Reading Data from a JWT from Credentials

Hi there,

Many (all?) OAuth2-Credentials provide a JWT that includes additional info. For example, the Microsoft Forms API requires the user in the path. The userID is part of the JWT.

Question: How can I get the JWT or the decoded JSON?

n8n Version: 1.20
Running n8n via Docker

It looks like your topic is missing some important information. Could you provide the following if applicable.

  • n8n version:
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app):
  • Operating system:

Hey @Human371BetaRelease,

We don’t have an option in n8n for that but if. you were making a custom node you could possibly extract that data from the credential. I can’t even think of a way to do it from inside n8n with the nodes we have other than maybe using the execute command node to extract the decrypted credential using the cli then parsing the output to get the jwt if it is stored.

Hey Jon, a custom node might be a solution.
My idea would be a n8n node that can be used to request the JSON from the JWT. I could also add it to my advancedFlows if it doesn’t fit the normal n8n purpose. If you don’t extract the Signature, the export of the JSON is not critical. And without the Certificate you don’t have a JWT for missuse.

As I’ve already done some custom nodes, I’m quite positive I can do it. But I looked a bit through the HTTPS Node and it looks like the functions to read the Credentials are quite hidden.

Do we even have a chance to access these data or is it all encapsulated in n8n without a chance to read?

Hey @Human371BetaRelease,

You can read the credentials by getting the credential value with something like const credentials = await this.getCredentials('credentialName'); you can then reference the credential options using credentials.x if you look at some of the other nodes you can see this in the GenericFunctions.ts file

Hi Jon,

I’ve tried this yesterday and maybe I just misunderstand it, but I don’t get any credentials.

Here’s my Code:

	async execute(this: IExecuteFunctions): Promise<INodeExecutionData[][]> {
		let result: INodeExecutionData[] = [];
		let credentials :LooseObject = {};
		try {
			credentials.httpBasicAuth = await this.getCredentials('httpBasicAuth');
		} catch {}
		//... : All the other Auth-Methods
		try {
			credentials.httpCustomAuth = await this.getCredentials('httpCustomAuth');
		} catch {}
		try {
			credentials.oAuth1Api = await this.getCredentials('oAuth1Api');
		} catch {}
		try {
			credentials.	oAuth2Api = await this.getCredentials('oAuth2Api');
		} catch {}
		try {
			credentials.nodeCredentialType = this.getNodeParameter('nodeCredentialType', 0) as string;
		} catch {}


		result.push({json:credentials});
		return [result];
	}

My Result was just the name of the Credentials.

[
  {
    "nodeCredentialType": "microsoftOutlookOAuth2Api"
  }
]

I went into the other nodes code; for example the HTTPRequest-Node or the Microsoft Outlook node. In that node, we have

return await this.helpers.requestWithAuthentication.call(
			this,
			'microsoftOutlookOAuth2Api',
			options,
		);

So, to me that looks like the credentials are provided as a string and n8n reads them from the database (or its own memory). From what I was able to find, the helpers and requestWithAuthentication are part of n8n-core, which I should maybe better not touch :see_no_evil: .

Am I missing something here

I found a possible but ugly way?

I created a little Typescript-server that just echoes a call as JSON (Honestly: ChatGPT did; 1 question delivered the whole application :joy: ) and this provides me the Headers back.
So, for my custom node that might be a solution. However, I think it’s unnecessary a bit critical as it requires an additional server which can cause additional vulnerabilities.

Hey @Human371BetaRelease,

So the requestWithAuthentication is passed the credential type which will contain the credential selected in the node as the credential file has the authentication options defined in it. What we did before this and what we do some of the older nodes is handle the authentication in the node itself in the GenericFunctions.

In your example does your node have those credential types as options that can be selected from? You can check out the Active Campaign node to see how we fetch data from the credentials in that case it is the URL to connect to.