Secure Webhooks with OAuth2

ericfischereu · March 31, 2023, 4:50am

It would help if there was a node for:

My use case:

I’d like to build an API server application with N8N and secure the endpoints with OAuth2/OpenID Connect.

Any resources to support this?

Here’s a documentation for basic Node.js how to implement this with Keycloak: Securing Applications and Services Guide
Another thing is, that N8N is missing the allow-headers header in CORS requests, so it isn’t possible to call a webhook with an Authorization: Bearer XXXX header, which is the standard for OAuth. Since this is an preflight CORS request and the Webhook node does not support OPTIONS requests it is not simply possible to set that header in the preflight request answer.

Are you willing to work on this?

I need that so after a brief introduction why not.

Note

I’m not shure if implementing this into the Webhook node is the best idea. If you’d use the Keycloak adapter, then specific Keycloak nodes would maybe be better.

serg · March 31, 2023, 2:22pm

Hi @ericfischereu,

I started looking into n8n recently and kind of came to idea that it would interesting to have some sort of API Management for n8n webhooks (including OAuth as one of authN/authZ methods). Probably as built-in function (but this can also be built externally).
For your Request - in case of plain oAuth/OIDC requirement Im wondering whether it would not be easier to put something like caddy/traefik (with auth enabled) between webhook caller and n8n node that is hosting webhooks? Would that be ok for your use-case? What do you think?

Cheers.

ericfischereu · March 31, 2023, 2:55pm

Hey @serg,

thanks for your reply. Well, generally this would be possible, but than you’re not able to properly use the scopes, aren’t you?