Question About Azure SSO Authentication

Hi there

Yesterday I create this post.

If I follow my strategy above, any user that is in the correct group will get read-write access to node-RED.

What I want to do now is have two groups: one for read-write access (the AD_Admin group) and one for read-only access (the AD_ReadOnly group).

I added the 2 groups to Azure and tested with another user, so I know that both groups will get read-write access to Node-RED.

To achieve a read-only result, my initial code that I worked with was this:

adminAuth: {
	type: "strategy",
	strategy: {
		name: "azuread-openidconnect",
		label: 'Sign in with Azure',
		icon: "fa-windows",
		strategy: require("passport-azure-ad").OIDCStrategy,
		options: {
			identityMetadata: " AZURE TENANT ID###/v2.0/.well-known/openid-configuration",
			clientID: "###YOUR AZURE CLIENT ID###",
			clientSecret: "###YOU AZURE CLIENT SECRET###",
			responseType: "code",
			responseMode: "query",
			redirectUrl: "###URL to Node-RED###/auth/strategy/callback",
			allowHttpForRedirectUrl: true,
			scope: ['email', 'profile'],
			verify: function (profile, done) {
				// Custom logic to verify group membership
				const adminGroup = 'AD_Admin';
				const readOnlyGroup = 'AD_ReadOnly';
				// Check if the user belongs to the required group
				if (profile._json.groups && profile._json.groups.includes(adminGroup)){
					// User is in the required group
					profile.username = profile._json.preferred_username;
					done(null, profile);
				else if (profile._json.groups && profile._json.groups.includes(readOnlyGroup)){
					// User didn't match the 'admin' group above, but is in the read-only group
					profile.username = profile._json.preferred_username;
					profile.readOnly = true;
					done(null, profile);
				else {
					//User is not in the required group
					done(new Error('User is not in the correct AD Group.'));
	users: function (user) {
		//Check if user is in the Read-only group
		if (user.readOnly){
			return Promise.resolve({ username: user.username, permissions: "read"});
		else {
			return Promise.resolve({ username: user, permissions: "*" });

Now, I know that this code will not work. I initially thought that "profile" (that is returned in the verify section) was equal to "user" in the users section.
Later I learned that "user" in the users section only contains the username of the person trying to log in.

What is needed here is to pass the readOnly variable (which can be true or false) from the verify section to the users section.

How can I do that?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.