node_modules/express/lib/router/layer.js:95:5)
    at /usr/lib/node_modules/node-red/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/usr/lib/node_modules/node-red/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/lib/node_modules/node-red/node_modules/express/lib/router/index.js:275:10)
    at SessionStrategy.strategy.pass (/usr/lib/node_modules/node-red/node_modules/passport/lib/middleware/authenticate.js:338:9)

Sorry for the bump, just trying to get some help.

I ran into basically the same issue when trying to set up the GitLab passport. The "unknown authentication strategy" is basically caused when the name property you provide does not match the name expected by the passport.authenticate() function as first argument. Note that proper capitalization matters. I don't know what your KeyCloak passport module requires, but e.g. for passport-gitlab (and passport-gitlab2!) name must be "gitlab", not "GitLab" or whatever else.

The name must be "Keycloak"

I have this working with:

adminAuth: {
    type: "strategy",
    strategy: {
        name: "Keycloak",
        label: 'Sign in with KeyCloak',
        icon: "fa-key",
        strategy: require("@exlinc/keycloak-passport"),
        options: {
            host: "https://nodered.example.com",
            realm: "myRealm",
            clientID: "node-red",
            clientSecret: "761a35f4-f2bf-48ee-b2cb-999351d0242f",
            callbackURL: "/auth/strategy/callback",
            authorizationURL: "https://auth.example.com/auth/realms/myRealm/protocol/openid-connect/auth",
            tokenURL: "https://auth.example.com/auth/realms/myRealm/protocol/openid-connect/token",
            userInfoURL: "https://auth.example.com/auth/realms/myRealm/protocol/openid-connect/userinfo"
        },
        verify: function (accessToken, refreshToken, profile, done) {
            done(null, profile);
        }
    },
    users: [
        { username: "me@example.com", permissions: ["*"] }
    ]
},

and Keycloak settings of:

Note the http and not https in the redirect URL, as node-red was sending a redirect_uri of

https://auth.example.com/auth/realms/YendorINC/protocol/openid-connect/auth?
response_type=code&
redirect_uri=http%3A%2F%2Fnodered.example.com%2Fauth%2Fstrategy%2Fcallback&
client_id=node-red

This could be from running behind a proxy (Traefik) doing the TLS for my sites.

@sarosh maybe try setting your callbackURL to just /auth/strategy/callback and your host to the host URL of the nodered server [but I don't know how keycloak can call back to a localhost???]

Regards,

@sarosh my guess is the user you have in the users array has a username of admin - but it should be the username you are authenticating with keycloak, which I assume would more likely be an email address.
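An added pre-flight check (example code, not from this thread, Node-RED or keycloak-passport) that exercises the two mistakes the thread turned up: a strategy name that does not match the name the passport module registers (case-sensitive), and a users[] entry whose username does not match what verify() hands back. FakeKeycloakStrategy is a constructed stand-in for the real module; the lookup assumes Node-RED matches verify()'s result by its `username` field and treats a "*" entry as a wildcard.

```javascript
// Constructed stand-in for require("@exlinc/keycloak-passport"):
// a passport strategy class that registers itself as "Keycloak".
class FakeKeycloakStrategy {
  constructor(options, verify) { this.name = "Keycloak"; this.verify = verify; }
}

// verify() that turns an OIDC profile into the shape Node-RED matches on
// (assumption): a `username` taken from the profile's email, lower-cased.
function verify(accessToken, refreshToken, profile, done) {
  const email = profile.email ||
    (profile.emails && profile.emails[0] && profile.emails[0].value);
  if (!email) return done(null, false);       // no email claim: login refused
  done(null, { username: email.toLowerCase() });
}

// Returns a list of problems with the adminAuth block (empty = consistent).
function checkAdminAuth(adminAuth) {
  const problems = [];
  const s = adminAuth.strategy;
  const Strategy = s.strategy.Strategy || s.strategy;   // module or .Strategy
  const instance = new Strategy(s.options, s.verify);
  if (instance.name !== s.name) {                        // exact, case-sensitive
    problems.push(`name "${s.name}" != registered "${instance.name}"`);
  }
  if (typeof s.verify !== "function") {                  // strategy-level verify
    problems.push("strategy.verify is not a function");
  }
  return problems;
}

// Simulates the post-login lookup: run verify(), then find the users[] entry
// by username, accepting "*" as a match-anyone wildcard (assumption).
function resolveUser(adminAuth, profile) {
  let result = null;
  adminAuth.strategy.verify("tok", "rtok", profile, (err, u) => { result = u; });
  if (!result) return null;
  const entry = adminAuth.users.find(
    u => u.username === "*" || u.username === result.username);
  return entry ? { username: result.username, permissions: entry.permissions } : null;
}
```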


@knolleary Thanks your solution worked, I actually created a user with some other username.
