Secure Webhooks with OAuth2

It would help if there was a node for:

My use case:

I’d like to build an API server application with N8N and secure the endpoints with OAuth2/OpenID Connect.

Any resources to support this?

Here’s documentation on how to implement this in basic Node.js with Keycloak: Securing Applications and Services Guide
Another thing is that N8N is missing the allow-headers header in CORS requests, so it isn’t possible to call a webhook with an Authorization: Bearer XXXX header, which is the standard for OAuth. Since this is a preflight CORS request and the Webhook node does not support OPTIONS requests, it is not simply possible to set that header in the preflight request answer.

Are you willing to work on this?

I need that, so after a brief introduction, why not.

Note

I’m not sure if implementing this into the Webhook node is the best idea. If you’d use the Keycloak adapter, then specific Keycloak nodes would maybe be better.

Hi @ericfischereu,

I started looking into n8n recently and kind of came to the idea that it would be interesting to have some sort of API Management for n8n webhooks (including OAuth as one of the authN/authZ methods). Probably as a built-in function (but this can also be built externally).
For your request - in case of a plain OAuth/OIDC requirement, I’m wondering whether it would not be easier to put something like Caddy/Traefik (with auth enabled) between the webhook caller and the n8n node that is hosting webhooks? Would that be ok for your use case? What do you think?

Cheers.

Hey @serg,

thanks for your reply. Well, generally this would be possible, but then you’re not able to properly use the scopes, are you?


Hi, it would be great to have the logic implemented in a separate node or in the webhook node maybe.

Today we are implementing the authentication/authorization process (against Keycloak OIDC) with a separate workflow in n8n that handles all the redirects, etc., using webhook, respond to webhook, and code nodes with handling of JWT using Node.js, based on cookies, but it is something that maybe could be implemented in just one node and it could be great as it also supports role checking like for authorization process to some role-based access (RBAC) to API/Web services built with n8n.

Greetings
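
The JWT handling with scope and role checks discussed in this thread, as an added example in plain Node.js (it is not code from any poster or from n8n). The names `authorize` and `signToken`, the issuer URL, the audience, and the scope and role values are hypothetical, and the key pair is generated locally where a real setup would use the identity provider's published signing key.

```javascript
// Added example: verify an RS256 bearer token, then enforce scope and role.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed helper: signs a token the way an identity provider would (demo only).
function signToken(claims, privateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Returns the claims if the token is valid and authorized, otherwise throws.
function authorize(authHeader, publicKey, { issuer, audience, scope, role }) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '');
  if (!m) throw new Error('missing or malformed bearer token');
  const [, head, body, sig] = m;
  const header = JSON.parse(Buffer.from(head, 'base64url'));
  // Pin the algorithm; never let the token's own header pick the verifier.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${head}.${body}`),
    publicKey, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const c = JSON.parse(Buffer.from(body, 'base64url'));
  if (c.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(c.aud || []).includes(audience)) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || c.exp <= Date.now() / 1000) throw new Error('expired');
  // OAuth2 scope is a space-delimited string; Keycloak lists realm roles
  // under realm_access.roles in its access tokens.
  if (scope && !String(c.scope || '').split(' ').includes(scope)) throw new Error('missing scope');
  if (role && !(c.realm_access?.roles || []).includes(role)) throw new Error('missing role');
  return c;
}

// Constructed sample data: throwaway key pair and claims, not from a real realm.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const policy = { issuer: 'https://idp.example/realms/demo', audience: 'n8n-api',
  scope: 'orders:read', role: 'api-user' };
const sample = { iss: policy.issuer, aud: 'n8n-api', exp: Math.floor(Date.now() / 1000) + 300,
  scope: 'openid orders:read', realm_access: { roles: ['api-user'] } };
const goodHeader = `Bearer ${signToken(sample, privateKey)}`;
```

A reverse proxy that only checks that a token is valid stops before the last two checks; per-endpoint scope and role decisions need the claims to reach the code that knows which endpoint is being called.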