JWT authentication configuration challenge

I have the n8n UI working fine with no authentication. Now I’ve set it up so that I’m using oauth proxy to my OIDC provider with n8n using JWT. Everything works up to the point where n8n tries to look at the JWT header. Then I get the error: {"code":403,"message":"Invalid token"}

I don’t see any error in n8n logs themselves. On that note, I didn’t see anything in docs to have more debug info, so I’ll take guidance on that too.

Update: I changed the cookie domain definition in oauth proxy and now I am in an infinite loop going back to get authenticated again.

What should jwt header be set to?

Thanks in advance!

Eric

This sounds like a JWT question that would then guide your configuration and setup of n8n. I don’t know JWT well (read “at all”) but I’ll take a crack at it based off what is on the JWT website.

Looking at the examples provided by JWT, the only two times you need to pass information to the header are:

  1. Returning a user profile based on the Auth0 access token (Authorization: Bearer YOUR_TOKEN_HERE)
  2. Refreshing token (Content-Type: application/x-www-form-urlencoded)

This tells me that you may not be getting and/or storing the token information correctly.

You may also want to take a look at writing a custom node to handle this. There are NodeJS packages that support JWT which would allow you to more easily interact with it. You could install the package, create your custom node and away you go!

Thanks for that input, but the docs aren’t really clear on what is needed for the JWT header. Is it ‘Authorization’ or ‘Authorization: Bearer’ or some other value assuming ‘default’ JWT headers?

Thanks a lot @Tephlon for taking a crack at it!

Welcome to the community @eballou, and sorry that I also do not have an answer for that. This feature is currently not officially supported; for that reason there is also no documentation about it.
I also have no experience at all with JWT, so I sadly cannot be a big help here myself.
The feature was written by a community member a while ago. I just wrote him an email asking if he could maybe have a look at this topic and help you out.

:wave:
The code is expecting the token to be presented on its own in a header, like this:

# Like this
X-MyApp-Token: eyJhbGciOiJSUzI1Ni...

# Not this
Authorization: Bearer eyJhbGciOiJSUzI1Ni...

If you’re able to have your OIDC provider put the id_token in a custom header, then provide that to n8n in the N8N_JWT_AUTH_HEADER environment variable, it should work.

Are you able to try that?

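An added example, not part of the thread and not n8n's code: a small Node.js check for whether the header a proxy forwards carries a bare token, as the reply above describes, or a `Bearer`-prefixed one. It goes slightly beyond the post by also checking the three-segment shape and `exp`; it does not verify the signature. The reason strings are hypothetical labels, the header name `X-MyApp-Token` is the one from the post, and the token is constructed.

```javascript
// Added diagnostic sketch, not n8n's code. It inspects the header value only
// and does NOT verify the token signature.

// Decode one base64url JWT segment into an object, or null if it is not JSON.
function decodeSegment(seg) {
  try {
    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return obj && typeof obj === 'object' ? obj : null;
  } catch (e) {
    return null;
  }
}

// headers: request headers as forwarded by the proxy (constructed below).
// headerName: the value you would put in N8N_JWT_AUTH_HEADER.
function diagnoseJwtHeader(headers, headerName, nowSec = Math.floor(Date.now() / 1000)) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const raw = lower[String(headerName).toLowerCase()];
  if (typeof raw !== 'string' || raw.trim() === '') return { ok: false, reason: 'header-missing' };
  const value = raw.trim();
  if (/^bearer\s+/i.test(value)) return { ok: false, reason: 'bearer-prefix' };
  const parts = value.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not-three-segments' };
  const head = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  if (!head || !claims) return { ok: false, reason: 'undecodable-segment' };
  if (typeof claims.exp === 'number' && claims.exp <= nowSec) {
    return { ok: false, reason: 'expired', claims };
  }
  return { ok: true, reason: 'well-formed', alg: head.alg, claims };
}

// Constructed sample token with a placeholder signature, for illustration only.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ sub: 'user@example.com', iss: 'https://idp.example', exp: 2000000000 }),
  'c2lnbmF0dXJl',
].join('.');

console.log(diagnoseJwtHeader({ 'X-MyApp-Token': sampleToken }, 'X-MyApp-Token').reason);
console.log(diagnoseJwtHeader({ Authorization: `Bearer ${sampleToken}` }, 'Authorization').reason);
console.log(diagnoseJwtHeader({ Authorization: `Bearer ${sampleToken}` }, 'X-MyApp-Token').reason);
```

A `well-formed` result only means the header has the shape described in the post; the signature, issuer and audience still have to pass the verifier's own checks.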

That was the road I was going down. I just needed to figure out how to change that which is beyond the scope of just n8n.