Self hosted n8n on Docker with nginx reverse proxy. Domain app.coronaautomation.com with HTTPS. Google OAuth never opens Google account selection — just shows authorization error immediately. Client ID, Secret, and redirect URI all correct in Google Cloud Console. N8N_EDITOR_BASE_URL and WEBHOOK_URL set. What am I missing
@Charles_Hill no account selection usually means google already remembered ur prior consent and is auto-returning the same account, OR nginx is dropping query params before they reach n8n. fast test: append ?prompt=select_account to the authorize URL, that forces the picker.
if u get an immediate auth error instead of just silent skip, nginx is the likely culprit. common breaks:
- X-Forwarded-Proto: https header missing → n8n thinks its serving http → callback URL n8n builds doesnt match what u registered in Google Console
- proxy_pass with trailing slash → mangles the path on callback
- N8N_EDITOR_BASE_URL needs the full https URL not just the host
minimum nginx block for n8n OAuth:
location / {
proxy_pass http://localhost:5678;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
whats the exact error message u see when google bounces back?
The most likely reason you’re seeing an immediate error is that your Google project is still in “Testing” mode. By default, Google blocks anyone from logging into a new app unless their email address is specifically whitelisted. To fix this, you need to go into your Google Cloud Console and manually add your own email address to the “Test Users” list on the OAuth consent screen.
Another common issue is a “miscommunication” between your Nginx proxy and n8n. Even though you are using HTTPS, n8n might not realize it because Nginx isn’t telling it. You need to ensure Nginx is sending a specific “header” (called X-Forwarded-Proto) that explicitly tells n8n the connection is secure. Without this, n8n might try to tell Google to send you back via an insecure link, which Google will reject instantly.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Crucial: Forces n8n to see HTTPS
proxy_set_header X-Forwarded-Host $host;
You should also double-check how you wrote your address settings in your configuration file. n8n is very picky about this; you must include the https:// part at the beginning of your WEBHOOK_URL and N8N_EDITOR_BASE_URL. If you just wrote the domain name without the protocol, or if you added extra folders like /webhook/ at the end, the “return address” sent to Google won’t match the one you saved in the console.
There is also a chance that the request is simply too “heavy” for your server to handle. When you click the login button, n8n sends a very long string of text to Google to explain what permissions it needs. Sometimes, Nginx sees this massive request and blocks it because it exceeds the default size limit. Adding a simple “buffer” setting to your Nginx config allows it to handle these larger login requests without crashing.
large_client_header_buffers 4 32k;
To figure out which one of these is the culprit, the best trick is to open your browser’s “Developer Tools” and watch the Network tab while you click the login button. Look for the request sent to Google and check the “redirect_uri” part of the link. If that link looks wrong (like it says http instead of https), you know the problem is with your Nginx headers or your environment variables.
Two likely causes, and they have different fixes.
If you get an immediate authorization error (not just a skipped picker), it is almost certainly nginx. The usual culprit is the X-Forwarded-Proto: https header not reaching n8n, so n8n thinks it is on http and builds a callback URL that does not match what you registered in Google Console. Make sure your nginx block passes proxy_set_header X-Forwarded-Proto $scheme, and that N8N_EDITOR_BASE_URL is the full https URL, not just the host. Watch trailing slashes on proxy_pass too, they mangle the callback path.
If the page just auto-returns an account without showing the picker, Google is remembering prior consent. Append prompt=select_account to force the chooser. That one is cosmetic, the nginx header is the real fix if you are seeing an error.