OAuth custom redirect URL

The idea is:

Let users set a custom redirect URL in OAuth 2 credentials.

My use case:

N8N is located in the internal network and unavailable from the outside.
I use an Nginx public gateway and map private N8N webhooks to custom public URLs.
For example, I want to map private http://localhost:5678/rest/oauth2-credential/callback to public https://mydomain.com/oauth2-callback

I think it would be beneficial to add this because:

  1. Improve the security of N8N instances: the ability to hide the whole of N8N and expose publicly only specific endpoints.
  2. Use a single private N8N instance with multiple public subdomains.
  3. Create beautiful structured APIs.
  4. Use N8N behind an API Gateway.

Any resources to support this?

Are you willing to work on this?

I’ve already implemented this in my custom N8N build and am ready to send a PR if you don’t mind.

packages/nodes-base/credentials/OAuth2Api.credentials.ts

// Extra property on the generic OAuth2 credential: an optional public callback URL.
// When left empty, the instance's default /rest/oauth2-credential/callback is used.
{
	displayName: 'Custom redirect URL',
	name: 'customRedirectUrl',
	type: 'string',
	default: '',
},

packages/cli/src/credentials/oauth2Credential.api.ts

// Options for the ClientOAuth2 authorization request; get()/split() are lodash-style helpers.
const oAuthOptions: ClientOAuth2.Options = {
	clientId: get(oauthCredentials, 'clientId') as string,
	clientSecret: get(oauthCredentials, 'clientSecret', '') as string,
	accessTokenUri: get(oauthCredentials, 'accessTokenUrl', '') as string,
	authorizationUri: get(oauthCredentials, 'authUrl', '') as string,
	// Prefer the credential's custom redirect URL and fall back to the instance default.
	// The fallback is applied with || rather than get()'s third argument because get()
	// only substitutes its default for undefined, and the credential's default value is ''.
	redirectUri:
		(get(oauthCredentials, 'customRedirectUrl') as string) ||
		`${getInstanceBaseUrl()}/${restEndpoint}/oauth2-credential/callback`,
	scopes: split(get(oauthCredentials, 'scope', 'openid,') as string, ','),
	state: stateEncodedStr, // opaque state value generated earlier in this handler
};

Hey @dobromyslov,

I like the idea, but when it comes to OAuth, how would your users start the OAuth process? I noticed your screenshot is showing localhost, which I assume is intentional, but what a lot of users will do is set webhook_url so that we use their domain URL; then in your reverse proxy or WAF you can restrict access based on the URI, which is how we do things when scaling n8n in queue mode.

What this won’t do, though, is allow you to have multiple domains for the same instance, but depending on how your users are triggering the sign-in process it might not be that much of an issue anyway. You may also need an embed license depending on what you are doing, which opens some other potential options.

Okay, I’ll be more specific and show you the case where I use one n8n for several subdomains. The OAuth process looks like this:

  1. User is redirected to the OAuth Authorization URL.
  2. Authorization URL contains a parameter with a custom callback URL.
  3. OAuth server does its job and redirects the user with auth code back to n8n using the custom callback URL.
  4. Public gateway routes custom callback URL to the internal n8n’s oauth callback handler.


One n8n instance behind the curtains implements only some API parts of the A, B, and C services with different subdomains.
The URL binding table is as follows:

Also, I tried to add an optional fields block with type: 'collection' to the Credentials and noticed that Credentials do not render such a field type in the editor.

It would be handy to have an optional fields block with a custom callback redirect URL in OAuth credentials. But it seems support for type: 'collection' needs to be implemented in the Credentials UI first.

Hey @dobromyslov,

Perfect thanks, I guess now it will just be a case of seeing if the community want this as a feature or not.

I would also suggest possibly getting in touch with our license team to find out if you need an embed license or similar for what you are working on.

1 Like

Excellent, thank you, @Jon. I’ve implemented this feature and built my own n8n-custom Docker image. Also, thanks for the suggestion regarding the license. I found all the necessary info in the license and in the permitted usage description.

1 Like

We still don’t have this option?
I have a similar scenario, but I am using Cloudflare Tunneling.
When I try to log in from https://n8n.domain.org it redirects me to https://n8n.domain.org:5678

2 Likes

Yup. There is no such option… But the great news is that I’m going to share the patch on GitHub as soon as I adapt it for the latest version. Thanks to @Turn.One for poking me with a private message regarding this feature.

1 Like

I’ve spent some time thinking about this problem and figured out that it’s actually not a problem, because the OAuth2 credential is created by a person who can access the n8n UI and /rest/ endpoints. If this person has access to the n8n UI, then the OAuth2 default redirect also works well.

The root cause of the problem was misconfigured infrastructure: DNS, VPN, reverse proxy, and n8n itself.

Let’s see how n8n should be configured to make the default OAuth2 redirect URI work:

  1. You run n8n on the internal machine available over VPN.
  2. n8n UI is available at https://n8n-local.example.com only to the administrator.
  3. Your DNS server resolves:
  4. n8n deployment environment variables and endpoint environment variables should be configured like this:
  5. n8n uses N8N_EDITOR_BASE_URL and N8N_ENDPOINT_REST to generate the default OAuth2 Redirect URI as https://n8n-local.example.com/rest/oauth2-credential/callback
  6. n8n generates production webhook URLs using WEBHOOK_URL and N8N_ENDPOINT_WEBHOOK as https://api.example.com/n8n/getSomething
  7. n8n production webhooks are proxied via reverse proxy and publicly available at https://api.example.com/n8n.
  8. n8n generates test webhook URLs using WEBHOOK_URL and N8N_ENDPOINT_WEBHOOK_TEST as https://api.example.com/webhook-test/getSomething

Here is how I deployed n8n and secured it:

It would be handy if n8n allowed changing the test webhook URLs separately via WEBHOOK_TEST_URL, but it’s not possible. So you have to change api.example.com to n8n-local.example.com in the case above to access the test versions of the webhooks.

1 Like
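The redirect-URI override proposed in the first post and the env-var URL derivation described in the last post, as one added TypeScript example (not n8n's own code): the default callback and webhook URLs are built from the environment variables named in the thread, and a customRedirectUrl is accepted only if it is an absolute https URL on a registered public gateway host. The UrlEnv interface, joinUrl() and allowedPublicHosts are assumptions; the fallback endpoint names 'rest', 'webhook' and 'webhook-test' are n8n's defaults.

```typescript
// Added example (not n8n's code): derive n8n's default OAuth2 redirect URI and
// webhook URLs from the environment variables named in the thread, then apply
// the first post's customRedirectUrl override behind a host allowlist.

// Hypothetical shape of the relevant variables; the fallbacks are n8n's defaults.
interface UrlEnv {
  N8N_EDITOR_BASE_URL: string;
  N8N_ENDPOINT_REST?: string;
  WEBHOOK_URL: string;
  N8N_ENDPOINT_WEBHOOK?: string;
  N8N_ENDPOINT_WEBHOOK_TEST?: string;
}

// Join a base URL and path segments without doubling or dropping slashes.
function joinUrl(base: string, ...parts: string[]): string {
  const trimmed = parts.map((p) => p.replace(/^\/+|\/+$/g, '')).filter((p) => p !== '');
  return [base.replace(/\/+$/, '')].concat(trimmed).join('/');
}

// Default callback: N8N_EDITOR_BASE_URL/<rest endpoint>/oauth2-credential/callback
function defaultRedirectUri(env: UrlEnv): string {
  return joinUrl(env.N8N_EDITOR_BASE_URL, env.N8N_ENDPOINT_REST || 'rest', 'oauth2-credential/callback');
}

// Production and test webhook URLs: WEBHOOK_URL/<webhook endpoint>/<path>
function webhookUrl(env: UrlEnv, path: string, test = false): string {
  const endpoint = test ? env.N8N_ENDPOINT_WEBHOOK_TEST || 'webhook-test' : env.N8N_ENDPOINT_WEBHOOK || 'webhook';
  return joinUrl(env.WEBHOOK_URL, endpoint, path);
}

// The custom value replaces the default only if it is an absolute https URL whose
// host is a public gateway the operator registered (allowedPublicHosts is assumed).
function resolveRedirectUri(env: UrlEnv, customRedirectUrl: string | undefined, allowedPublicHosts: string[]): string {
  if (!customRedirectUrl) return defaultRedirectUri(env);
  let parsed: URL | null = null;
  try {
    parsed = new URL(customRedirectUrl);
  } catch {
    parsed = null; // relative or malformed input is rejected below
  }
  if (parsed === null) throw new Error('customRedirectUrl must be an absolute URL');
  if (parsed.protocol !== 'https:') throw new Error('customRedirectUrl must use https');
  if (allowedPublicHosts.indexOf(parsed.host) === -1) throw new Error(`host ${parsed.host} is not an allowed public gateway`);
  if (parsed.search || parsed.hash) throw new Error('customRedirectUrl must not carry a query string or fragment');
  return parsed.toString();
}

// Constructed sample matching the values in the last post plus the first post's public callback.
const sampleEnv: UrlEnv = { N8N_EDITOR_BASE_URL: 'https://n8n-local.example.com', WEBHOOK_URL: 'https://api.example.com', N8N_ENDPOINT_WEBHOOK: 'n8n' };
const sampleRedirect = resolveRedirectUri(sampleEnv, 'https://mydomain.com/oauth2-callback', ['mydomain.com']);
```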