Custom node PKCE connection issue

Describe the issue/error/question

Hello,

I am building a custom node (programatic style) and trying to create the connection for my application which requires OAuth2.0 & OpenID connect authentication flow (PKCE).

How can I build this in n8n? Is PKCE supported in n8n’s OAuth2 Credentials? If not, can I hardcode the nonce, code_challenge, code_verifier somehow to get the connection working?

Here is an example for the 1st request, the Authorization Request:

The Access Token Request:

image

For now, it just gives me this error:

503 Insufficient parameters for OAuth2 callback. Received following query parameters: {“error”:“invalid_request”,“error_description”:“Request schema validation failed”,“state”:“eyJ0b2tlbiI6InBEa0tLQWRpLTNxWC13UlpfWTJWbThGdnZBVmNnZFBvQzExRSIsImNpZCI6IjE4In0=”}

Or this one:

503 Insufficient parameters for OAuth2 callback. Received following query parameters: {“error”:“invalid_request”,“error_description”:“Transform algorithm not supported”,“state”:“eyJ0b2tlbiI6InlhdFlmUzhhLVZLWVBCLW5NUm1Xams1OHNCaDFvTzlfakxkdyIsImNpZCI6IjE2In0=”}

Thank you and wish you a Happy New Year!

Hi @alexnemes, have a happy new year as well :tada:

I believe there currently is no PKCE support built into n8n, but work is currently underway: Anybody able to implement Twitter's Oauth2 w/ PKCE integration? - #3 by RicardoE105

As for possible workarounds for your custom node, perhaps @marcus can help with this?

Hi @alexnemes,
have a happy new year :tada:

As @MutedJam mentioned n8n is currently not supporting PKCE but we are working on it and will hopefully release PKCE support soon, since other internal node development efforts are also waiting for it.

Sadly I am no specialist in terms of PKCE so I am not sure if a possible workaround exists that you could achieve inside your custom node development. Looking at @RicardoE105 previous work it looks like server callback customizations are necessary to make PKCE work.

1 Like

@marcus @MutedJam thank you for your help, let’s wait until PKCE support is released then.

Hi @marcus, @MutedJam,

Sadly I am blocked with my project due to the PKCE support issue.

Is there a way I can provide my own implementation in the credentials.ts file? What if I don’t want to use the library and implement the request flow myself, is that possible? Can I make http calls in that credentials file and pull them with this.getCredentials() later on?

Thank you!

Hi @alexnemes,
you can make http requests inside the credentials files using the authenticate method.

The authenticate function will be executed each time your descriptive node makes an api request. You have access to the credentials and you can manipulate the requestOptions, i. e. setting headers or query parameters. Since personio seems to require requesting an access token before each api request, you could also do this inside the authenticate function.

Here are some n8n credential examples using the authenticate function:

That being said I am not sure if this will enable you to workaround PKCE support. We will soon continue our PKCE development but I can’t make any promises since the developer was out of office for a longer period of time.