Embedding n8n in a Portal UI with OAuth

Describe the problem/error/question

We’re working on integrating n8n as an iframe inside a custom portal UI and enabling secure access to downstream APIs. We’re encountering several challenges related to iframe embedding, authentication, and service reliability.

What is the error message (if any)?

  • Iframe & Cookie Restrictions
    • Blocked by CSP (frame-ancestors 'self') and X-Frame-Options.
    • OAuth login flows fail due to cookie policies (SameSite=Lax).
  • Authentication Failures
    • 401: IDX12741: JWT must have three segments → malformed or missing token.
    • 403 Forbidden → token lacks correct audience or scopes.
    • Portal UI shows permission errors, possibly due to RBAC or token claim mismatches.
  • Service Availability
    • Some API endpoints intermittently return 503 Service Unavailable, affecting notifications and dashboard features.

Please share your workflow

(Workflow not applicable for this issue — integration-level problem.)

Share the output returned by the last node

Information on your n8n setup

  • n8n version: v1.109.2
  • Database (default: SQLite): Postgres
  • n8n EXECUTIONS_PROCESS setting (default: own, main): Default
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Self-hosted via docker container
  • Operating system: Linux

Relevant environment variables already set:

N8N_DISABLE_UI_SECURITY=true
N8N_INSECURE_DISABLE_WEBHOOK_IFRAME_SANDBOX=true
N8N_SECURE_COOKIE=true
N8N_SAMESITE_COOKIE=none
N8N_CORS_ENABLED=true


What We Need Help With

Iframe Security & OAuth Flow

  • Best practices for updating CSP and removing X-Frame-Options to allow embedding.
  • Handling cookies with SameSite=None; Secure and future-proofing with Partitioned cookies (CHIPS).

n8n Sandbox Behavior

  • Since n8n v1.103.0 wraps HTML responses in a sandboxed iframe, headers and localStorage aren’t available.
  • Recommended approach for securely passing tokens (e.g., short-lived token injection or server-side proxying).

Token Propagation

  • How to propagate OAuth tokens from the parent portal to n8n securely when iframes and sandboxing are involved.

Has anyone implemented a similar n8n-in-iframe integration with OAuth and strict browser security policies? Any guidance, patterns, or examples would be greatly appreciated!

2 Likes
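
Added example, not part of the original post and not n8n code: a diagnostic that maps the 401 (IDX12741, three segments) and 403 (audience or scopes) errors listed in the post to a concrete cause for a given `Authorization` header. The audience `api://portal-api`, the scope `workflows.read` and the sample tokens are constructed placeholders, and the signature is deliberately not verified here.

```javascript
// Added example. Diagnostic only: the signature is NOT verified here.
const parseSeg = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// expected = { audience, scopes } are hypothetical values for your API.
function triageBearer(authHeader, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer\s+(\S+)$/i.exec(authHeader || '');
  if (!m) return { status: 401, reason: 'missing or non-Bearer Authorization header' };

  // "JWT must have three segments": opaque tokens, "undefined", truncation.
  const parts = m[1].split('.');
  if (parts.length !== 3) {
    return { status: 401, reason: `token has ${parts.length} segment(s), expected 3` };
  }
  let claims;
  try {
    parseSeg(parts[0]);
    claims = parseSeg(parts[1]);
    if (claims === null || typeof claims !== 'object') throw new Error('not an object');
  } catch {
    return { status: 401, reason: 'header or payload is not base64url-encoded JSON' };
  }
  if (typeof claims.exp === 'number' && claims.exp <= nowSec) {
    return { status: 401, reason: 'token expired' };
  }
  // aud may be a string or an array (RFC 7519).
  const aud = [].concat(claims.aud ?? []);
  if (!aud.includes(expected.audience)) {
    return { status: 403, reason: `aud ${JSON.stringify(aud)} lacks ${expected.audience}` };
  }
  // Scopes: space-delimited "scope" or "scp" (string or array, issuer-dependent).
  const raw = claims.scp ?? claims.scope ?? '';
  const granted = new Set(Array.isArray(raw) ? raw : String(raw).split(/\s+/).filter(Boolean));
  const missing = expected.scopes.filter((s) => !granted.has(s));
  if (missing.length) return { status: 403, reason: `missing scope(s): ${missing.join(', ')}` };
  return { status: 200, reason: 'segments, exp, aud and scopes OK (signature unchecked)' };
}

// Constructed sample input: unsigned placeholder tokens, not real credentials.
const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleToken = (claims) => `Bearer ${seg({ alg: 'RS256', typ: 'JWT' })}.${seg(claims)}.c2ln`;
const EXPECTED = { audience: 'api://portal-api', scopes: ['workflows.read'] };

console.log(triageBearer('Bearer undefined', EXPECTED));
console.log(triageBearer(sampleToken({ aud: 'api://n8n', scp: 'workflows.read' }), EXPECTED));
console.log(triageBearer(sampleToken({ aud: 'api://portal-api', scp: 'workflows.read' }), EXPECTED));
```

Run it against the header value captured at the API boundary rather than the one the portal believes it sent, since a token lost while crossing the iframe boundary shows up as the one-segment case.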