This is not a question, but a simple note for others using Keycloak to authenticate node-red users.
I followed the hints at OAuth/OpenID login with Keycloak and got my login working very fast. I decided to go with Keycloak roles instead of groups but overall the logic remains the same.
The only problem I encountered was the logout. After a successful login I clicked logout, got the Node-RED sign-in modal but after clicking that button I was immediately logged in with the previously used account because my Keycloak session was still active.
Passport exposes a logout() that should be attached to the logout route but I could not find a usable hook in Node-RED to use it. I went through the code and found the solution in @node-red/editor-api/lib/auth/index.js. By setting settings.editorTheme.logout.redirect to
http://{KEYCLOAK_URL}/auth/realms/{REALM_NAME}/protocol/openid-connect/logout?redirect_uri={NODE-RED-EDITOR-URL-URIENCODED}
you can loop through the session invalidation of keycloak and everything works as expected.
On request I could add a Keycloak integration manual for the documentation. Would that be of interest? What documentation entrypoint should be used (@knolleary )? Is there someone who could review and correct my non-native English?
I just started to document the overall process and discovered another problem: When I try to login with a valid user who is not assigned to the required role, the revoke function is not triggered and I cannot leave the wrong user context.
I have no access to the express res-resource inside the passport-verify function to redirect myself and I don't see an option to configure the session destroy loop on strategy errors. The handleStrategyError function in @node-red/editor-api/lib/auth/index.js just redirects to settings.httpAdminRoot. Any hint how to get the logout-loop integrated would be appreciated.
BTW: The err argument of the verify-done() callback is interpreted as a string and attached to the session_message queryparameter of the settings.httpAdminRoot redirection. A string of "not authorized" will be URI encoded and becomes "not%20authorized" on the sign-in modal. How to bypass that? I tried "not authorized" but the ampersand is not quoted in the process and messes up the query-string, which results in the message "not" on the modal.
I am definitely logged out at this time. I cannot get back to the editor by clicking back or refreshing, etc.
When I click the sign in button, I get taken to my Keycloak login, which includes a "login with Google" button. Depending on how recently I last logged in with Google, this might complete the process and sign me in or I might have to provide my Google credentials.
That would allow a this.redirect call with http://{KEYCLOAK_URL}/auth/realms/{REALM_NAME}/protocol/openid-connect/logout?redirect_uri={NODE-RED-EDITOR-URL-URIENCODED - even with "?session_message=Unauthorized" appended} inside the verify function and solve the problem without side effects. this is the Strategy object in this case.
It's hard to review a proposed code change out of context in a forum post.
Please raise a PR with enough detail to explain what this does. This isn't an area of the code base I can comment in without spending time reminding myself how it all works.