That looks interesting but I found the root cause of my error. When talking about using external authenticators there are two distinct use cases....
Protecting the Node-Red flow editor using native adminAuth in the settings.js file (doesn't protect the dashboards). This does not use a reverse-proxy with middleware.
Protecting the Node-Red Dashboard 2.0 pages using the multi-tenant with auth pluig-in feature. This requires a reverse-proxy and middleware.
The other option you have here is to use FlowFuse if it's for professional/industrial use cases. Comes with multi-user security included in all your Node-RED instances and Dashboards.
In my view, you will always be better off using an external proxy to handle authentications and user management. I would never recommend using Node-RED for that except for very simple, mostly home, use cases.
Yeah. I think I have it now. The two different ways of using Authentik (native via authAdmin and Traefik-Middleware) had me confused a bit when I started. Also the ability in node red to change the editor root path to something other than "/" makes this easier.
Now I can use the Traefik reverse proxy with path rewriting to get me where dashboard users hitting ( Path(/) || PathPrefix(/dashboard) || PathPrefix(/outpost) ) ('outpost' being the auth urls) get sent to the dashboard with user auth
and administrators wanting to edit the flows can use a newly defined editor path PathPrefix(/editor) can use an alternate auth scheme. This is currently using native authAdmin but I can switch it to Traefik pretty easily I think.
Using Dashboard 2 I even get access in NodeRed to the username who is authenticated which was the original real goal of this whole exercise. I wanted to log who did which button presses.