Add client_credentials grant type feature for oauth2

I need to do app2app authentication with client_credentials grant type for an http request node.
I try to use OAuth2 credentials but i have to set authorization url which is not desired in my case.
I need only access token url with client_credentials grant type.
Maybe there is already a way to do this but i not found how to do
If not, is it possible to have this feature in next release ?

Hey @mxmorin!

Welcome to the community :tada:

Thank you for opening the Feature Request. It is on the roadmap to add more flexibility to the HTTP Request node.

In the meantime, if your API allows, can you pass on these values via Header parameters or Body parameters? If yes, I would suggest you to pass these values via the parameters.

Thanks for your reponse.
I use Keycloak as oauth2 provider with client_credentials grant_type
As workaround, i have created first an http request to retrieve token and passed it to header of my api. This works well but should be great if oauth2 (or new oauth2 app2app credentals) manage it. We do not need authorization url.
Oauth credentials could be modified by setting an grant_type and require authorization url only if not client_credentials

This one will be useful for Microsoft services where you want to leverage application permissions over delegated ones :+1:

I had a look at the requestOAuth2 function in packages/core/src/NodeExecuteFunctions.ts, while adding support there shouldnā€™t be too difficult, getting to that code path and supporting it in the frontend is another thing again.

I wrote a small blog on a workaround (outlined by mxmorin) for using ā€œclient_credentialsā€ grant type with services that has an example in it - Using Client Credential OAuth in n8n | by Tuckner | Feb, 2022 | Medium

Hi John, I know this has been a while, how do you handle token refresh in this configuration? Do you have an interval node before that node or do you have other nodes/functions to trigger this on an interval?
For the system I am connecting to, the access token is valid for 3600 seconds and I would like to trigger this node every 3200 seconds to have some buffer.

It actually ignores the refresh timer as each time you would invoke the Node, it would fetch a brand new token for use. I can understand situations where that might not be ideal, so there are definitely ways of storing the token and then only running the Node is the refresh timer has expired.

The workflow I use this in does run on a 15 minute interval prior to the authentication node, so Iā€™m refreshing my token every 15 minutes when I believe the expiration is 60 minutes.

Hope that was what you were asking!

I really need this for some software called XAP to interface with.

They have an API here
Swagger UI (kidsxap.com.au)

However, the login is a form, so i canā€™t generate new tokens automatically like in Twitter, Iā€™m not sure how to automate this login process?

Vote!
We need the client credential grant flow too.

I am also in need of this feature for use with VMWare Workspace ONE UEM.

3 Likes

Would you mind giving it a try and provide feedback. I only tested it with the Paypal API. You can use the docker image bellow to test it real quick.

docker run -it --rm --name n8n -p 5678:5678 -e N8N_DIAGNOSTICS_ENABLED=false -e N8N_DEPLOYMENT_TYPE=n8n-internal -v ~/.n8n:/home/node/.n8n n8nio/n8n:PR-3489-feature-oauth2-client-credentials

1 Like

:tada: works a treat using it against https://management.azure.com and https://graph.microsoft.com!!

Is it possible to cache the access token and only refresh when itā€™s expired or X mins from expiry?
Edit: looks like it does in the code!

1 Like

Brilliant, I can read AAD via the management API, and get threat indicators via the graph API :milky_way:

Ahh, great that it works. It refreshes the token automatically when it expires. Iā€™m waiting for my Paypal access token to expire so I can adequately test it, but since we are using the same code we use for refreshing the OAuth2 credentials with authentication code grant, it should not be an issue.

1 Like

would you be able to add docker image for linux/arm/v7 ?

What do you mean by add? You should be able to run that in any OS with Docker installed.

I mean the OS / ARCH for your [PR-3489-feature-oauth2-client-credentials] build does not contain options for ARMv7.

Ah yes, our nightly build setup which does get used to build this preview-images does not build multi arch docker images (only amd64) and is currently also sadly not planned to change that. You would either have to wait till it got merged or build an image yourself.

1 Like

Got released with [email protected]

1 Like