Custom Node - Is it possible to avoid client_secret?

We are trying to build an internal custom node utilizing Azure AD B2C for authentication.

But I am getting this error when trying to utilize client_secret:

{"error":"invalid_request","error_description":"AADB2C90084: Public clients should not send a client_secret when redeeming a publicly acquired grant.\r\nCorrelation ID: 3f648574-0d08-4dbd-9a1c-343682bd5a9d\r\nTimestamp: 2025-03-14 16:17:52Z\r\n"}

It seems like the flow would work without the client_secret property. Can we do a PKCE flow instead, given it's a public client?

Here's the current properties setup in the credentials file:

// Assumed framing (the post only showed the properties array): INodeProperties and
// ICredentialType come from n8n-workflow; `globals` is the poster's own config module,
// so its import path here is a placeholder.
import type { ICredentialType, INodeProperties } from 'n8n-workflow';
import { globals } from './globals';

// Placeholder class/credential names; the post does not give them.
export class InternalB2COAuth2Api implements ICredentialType {
	name = 'internalB2COAuth2Api';
	displayName = 'Internal B2C OAuth2 API';
	// Builds on n8n's generic OAuth2 credential, which supplies the redirect handling.
	extends = ['oAuth2Api'];

	properties: INodeProperties[] = [
		{
			displayName: 'Grant Type',
			name: 'grantType',
			type: 'hidden',
			default: 'authorizationCode',
		},
		{
			displayName: 'Authorization URL',
			name: 'authUrl',
			type: 'hidden',
			default: `${globals.identity_base_url}${globals.auth.tenant_id}/${globals.auth.signup_signin_policy}/oauth2/v2.0/authorize`,
		},
		{
			displayName: 'Access Token URL',
			name: 'accessTokenUrl',
			type: 'hidden',
			default: `${globals.identity_base_url}${globals.auth.tenant_id}/${globals.auth.signup_signin_policy}/oauth2/v2.0/token`,
		},
		{
			displayName: 'Auth URI Query Parameters',
			name: 'authQueryParameters',
			type: 'hidden',
			default: '',
		},
		{
			displayName: 'Authentication',
			name: 'authentication',
			type: 'hidden',
			// 'body' puts client_id (and client_secret, when set) in the token request body.
			default: 'body',
		},
		{
			displayName: 'Scope',
			name: 'scope',
			type: 'hidden',
			default: globals.auth.scope,
		},
		{
			displayName: 'Client ID',
			name: 'clientId',
			type: 'hidden',
			default: globals.auth.client_id,
		},
		{
			displayName: 'Client Secret',
			name: 'clientSecret',
			type: 'hidden',
			// This is the value B2C rejects with AADB2C90084 for a public client.
			default: globals.auth.client_secret,
		},
	];
}

Hey Shyamal,

That Azure B2C error is pretty common when you’re trying to use a client_secret in a flow that’s meant for public clients. In the Authorization Code with PKCE flow, you’re not supposed to send the client_secret — Azure sees that as a security risk and blocks it.

If you’re aiming for a PKCE flow (which is the right move for public clients), then yeah, you can and should drop the client_secret.

Looking at your credentials setup, a few things to adjust:

  1. Remove the clientSecret field entirely from the node config.
  2. Make sure your flow is actually set up for PKCE (not the regular auth code with secret).
  3. n8n doesn’t support PKCE out of the box in credential nodes right now, so you’ll need to handle it manually in your custom node:
  • Generate code_verifier and code_challenge.
  • Include them in the auth and token requests.
  • Manage the flow using a raw HTTP Request node or inside the custom logic.

Alternatively, you can handle the PKCE flow externally (like in a small middleware or script), get the access token there, and just pass it to your custom node as a raw token.

Let me know how locked down your environment is and I can share an example of doing PKCE manually inside a custom node.
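The three manual PKCE steps the reply lists (generate code_verifier/code_challenge, put the challenge on the authorize request, put the verifier on the token request with no client_secret), written out as an added example. This is not the poster's node and not n8n's own code; it uses only Node's crypto so it runs outside n8n. The tenant, policy, client ID, redirect URI and authorization code below are constructed placeholders, and `verifierMatches` shows the check the token endpoint performs, not something the client needs to call.

```typescript
// Added example: manual PKCE (RFC 7636, S256) for an Azure AD B2C public client.
// Not the poster's node and not n8n code; all B2C values below are placeholders.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

interface B2CPublicClientConfig {
  authUrl: string;        // .../oauth2/v2.0/authorize
  accessTokenUrl: string; // .../oauth2/v2.0/token
  clientId: string;
  redirectUri: string;
  scope: string;
  // Deliberately no clientSecret: a public client must not hold or send one.
}

// base64url without '=' padding, as RFC 7636 requires.
function base64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))   (RFC 7636 section 4.2)
function computeChallenge(verifier: string): string {
  return base64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// code_verifier: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43 base64url chars.
function generatePkcePair(): { verifier: string; challenge: string } {
  const verifier = base64url(randomBytes(32));
  return { verifier, challenge: computeChallenge(verifier) };
}

// Server side of the scheme: on redemption the token endpoint recomputes the
// challenge from the presented verifier and compares it to the one it stored.
function verifierMatches(verifier: string, challenge: string): boolean {
  const a = Buffer.from(computeChallenge(verifier));
  const b = Buffer.from(challenge);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Step 1: URL the browser is sent to. The challenge travels here; the verifier
// stays with the client. state ties the callback to this session.
function buildAuthorizeUrl(cfg: B2CPublicClientConfig, challenge: string, state: string): string {
  const url = new URL(cfg.authUrl);
  url.search = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: 'code',
    response_mode: 'query',
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    state,
    code_challenge: challenge,
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Step 2: form body POSTed to cfg.accessTokenUrl. The proof of possession is
// code_verifier; adding client_secret here is what triggers AADB2C90084.
function buildTokenBody(cfg: B2CPublicClientConfig, code: string, verifier: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: cfg.clientId,
    scope: cfg.scope,
    code,
    redirect_uri: cfg.redirectUri,
    code_verifier: verifier,
  });
}

// Constructed placeholder configuration for the example.
const exampleConfig: B2CPublicClientConfig = {
  authUrl: 'https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin/oauth2/v2.0/authorize',
  accessTokenUrl: 'https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin/oauth2/v2.0/token',
  clientId: '00000000-0000-0000-0000-000000000000',
  redirectUri: 'http://localhost:5678/callback',
  scope: 'openid offline_access',
};

// One pass through the exchange; the redirect is simulated with a constructed code.
function pkceExchange(cfg: B2CPublicClientConfig) {
  const { verifier, challenge } = generatePkcePair();
  const state = base64url(randomBytes(16));
  const authorizeUrl = buildAuthorizeUrl(cfg, challenge, state);
  const code = 'constructed-authorization-code'; // would arrive on the redirect in reality
  const tokenBody = buildTokenBody(cfg, code, verifier);
  return { verifier, challenge, state, authorizeUrl, tokenBody };
}
```

Keep the verifier in memory only for the lifetime of one authorization attempt, and check `state` on the callback before redeeming the code; with those two in place the client has nothing secret to store, which is the point of using PKCE instead of a client_secret.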
