Question About Azure SSO Authentication

Hi there

Yesterday I created this post.

If I follow my strategy above, any user that is in the correct group will get read-write access to node-RED.

What I want to do now is have two groups: one for read-write access (the AD_Admin group) and one for read-only access (the AD_ReadOnly group).

I added the 2 groups to Azure and tested with another user, so I know that both groups will get read-write access to Node-RED.

To achieve a read-only result, my initial code that I worked with was this:

adminAuth: {
    type: "strategy",
    strategy: {
        name: "azuread-openidconnect",
        label: 'Sign in with Azure',
        icon: "fa-windows",
        strategy: require("passport-azure-ad").OIDCStrategy,
        options: {
            identityMetadata: "https://login.microsoftonline.com/###YOUR AZURE TENANT ID###/v2.0/.well-known/openid-configuration",
            clientID: "###YOUR AZURE CLIENT ID###",
            clientSecret: "###YOU AZURE CLIENT SECRET###",
            responseType: "code",
            responseMode: "query",
            redirectUrl: "###URL to Node-RED###/auth/strategy/callback",
            allowHttpForRedirectUrl: true,
            scope: ['email', 'profile'],
            verify: function (profile, done) {
                // Custom logic to verify group membership
                const adminGroup = 'AD_Admin';
                const readOnlyGroup = 'AD_ReadOnly';
                // Check if the user belongs to the required group
                if (profile._json.groups && profile._json.groups.includes(adminGroup)) {
                    // User is in the required group
                    profile.username = profile._json.preferred_username;
                    done(null, profile);
                }
                else if (profile._json.groups && profile._json.groups.includes(readOnlyGroup)) {
                    // User didn't match the 'admin' group above, but is in the read-only group
                    profile.username = profile._json.preferred_username;
                    profile.readOnly = true;
                    done(null, profile);
                }
                else {
                    // User is not in the required group
                    done(new Error('User is not in the correct AD Group.'));
                }
            }
        },
    },
    users: function (user) {
        // Check if user is in the Read-only group
        if (user.readOnly) {
            return Promise.resolve({ username: user.username, permissions: "read" });
        }
        else {
            return Promise.resolve({ username: user, permissions: "*" });
        }
    },
},

Now, I know that this code will not work. I initially thought that "profile" (that is returned in the verify section) was equal to "user" in the users section.
Later I learned that "user" in the users section only contains the username of the person trying to log in.

What is needed here is to pass the readOnly variable (which can be true or false) from the verify section to the users section.

How can I do that?
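One way to carry the group decision from verify to users, given that users only receives the username: record the permissions verify decided in a module-level Map inside settings.js and look them up by username in users. This is an added example, not code from the post or from Node-RED; the group names, the groups/preferred_username claim shape and the (profile, done) verify signature are taken from the post, while the Map and the helper names are assumptions.

```javascript
// Added example (not from the original post): verify() decides the permission
// level from the Azure groups claim and stores it per username; users() reads
// it back, so read-only users get "read" and admins get "*" (least privilege).
// Wire it as strategy.options.verify and adminAuth.users in settings.js.
const ADMIN_GROUP = 'AD_Admin';
const READ_ONLY_GROUP = 'AD_ReadOnly';

// username -> permissions decided at login time (lives as long as settings.js)
const permissionsByUser = new Map();

function groupsOf(profile) {
    const groups = profile && profile._json && profile._json.groups;
    return Array.isArray(groups) ? groups : [];
}

// Passed as strategy.options.verify; signature as used in the post (assumed)
function verify(profile, done) {
    const username = profile && profile._json && profile._json.preferred_username;
    if (!username) {
        return done(new Error('No preferred_username claim in token.'));
    }
    const groups = groupsOf(profile);
    let permissions;
    if (groups.includes(ADMIN_GROUP)) {
        permissions = '*';          // admin wins even if also in the read-only group
    } else if (groups.includes(READ_ONLY_GROUP)) {
        permissions = 'read';
    } else {
        permissionsByUser.delete(username); // drop any entry from an earlier login
        return done(new Error('User is not in the correct AD Group.'));
    }
    permissionsByUser.set(username, permissions);
    profile.username = username;
    return done(null, profile);
}

// Synchronous lookup; returns the Node-RED user object or null if unknown
function lookupPermissions(username) {
    const permissions = permissionsByUser.get(username);
    return permissions ? { username, permissions } : null;
}

// Passed as adminAuth.users; Node-RED calls it with the username only
function users(username) {
    return Promise.resolve(lookupPermissions(username));
}

module.exports = { verify, users, lookupPermissions, permissionsByUser };
```

Because the Map is only written by verify, a user who was never in either group (or who was removed from both) resolves to null in users and is refused.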
