Eugenio Tampieri's blog

NodeRED Single Sign On with Keycloak

This morning I was struggling to get NodeRED to accept users from Keycloak. This is what accomplished my goals.

Preliminary steps

You have to npm install passport-openidconnect.


You have to configure the adminAuth section inside your settings.js:

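    adminAuth: {
        type: "strategy", // required for passport strategy-based authentication
        strategy: {
            name: "openidconnect",
            label: 'Log in using Keycloak',
            strategy: require("passport-openidconnect").Strategy,
            options: {
                issuer: "",
                authorizationURL: "",
                tokenURL: "",
                userInfoURL: "",
                clientID: "nodered",
                clientSecret: "<yourClientSecret>",
                callbackURL: "",
                // The second argument carries the username here (see note 1 below).
                verify: function(token, tokenSecret, profile, done) {
                    done(null, {username: tokenSecret.username});
                }
            }
        },
        users: function(user) {
            // Bind the name first: `var user` below is hoisted inside the
            // promise callback and shadows this parameter (see note 2 below).
            let username = user;
            return new Promise(function(resolve) {
                if (username === undefined) {
                    resolve(null); // no username: deny
                    return;
                }
                // Every user Keycloak authenticates gets full admin access.
                var user = { username: username, permissions: ["*"] };
                resolve(user);
            });
        }
    },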

There are two things worth noticing:

  1. We call done with tokenSecret instead of with profile. I guess that by adding an issuer parameter at the beginning of the parameters it will be fixed.
  2. We have to bind the username to a local variable before returning the promise. This is how JS works, but I'd forgotten.
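
The shadowing problem from point 2, shown as an added example that is not code from the original post. The function names and the allow-list (with its usernames) are assumptions made for illustration; the last function goes one step beyond the post by granting permissions per account instead of `"*"` to everyone Keycloak authenticates.

```javascript
// Added example; all names and accounts below are constructed.

// Broken: `var user` inside the executor is hoisted to the top of that inner
// function and shadows the outer parameter. `user` is therefore undefined at
// the check, and every lookup resolves to null (nobody can log in).
function usersShadowed(user) {
    return new Promise(function (resolve) {
        if (user === undefined) { resolve(null); return; }
        var user = { username: user, permissions: ["*"] };
        resolve(user);
    });
}

// Working: bind the name before creating the promise, as the post does.
function usersBound(user) {
    const username = user;
    return new Promise(function (resolve) {
        if (username === undefined) { resolve(null); return; }
        var user = { username: username, permissions: ["*"] };
        resolve(user);
    });
}

// Assumption: a hypothetical allow-list, so only named Keycloak accounts are
// accepted and read-only accounts get "read" rather than "*".
const PERMISSIONS = new Map([
    ["alice", ["*"]],
    ["bob", ["read"]],
]);

function usersAllowListed(user) {
    const username = user;
    return new Promise(function (resolve) {
        const permissions = PERMISSIONS.get(username);
        // Unknown or missing usernames resolve to null, which denies access.
        resolve(permissions ? { username: username, permissions: permissions } : null);
    });
}
```

Any of these can be assigned to `adminAuth.users` in settings.js; Node-RED treats a `null` result as an invalid user.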