Node-Red SSO with Authentik
Following my last post regarding SSO with Authentik, I thought I should post my passportjs configuration for Node-Red and OpenID Connect. Currently user accounts work; however, I haven't gotten group-based permissions set up yet.
Note: This guide is based on the Gitea integration guide from the Authentik docs.
Preparation
The following placeholders will be used:
authentik.company is the FQDN of authentik.
nodered.company is the FQDN of nodered.
Step 1
In authentik, create an OAuth2/OpenID Provider (under Resources/Providers) with these settings:
Note: Only settings that have been modified from default have been listed.
Protocol Settings
Name: nodered
Signing Key: Select any available key
Note: Take note of the Client ID and Client Secret; you'll need to give them to nodered in Step 3.
Step 2
In authentik, create an application (under Resources/Applications) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
Note: Only settings that have been modified from default have been listed.
Name: nodered
Slug: nodered-slug
Provider: nodered
Step 3
Note: We are assuming node-red is installed under Docker.
Navigate to the node-red data volume, data/node_modules/. Alternatively, enter the Docker container and change to that directory:
    sudo docker exec -it nodered bash
    cd /data/node_modules
Use npm to install passport-openidconnect:
    npm install passport-openidconnect
Edit the node-red settings.js file, /data/settings.js:
    adminAuth: {
        type: "strategy",
        strategy: {
            name: "openidconnect",
            label: 'Sign in with authentik',
            icon: "fa-cloud",
            strategy: require("passport-openidconnect").Strategy,
            options: {
                issuer: 'https://authentik.company/application/o/<application-slug>/',
                authorizationURL: 'https://authentik.company/application/o/authorize/',
                tokenURL: 'https://authentik.company/application/o/token/',
                userInfoURL: 'https://authentik.company/application/o/userinfo/',
                // Client ID and Client Secret were noted when creating the provider in Step 1.
                clientID: '<Client ID (Key): Step 1>',
                clientSecret: '<Client Secret: Step 1>',
                callbackURL: 'https://nodered.company/auth/strategy/callback/',
                scope: ['email', 'profile', 'openid'],
                proxy: true,
                // Accept the profile returned by authentik as-is.
                verify: function(issuer, profile, done) {
                    done(null, profile)
                }
            }
        },
        // Every user authentik authenticates receives full ("*") permissions.
        // Until group-based permissions are in place, limit who can reach this
        // application with the policy bindings from Step 2.
        users: function(user) {
            return Promise.resolve({ username: user, permissions: "*" });
        }
    },
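The users function above gives permissions "*" to every account authentik lets through, so group membership has no effect on what a signed-in user may do. The following is an added example, not code from the original post or from the Node-Red or authentik projects: a deny-by-default verify/users pair that maps groups to the Node-Red permissions "*" and "read". It assumes hypothetical group names (nodered-admins, nodered-viewers) and that the groups claim is exposed as profile.groups, which depends on the passport-openidconnect version in use.

```javascript
// Added example, not from the original post; group names are hypothetical.
// Assumption: authentik's groups claim reaches verify() as profile.groups.
const GROUP_PERMISSIONS = [
  // Most privileged first; the first matching rule wins.
  { group: 'nodered-admins', permissions: '*' },
  { group: 'nodered-viewers', permissions: 'read' },
];
// username -> permissions decided at that user's most recent login.
const granted = new Map();

// Map a groups claim to a Node-RED permission, or null for no access.
function permissionsForGroups(groups) {
  if (!Array.isArray(groups)) return null;
  const rule = GROUP_PERMISSIONS.find((r) => groups.includes(r.group));
  return rule ? rule.permissions : null;
}

// For options.verify: record the decision, then pass the profile on.
function verify(issuer, profile, done) {
  const username = profile && profile.username;
  if (typeof username === 'string' && username !== '') {
    const permissions = permissionsForGroups(profile.groups);
    if (permissions === null) granted.delete(username); // drop a stale grant
    else granted.set(username, permissions);
  }
  done(null, profile);
}

function lookupUser(username) {
  const permissions = granted.get(username);
  return permissions ? { username, permissions } : null;
}

// For adminAuth.users: resolving null tells Node-RED the user is not valid.
function users(username) {
  return Promise.resolve(lookupUser(username));
}

// Constructed logins (not real accounts) run through verify().
function demo() {
  const logins = [
    { username: 'alice', groups: ['staff', 'nodered-admins'] },
    { username: 'bob', groups: ['nodered-viewers'] },
    { username: 'carol', groups: ['staff'] },
  ];
  logins.forEach((p) => verify('https://authentik.company/', p, () => {}));
  return logins.map((p) => lookupUser(p.username));
}
console.log(demo());
```

The map is empty after a Node-Red restart, so users resolves null for everyone until they sign in again.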