I would like to authenticate to the Node-RED editor against my Keycloak server.
I used npm to install passport and passport-keycloak-oauth2-oidc.
When I click the button to login, it goes to Keycloak and I login, then it redirects back to Node-RED where I see this error:
InternalOAuthError: Failed to obtain access token
at Strategy.OAuth2Strategy._createOAuthError (/home/ubuntu/.node-red/node_modules/passport-oauth2/lib/strategy.js:423:17)
at /home/ubuntu/.node-red/node_modules/passport-oauth2/lib/strategy.js:177:45
at /home/ubuntu/.node-red/node_modules/oauth/lib/oauth2.js:191:18
at ClientRequest.<anonymous> (/home/ubuntu/.node-red/node_modules/oauth/lib/oauth2.js:162:5)
at ClientRequest.emit (events.js:314:20)
at Socket.socketErrorListener (_http_client.js:427:9)
at Socket.emit (events.js:314:20)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
The URL is https://node-red.mydomain.com/auth/strategy/callback?session_state=removed&code=removed
(replaced the codes with "removed")
I wonder if the problem has to do with the verify function in the strategy object in settings.js. I'm not really clear on what's going on here. I left it the same as in the Node-RED example, which is different from the example for passport-keycloak-oauth2-oidc:
...
adminAuth: {
    type: "strategy",
    strategy: {
        name: "keycloak",
        label: 'Sign in',
        icon: "fa-lock",
        strategy: require("passport-keycloak-oauth2-oidc").Strategy,
        options: {
            clientID: "node-red",
            realm: 'myrealm',
            publicClient: "false",
            clientSecret: "[deleted]",
            sslRequired: "external",
            authServerURL: "http://keycloak.mydomain.com/auth",
            callbackURL: "https://node-red.mydomain.com/auth/strategy/callback",
            verify: function(token, tokenSecret, profile, done) {
                done(null, profile);
            }
        },
    },
    users: [
        { username: "jason@mydomain.com", permissions: ["*"] }
    ]
}
For bonus points... I'd rather not have to supply the usernames in settings.js. I would rather provide a group name, and it would let in any user that belongs to that group... possible?
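For the group question at the end, here is an added example (not code from the original post, from Node-RED or from passport-keycloak-oauth2-oidc) of a verify callback that only admits users who belong to an allowed Keycloak group, together with a users function so that no addresses have to be listed in settings.js. It assumes the Keycloak client has a Group Membership protocol mapper that adds a groups claim to the userinfo response, which the strategy exposes as profile._json.groups; the group path "/node-red-admins" and the helper names are made up for the example.

```javascript
// Added example; assumes a Keycloak "groups" claim reaches the profile as
// profile._json.groups (requires a Group Membership mapper on the client).
const ALLOWED_GROUPS = ["/node-red-admins"]; // constructed sample group path

// Pull group names out of a passport profile. A missing or malformed claim
// yields [] so that a misconfigured mapper denies access instead of crashing.
function groupsOf(profile) {
  const raw = profile && profile._json && profile._json.groups;
  return Array.isArray(raw) ? raw.filter((g) => typeof g === "string") : [];
}

// Build the callback for adminAuth.strategy.options.verify. Instead of accepting
// every authenticated Keycloak user, it passes through only members of an
// allowed group; everyone else gets done(null, false), which passport treats
// as an authentication failure rather than an error.
function makeVerify(allowedGroups) {
  const allowed = new Set(allowedGroups);
  return function verify(accessToken, refreshToken, profile, done) {
    const isMember = groupsOf(profile).some((g) => allowed.has(g));
    if (!isMember) {
      return done(null, false);
    }
    // Node-RED looks the user up by profile.username, so make sure it is set.
    const username =
      profile.username ||
      profile.email ||
      (profile._json && profile._json.preferred_username);
    if (!username) {
      return done(null, false);
    }
    return done(null, { ...profile, username });
  };
}

// adminAuth.users may be a function returning a promise instead of a fixed
// array. Group membership was already enforced in verify(), so every user that
// reaches this point gets the same permissions without being named here.
function lookupUser(username) {
  return Promise.resolve({ username, permissions: ["*"] });
}

// In settings.js: options.verify = makeVerify(ALLOWED_GROUPS); users: lookupUser
module.exports = { ALLOWED_GROUPS, groupsOf, makeVerify, lookupUser };
```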