Custom authorization logic for self hosted queue instance

maurimuchico · March 18, 2023, 12:05am

Describe the question

Hi all, I have to implement the following auth scheme:

Provide a custom external login website which generates a JavaScript Web Token (JWT) once the user is logged in (solved)
Redirect the logged user to the n8n self hosted instance (solved using this documentation: JWT - n8n Documentation) running under the queue mode (Configuring queue mode - n8n Documentation)
Pull information (from an external endpoint ) based on the logged user for its use in the core of a private full versioned node (is part of the question)
Define users and groups for team work as follows (is part of the question)

Admin users with access to all workflows and credentials
Member accounts with access to team workflows (can be more than one)
For example:
Member A1 with access to workflows W1, W2, W3
Member A2 with access to workflows W1, W2, W3
Member B with access to workflows W4,W5,W6
And A1 shouldn’t be able to access neither delete W4.

So here is the question:
As far as I’ve learned from the docs, I can combine JWT auth with n8n user management but the workflow roles and permissions (Sharing - n8n Documentation) don’t accomplish this requirement because I need:
*multiple groups inside member accounts as shown in the previous example.
*member accounts need to able to delete flows.
*I also need to disable the user management feature in the settings panel because I have another app to manage users.

So is it possible to plug a custom authorization logic without editing the n8n core?

Information on your n8n setup

**n8n version: 0.219.1
**Database you’re using: PostgreSQL
**Running n8n with the execution process [own(default), main]: main
**Running n8n via [Docker, npm, n8n.cloud, desktop app]: AWS EKS

Thanks and Regards

Jon · March 20, 2023, 11:53am

Hey @maurimuchico,

Welcome to the community

I guess the real quick answer to this one is any changes to the authorisation process would need a fork, I don’t think JWT works with user management either like you have noticed so this probably won’t be a quick chance.

Have you looked through the embed docs to see if there is anything there that may be useful?

maurimuchico · April 4, 2023, 11:32am

Hi @Jon , good morning, thanks for your welcome and sorry for the delay, i was off. I researched the embed docs but as your colleague says here there is no functional difference between n8n and n8n embed.
Do you plan to add multiple teamwork support (as shown in my previous example) or provide a way to write a custom auth logic in the future?
Thanks and Regards

Jon · April 4, 2023, 12:49pm

Hey @maurimuchico,

There is no funtional differences but the embed docs do have some extra bits that are not in the regular docs becase they would be more suited to embedded environments.

At the moment I am not aware of any plans to allow adding custom auth plugins so a fork would be needed if you wanted to do anything that falls outside of the User Management feature, Although depending on your IDP we may have other options which will be available soon like OIDC and SAML

system · July 3, 2023, 12:49pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.