OAuth custom redirect URL

The idea is:

Let users set a custom redirect URL in OAuth 2 credentials.

My use case:

N8N is located in the internal network and is unavailable from the outside.
I use an Nginx public gateway and map private N8N webhooks to custom public URLs.
For example, I want to map private http://localhost:5678/rest/oauth2-credential/callback to public https://mydomain.com/oauth2-callback

I think it would be beneficial to add this because:

  1. Improve the security of N8N instances: the ability to hide the whole N8N and show publicly only specific endpoints.
  2. Use a single private N8N instance with multiple public subdomains.
  3. Create beautiful structured APIs.
  4. Use N8N behind an API Gateway.

Any resources to support this?

Are you willing to work on this?

I’ve already implemented this in my custom N8N build and am ready to send a PR if you don’t mind.

packages/nodes-base/credentials/OAuth2Api.credentials.ts

{
	displayName: 'Custom redirect URL',
	name: 'customRedirectUrl',
	type: 'string',
	default: '',
},

packages/cli/src/credentials/oauth2Credential.api.ts

const oAuthOptions: ClientOAuth2.Options = {
	clientId: get(oauthCredentials, 'clientId') as string,
	clientSecret: get(oauthCredentials, 'clientSecret', '') as string,
	accessTokenUri: get(oauthCredentials, 'accessTokenUrl', '') as string,
	authorizationUri: get(oauthCredentials, 'authUrl', '') as string,
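	// lodash get() only falls back when the value is undefined, and the
	// credential field defaults to '', so treat an empty value as "not set".
	redirectUri:
		(get(oauthCredentials, 'customRedirectUrl', '') as string) ||
		`${getInstanceBaseUrl()}/${restEndpoint}/oauth2-credential/callback`,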
	scopes: split(get(oauthCredentials, 'scope', 'openid,') as string, ','),
	state: stateEncodedStr,
};
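
Added example, not part of the original post or of n8n's code: one way to resolve the customRedirectUrl field proposed above before it is used as redirectUri, falling back to the instance callback when the field is empty and rejecting values that are not HTTPS or not on an allowlist of public gateway hosts. The function name, the allowlist and its contents are assumptions made for illustration.

```typescript
// Hypothetical helper (not n8n code). The allowlist is a constructed sample:
// the public gateway hosts that are routed to the internal callback handler.
const ALLOWED_CALLBACK_HOSTS = new Set<string>(['mydomain.com']);

function resolveRedirectUri(
	customRedirectUrl: string | undefined,
	defaultCallbackUrl: string,
	allowedHosts: Set<string> = ALLOWED_CALLBACK_HOSTS,
): string {
	const candidate = (customRedirectUrl ?? '').trim();
	// The credential field defaults to '', which means "use the instance callback".
	if (candidate === '') return defaultCallbackUrl;

	let url: URL;
	try {
		url = new URL(candidate);
	} catch {
		throw new Error('customRedirectUrl must be an absolute URL');
	}
	// The authorization code arrives in the query string of this URL,
	// so the public leg to the gateway has to be TLS-protected.
	if (url.protocol !== 'https:') {
		throw new Error('customRedirectUrl must use https');
	}
	// RFC 6749, section 3.1.2: the redirection endpoint must not carry a fragment.
	if (candidate.includes('#')) {
		throw new Error('customRedirectUrl must not contain a fragment');
	}
	// Embedded credentials make the effective host easy to misread.
	if (url.username !== '' || url.password !== '') {
		throw new Error('customRedirectUrl must not contain userinfo');
	}
	// Only hosts the gateway actually maps to the callback handler are accepted;
	// URL lower-cases the hostname, so the comparison is case-insensitive.
	if (!allowedHosts.has(url.hostname)) {
		throw new Error(`customRedirectUrl host ${url.hostname} is not allowed`);
	}
	// Return the value unchanged: OAuth servers compare redirect_uri with the
	// registered value as an exact string.
	return candidate;
}
```

The same value has to be registered with the OAuth provider and mapped on the gateway to the internal /rest/oauth2-credential/callback path.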

Hey @dobromyslov,

I like the idea, but when it comes to OAuth, how would your users start the OAuth process? I noticed your screenshot is showing localhost, which I assume is intentional, but what a lot of users will do is set webhook_url so that we use their domain URL; then in your reverse proxy or WAF you can restrict access based on the URI, which is how we do things when scaling n8n in queue mode.

What this won’t do, though, is allow you to have multiple domains for the same instance, but depending on how your users are triggering the sign-in process it might not be that much of an issue anyway. You may also need an embed license depending on what you are doing, which opens some other potential options.

Okay, I’ll be more specific and show you the case where I use one n8n for several subdomains. And the OAuth process looks like this:

  1. User is redirected to the OAuth Authorization URL.
  2. Authorization URL contains a parameter with a custom callback URL.
  3. OAuth server does its job and redirects the user with auth code back to n8n using the custom callback URL.
  4. Public gateway routes custom callback URL to the internal n8n’s oauth callback handler.

One n8n instance behind the curtains implements only some API parts of the A, B, and C services, with different subdomains.
And the URLs binding table is as follows:

Also, I tried to add an optional fields block with type: 'collection' to the Credentials and noticed that Credentials do not render this field type in the editor.

It would be handy to have an optional fields block with a custom callback redirect URL in OAuth credentials. But it seems this requires implementing support for type: 'collection' in the Credentials UI.

Hey @dobromyslov,

Perfect, thanks. I guess now it will just be a case of seeing if the community wants this as a feature or not.

I would also suggest possibly getting in touch with our license team to find out if you need an embed license or similar for what you are working on.

Excellent, thank you, @Jon. I’ve implemented this feature and built my own n8n-custom Docker image. Also, thanks for the suggestion regarding the license. I found all the necessary info in the license and in the permitted usage description.
