Jwt authentication configuration challenge

eballou · May 14, 2020, 8:07pm

I have n8n ui working fine with no authentication. Now I’ve setup so that I’m using oauth proxy to my oidc provider with n8n using jwt. Everything works up to the point where n8n tries to look at the jwt header. Then I get error: {“code”:403,“message”:“Invalid token”}

I don’t see any error in n8n logs themselves. On that note, I didn’t see anything in docs to have more debug info, so I’ll take guidance on that too.

Update: I changed the cookie domain definition in oauth proxy and now I am in an infinite loop going back to get authenticated again.

What should jwt header be set to?

Thanks in advance!

Eric

Tephlon · May 14, 2020, 9:59pm

This sounds like a JWT question that would then guide your configuration and setup of n8n. I don’t know JWT well (read “at all”) but I’ll take a crack at it based off what is on the JWT website.

Looking at the examples provided by JWT, the only two times you need to pass information to the header is:

Returning a user profile based on the Auth0 access token (Authorization: Bearer YOUR_TOKEN_HERE)
Refreshing token (Content-Type: application/x-www-form-urlencoded)

This tells me that you may not be getting and/or storing the token information correctly.

You may also want to take a look at writing a custom node to handle this. There are NodeJS packages that support JWT which would allow you to more easily interact with it. You could install the package, create your custom node and away you go!

eballou · May 14, 2020, 10:16pm

Thanks for that input, but the docs aren’t really clear what is needed for jwt header. Is it ‘Authorization’ or ‘Authorization: Bearer’ or some other value assuming ‘default’ jwt headers.

jan · May 15, 2020, 5:38am

Thanks a lot @Tephlon for taking a crack at it!

Welcome to the community @eballou and sorry that also I not have an answer for that. This feature is currently not officially supported, for that reason is there also no documentation about it.
Also do I also have no experience at all with JWT. So can sadly also not be a big help here myself.
The feature got written by a community member a while ago. I just wrote him an email asking if he could maybe have a look at this topic and help you out.

ccakes · May 15, 2020, 6:10am

The code is expecting the token to be presented on it’s own in a header, like this:

# Like this
X-MyApp-Token: eyJhbGciOiJSUzI1Ni...

# Not this
Authorization: Bearer eyJhbGciOiJSUzI1Ni...

If you’re able to have your OIDC provider put the id_token is a custom header, then provide that to n8n in the N8N_JWT_AUTH_HEADER environment variable it should work.

Are you able to try that?

eballou · May 15, 2020, 2:46pm

That was the road I was going down. I just needed to figure out how to change that which is beyond the scope of just n8n.

tovbinm · August 5, 2020, 8:09pm

I added some more extra configuration variables you can pass - JWT extras by tovbinm · Pull Request #817 · n8n-io/n8n · GitHub

Hopefully this would get merged.

stwo · April 6, 2021, 6:35am

Hi

How do you put the id_token from the callback’s query param into the header?

I’m trying to integrate with Auth0. But I’m stuck here.