How to configure Node Red OAuth against Gitea IDP OAuth Provider - ID token not issued

I have tried to follow a couple of sites about enabling "adminAuth" section in Node Red settings.js for a self-hosted Gitea instance. I use this as an IDP for a variety of other self-hosted tools.

I am stuck. The flow seems to be happening ok, but Node Red gives the following message after successfully logging into my gitea account and returning to the Node Red sign-in page.

    ID token not issued by expected OpenID provider.
    AuthenticationError: Forbidden

I am using passport-openidconnect strategy and have installed this in the node_modules folder.

Gitea logs don't show any errors...

    2025/01/23 15:20:28 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?response_type=code&client_id=563e40f5-559c-4d9b-a150-7b2c1dfb422f&redirect_uri=https%3A%2F%2Fnodered.my-domain%2Fauth%2Fstrategy%2Fcallback%2F&scope=openid%20user&state=iV2EWTs19o2xTb%2FXX1jx6Uzh for IPADDR:0, 303 See Other in 0.1ms @ web/web.go:139(web.registerRoutes.verifyAuthWithOptions)
    2025/01/23 15:20:28 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for IPADDR:0, 200 OK in 2.0ms @ auth/auth.go:164(auth.SignIn)
    2025/01/23 15:20:33 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for IPADDR:0, 303 See Other in 82.5ms @ auth/auth.go:196(auth.SignInPost)
    2025/01/23 15:20:33 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/two_factor for IPADDR:0, 200 OK in 1.8ms @ auth/2fa.go:26(auth.TwoFactor)
    2025/01/23 15:20:38 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/two_factor for IPADDR:0, 303 See Other in 15.0ms @ auth/2fa.go:43(auth.TwoFactorPost)
    2025/01/23 15:20:38 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?response_type=code&client_id=563e40f5-559c-4d9b-a150-7b2c1dfb422f&redirect_uri=https%3A%2F%2Fnodered.my-domain%2Fauth%2Fstrategy%2Fcallback%2F&scope=openid%20user&state=iV2EWTs19o2xTb%2FXX1jx6Uzh for IPADDR:0, 303 See Other in 12.0ms @ auth/oauth.go:364(auth.AuthorizeOAuth)
    2025/01/23 15:20:38 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for IPADDR:0, 200 OK in 112.4ms @ auth/oauth.go:638(auth.AccessTokenOAuth)

This is my adminAuth section in settings.js...

    adminAuth: {
        type: "strategy",
        strategy: {
            name: "openidconnect",
            label: 'Sign in with gitea',
            icon: "fa-cloud",
            strategy: require("passport-openidconnect").Strategy,
            options: {
                issuer: 'https://gitea.<my-domain>',
                authorizationURL: 'https://gitea.<my-domain>/login/oauth/authorize',
                tokenURL: 'https://gitea.<my-domain>/login/oauth/access_token',
                userInfoURL: 'https://gitea.<my-domain>/login/oauth/userinfo',
                clientID: 'XXXXXXX',
                clientSecret: 'XXXXXX',
                callbackURL: 'https://nodered.<my-domain>/auth/strategy/callback/',
                scope: ['user', 'profile', 'openid', 'offline_access'],
                proxy: true,
                verify: function(issuer, profile, done) {
                    done(null, profile);
                }
            }
        },
        users: function(user) {
            return Promise.resolve({ username: user, permissions: "*" });
        }
    },

I have created a Gitea Integrations/Application and use those credentials in the settings.js file.

Both nodered and gitea are behind an NGINX proxy. This is the nodered nginx proxy configuration. (I have noticed in some other applications that this can influence success.) This example works for Harbor registry OAuth, which is also hosted behind the same NGINX proxy.

    server {
        listen 443 ssl;
        server_name nodered.my-domain;
        client_max_body_size 0M;

        location / {
            proxy_intercept_errors on;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass http://192.168.42.7:1880/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
    }

I would appreciate any help or advice on how to enable more debugging, or additional steps I may be missing on the gitea side. I just don't know what "forbidden" means.
