OAuth/OpenID logout with Keycloak

This is not a question, but a simple note for others using Keycloak to authenticate node-red users.

I followed the hints at OAuth/OpenID login with Keycloak and got my login working very fast. I decided to go with Keycloak roles instead of groups but overall the logic remains the same.

The only problem I encountered was the logout. After a successful login I clicked logout, got the Node-RED sign-in modal but after clicking that button I was immediately logged in with the previously used account because my Keycloak session was still active.

Passport exposes a logout() that should be attached to the logout route but I could not find a usable hook in Node-RED to use it. I went through the code and found the solution in @node-red/editor-api/lib/auth/index.js. By setting settings.editorTheme.logout.redirect to
http://{KEYCLOAK_URL}/auth/realms/{REALM_NAME}/protocol/openid-connect/logout?redirect_uri={NODE-RED-EDITOR-URL-URIENCODED}
you can loop through the session invalidation of Keycloak and everything works as expected.

On request I could add a Keycloak integration manual for the documentation. Would that be of interest? What documentation entrypoint should be used (@knolleary )? Is there someone who could review and correct my non-native English?

Regards,
Mario
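As an added example (not code from the original post or from Node-RED itself), a settings.js helper that builds the Keycloak logout redirect described above. The Keycloak host, realm and editor URL are constructed placeholders; the optional extra query parameters show how a nested query string on the editor URL survives the double encoding.

```javascript
// Added example: build the value for settings.editorTheme.logout.redirect so
// that Node-RED's logout first invalidates the Keycloak SSO session and then
// lands back on the editor. Host names, realm and message are sample values.

/**
 * Build the Keycloak end-session URL that sends the browser back to the
 * Node-RED editor once the Keycloak session has been invalidated.
 * Extra query parameters (e.g. session_message) are attached to the editor
 * URL *before* it is URI-encoded, so they travel inside redirect_uri.
 */
function buildKeycloakLogoutUrl(keycloakUrl, realm, editorUrl, extraParams = {}) {
  const target = new URL(editorUrl);                 // where Keycloak sends us back
  for (const [key, value] of Object.entries(extraParams)) {
    target.searchParams.set(key, value);             // encoded once, inside the target
  }
  const base = keycloakUrl.replace(/\/+$/, "");      // tolerate a trailing slash
  const path = `/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout`;
  // encodeURIComponent encodes the whole target again, including its own
  // '?', '=' and '&', so the nested query cannot corrupt the outer one.
  return `${base}${path}?redirect_uri=${encodeURIComponent(target.toString())}`;
}

/** Decode the redirect_uri parameter the way Keycloak will see it. */
function parseRedirectUri(logoutUrl) {
  return new URL(logoutUrl).searchParams.get("redirect_uri");
}

// settings.js fragment (assumed deployment values, not a real installation):
const editorTheme = {
  logout: {
    redirect: buildKeycloakLogoutUrl(
      "https://keycloak.example.com",
      "nodered",
      "https://nodered.example.com/"
    ),
  },
};
```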


Thanks for sharing @mw75

It would be helpful to add a bit about the logout property to Securing Node-RED : Node-RED

It would also be very helpful to have a page of examples for different auth providers.

I would suggest creating a new page: docs/user-guide/runtime/security/examples.md and adding a section for Keycloak.

We can then add links to that from the appropriate places in the 'securing node-red' page.

I just started to document the overall process and discovered another problem: When I try to login with a valid user who is not assigned to the required role, the revoke function is not triggered and I cannot leave the wrong user context.

I have no access to the express res-resource inside the passport-verify function to redirect myself and I don't see an option to configure the session destroy loop on strategy errors. The handleStrategyError function in @node-red/editor-api/lib/auth/index.js just redirects to settings.httpAdminRoot. Any hint how to get the logout-loop integrated would be appreciated.

BTW: The err argument of the verify-done() callback is interpreted as a string and attached to the session_message query parameter of the settings.httpAdminRoot redirection. A string of "not authorized" will be URI encoded and becomes "not%20authorized" on the sign-in modal. How to bypass that? I tried "not authorized" but the ampersand is not quoted in the process and messes up the query-string, which results in the message "not" on the modal.

@quarfie as known Keycloak user: Have you discovered the same issue? Do you have any suggestions or workarounds?

I do not seem to be having this issue.

When I click logout, it takes me to the Node-RED sign-in page, like so:

I am definitely logged out at this time. I cannot get back to the editor by clicking back or refreshing, etc.

When I click the sign in button, I get taken to my Keycloak login, which includes a "login with Google" button. Depending on how recently I last logged in with Google, this might complete the process and sign me in or I might have to provide my Google credentials.

Ok, that means you bypass the whole Keycloak SSO session by the Google delegation. So you are not affected by that behavior.

@knolleary would it be an option to apply

$ diff node_modules/@node-red/editor-api/lib/auth/index.js ~/red/node_modules/@node-red/editor-api/lib/auth/index.js 
188c188
<             options.verify.apply(null,args);
---
>             options.verify.apply(this,args);
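Review bot: switching the binding from options.verify.apply(null,args) to options.verify.apply(this,args) changes the contract of every user-supplied verify callback, not only the Keycloak one, and nothing in the hunk documents the new binding. Callbacks that relied on the old binding, or that are written as arrow functions (which ignore the this argument of apply altogether), will not see the Strategy instance. Suggest stating the new binding in the adminAuth strategy settings documentation and in the PR description, and consider passing the strategy as an explicit additional entry in args instead, which is harder to miss than an implicit this.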

that would allow a this.redirect call with http://{KEYCLOAK_URL}/auth/realms/{REALM_NAME}/protocol/openid-connect/logout?redirect_uri={NODE-RED-EDITOR-URL-URIENCODED - even with "?session_message=Unauthorized" appended} inside the verify function and solve the problem without side effects. this is the Strategy object in this case.

It's hard to review a proposed code change out of context in a forum post.

Please raise a PR with enough detail to explain what this does. This isn't an area of the code base I can comment in without spending time reminding myself how it all works.

OAuth/OpenID logout with Keycloak - Forum 57492 by mw75 · Pull Request #3388 · node-red/node-red · GitHub also filled with more context

Any feedback, here or on the PR, would be appreciated @knolleary and @all!
