Custom Node Credentials - can't change 'scope' from default value

I created a custom node with its own credential type. (For this, I am going off the Box node as reference because it’s an oauth2 request I wish to make).
In the properties, I define my properties as follows:

import type { ICredentialType, INodeProperties } from 'n8n-workflow';

export class ODataOAuth2Api implements ICredentialType {
	name = 'oDataOAuth2Api';
	displayName = 'oData OAuth2 API';
	extends = ['oAuth2Api'];

	properties: INodeProperties[] = [
		{
			displayName: 'Grant Type',
			name: 'grantType',
			type: 'hidden',
			default: 'authorizationCode',
		},
		{
			displayName: 'Scope',
			name: 'scope',
			type: 'string',
			default: 'testA',
			required: true,
		},
		{
			displayName: 'Authorization URL',
			name: 'authUrl',
			type: 'string',
			default: '',
			placeholder: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
			required: true,
		},
		{
			displayName: 'Access Token URL',
			name: 'accessTokenUrl',
			type: 'string',
			default: '',
			placeholder: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
			required: true,
		},
		{
			displayName: 'Scope2',
			name: 'scope2',
			type: 'string',
			default: 'bla',
			required: true,
		},
		{
			displayName: 'Auth URI Query Parameters',
			name: 'authQueryParameters',
			type: 'hidden',
			default: '',
		},
		{
			displayName: 'Authentication',
			name: 'authentication',
			type: 'hidden',
			default: 'body',
		},
	];
}

Now, I press ‘Connect my Account’ to connect with these values:
[screenshot: n8n in Mozilla Firefox]

It will popup a login window at this url:

https://webhook.site/5c9e95c6-3a23-4b74-96dc-83c2b86115f2?client_id=4d7a47f0-0f8f-42fd-a9c4-ff91ec54b2b6&redirect_uri=http%3A%2F%2Flocalhost%3A5678%2Frest%2Foauth2-credential%2Fcallback&response_type=code&state=eyJ0b2tlbiI6Im8zZG5lR0gyLUdUWVAwX1hCY0JzLS1sSzRNZ0dzcTNlc29oQSIsImNpZCI6IjV3NURDWTljSDlRN0pVdGwifQ%3D%3D&scope=testA

(Notice, that ‘scope’ is given automatically as “testA” as a parameter in the URL).

Now, if I change the value of scope:
[screenshot: n8n in Mozilla Firefox]

It retains its default value of ‘testA’ in the query:

...VdGwifQ%3D%3D&scope=testA

Thus, only the default value is ever used instead of the current value. This seems like a bug to me, but maybe I am doing something wrong.

Additionally, I changed Authorization URL, and the popup indeed went to a different URL, so it seems to be just the Scope parameter that is affected. Also, this happens regardless of setting Scope’s required field to true or false.

n8n Version: 1.58.2 on npm running on Node 18, SQLite
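
An added example (not from this thread and not n8n's own code) of a check for the symptom described above: it parses an authorization URL, compares its `scope` parameter with the scope entered in the credential form, and reads the credential id from the base64 `state`. The function names, `idp.example` and the sample scope values are assumptions.

```typescript
// Added example, not n8n code: compare the scope an OAuth2 authorization
// request carries with the scope configured in the credential form.
interface ScopeCheck {
  requested: string[];         // scopes found in the URL
  missing: string[];           // configured but not requested
  unexpected: string[];        // requested but not configured
  credentialId: string | null; // "cid" from the decoded state, if present
}
// RFC 6749 section 3.3: scope is a space-delimited, order-insensitive list.
function splitScopes(value: string | null): string[] {
  return (value || '').split(' ').filter(function (s) { return s.length > 0; });
}
function difference(a: string[], b: string[]): string[] {
  return a.filter(function (s) { return b.indexOf(s) === -1; });
}
// The state value in the thread's popup URL is base64-encoded JSON with a
// "cid" field; anything that does not decode that way is ignored.
function decodeState(state: string | null): { cid?: string } {
  if (!state) return {};
  try {
    const parsed = JSON.parse(atob(state));
    return parsed && typeof parsed === 'object' ? parsed : {};
  } catch (e) {
    return {};
  }
}
function checkAuthorizationScope(authUrl: string, configuredScope: string): ScopeCheck {
  const params = new URL(authUrl).searchParams;
  const requested = splitScopes(params.get('scope'));
  const configured = splitScopes(configuredScope);
  const cid = decodeState(params.get('state')).cid;
  return {
    requested: requested,
    missing: difference(configured, requested),
    unexpected: difference(requested, configured),
    credentialId: typeof cid === 'string' ? cid : null,
  };
}
// Constructed sample: same parameter layout as the popup URL, made-up values.
function sampleUrl(scope: string): string {
  const state = encodeURIComponent(btoa(JSON.stringify({ token: 'tok', cid: 'cred-1' })));
  return 'https://idp.example/authorize?client_id=example-client&response_type=code' +
    '&state=' + state + '&scope=' + encodeURIComponent(scope);
}
// Form says "api.read offline_access", request still carries the default.
const stale = checkAuthorizationScope(sampleUrl('testA'), 'api.read offline_access');
console.log(stale.missing, stale.unexpected, stale.credentialId);
```

A non-empty `missing` or `unexpected` list means the consent screen is asking for something other than what the form shows.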

I found this comment in n8n/packages/nodes-base/credentials/OAuth2Api.credentials.ts which I believe is relevant:
// WARNING: if you are extending from this credentials and allow user to set their own scopes
// you HAVE TO add it to GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE in packages/cli/src/constants.ts
// track any updates to this behavior in N8N-7424

I’m not sure how this applies in the context of creating a custom node, however, so any advice would be appreciated!

Browsing through the other nodes that extend from oauth2api, it seems they predefine the scopes by hardcoding them and then set the default as default: scopes.join(' ') in the code. However, this option is not available to me because the node has to support multiple different servers which could each potentially have need for different scopes. Is there a workaround?

Hi @JayF

Did you check if it was just cached perhaps?

Thanks for the reply. Where would an INodeProperty be cached? This seems unusual due to the fact that Authorization URL can be changed on the fly from default and the next time I hit Connect my account it’s changed. It seems like the value of scope is simply not being read at all. I supplied a picture that clearly shows the difference in behavior.

I’m guessing the answer is in n8n/packages/cli/src/constants.ts
The custom node name must be added to this list to edit the scope:
image

Yep, just tested adding my custom node’s name and it works:
image

It seems like instead of doing it via credentials, the correct way to proceed will be to use Generic Authentication, as I can connect with the right scope to Azure using that menu.

Just adding another comment here now that I understand this problem better.

The original reason I even tried to do this through Credentials and not Authentication was because setting Authentication was giving me a ‘Credentials not found’ error:
ApplicationError: Node type "CUSTOM.odataNode" does not have any credentials of type "oDataOAuth2Api" defined

That didn’t make any sense, since you shouldn’t need Credentials if using the Authentication route. And you don’t need to do this on an HTTP Request.
Here is the root of that strangeness, in packages/core/src/NodeExecuteFunctions.ts:

It’s a hardcoded patch that makes the nodes not work as expected. This is probably unnecessary, but since the code does it, the only thing to do is work around it. Well, the solution is to set Credentials up in your INodeType.description.credentials. (In this case, for the type oauth2), even though the Credentials are never actually used, because the token is gotten through Authentication.

image

Maybe this will be of use to someone in future.