Verify credentials from auth0 users (JWT) in a webhook

I’ve been digging through the docs and searching for a long time now, and I’m unable to find a guide on validating auth0 credentials from a webhook.

I have a site that allows people to sign in using auth0, and now I want to call an n8n webhook.

You would initially think the easiest way is to send the webhook request using the JWT token from the logged-in users…

Well, I couldn’t find a way to verify this JWT token. The JWT node can only verify if you have a private key, and in this case, you don’t.

Is it possible to verify auth0 JWT tokens in n8n? The Code node lacks the necessary crypto libraries, I think.

Thanks!

Hi @nukeador

This is covered nicely by @Jim_Le here:

Yes thanks, I saw that, but unfortunately the JWT credentials do not support only adding your public key, which is how auth0 works.

When you set up a JWT credential you can only pick between a passphrase or a public and private key.

I was also expecting another option to provide the JWKS URI where auth0 exposes the public keys.

Hey @nukeador

So I’ve found a way to validate Auth0 tokens using JWKS URI but this solution only works on self-hosted n8n. This is because you need access to jsonwebtoken and jwks-rsa libraries.

  • jsonwebtoken is already installed in n8n, so you just need to make sure your env vars allow it to be used in workflows
  • jwks-rsa needs to be manually installed. The recommendation would be to build a custom Docker image, but you could ssh into the container as root and npm i -g jwks-rsa for instant satisfaction!

I also came across an alternative solution using the signing certificate. This solution doesn’t require installing additional dependencies.

How it works

  • Use JWT libraries to validate the token
  • Invalid tokens cause the libraries to throw errors
  • The code node settings are configured so that errors don’t stop the workflow but are instead redirected to the error branch
  • This means we can redirect invalid requests to the respond to webhook node
  • Valid requests will forward the webhook json with additional jwtPayload property which includes the decoded token value.

Let me know if this works for you!

2 Likes

Thanks!

I first tried the certificate one, but I’m always getting Invalid token.

Then I tried and installed jwks-rsa, added the ENV and restarted the n8n docker.

For some reason I still can’t use it:

"Cannot find module 'jwks-rsa' [line 2, for item 0]"

So I’m not sure if I installed it wrong (I just logged in as root inside and ran npm i -g).

PS: On your node code I had to change Authorization to authorization (lowercase) since that’s how it’s usually received by webhooks.

“Cannot find module ‘jwks-rsa’ [line 2, for item 0]”

You may need to restart the container after the install.

re: always getting invalid token, this is a bit tricky to debug but just so you know, I used the “Application > APIs > Auth0 Management API > Test” to generate the token I tested with. You might want to do the same just to validate the template.

Some things you could try:

  • make sure the issuer and audience are the same for token and verify code. If you have a JWT token, stick it in jwt.io to take a look at what these values are.
  • generate a fresh token to rule out expiration.

Yep, I did that. Where exactly did you install the module from? I did:

$ docker compose exec -u root n8n /bin/sh

Then:
# npm i -g jwks-rsa

added 23 packages in 3s

And:

$ docker compose down && docker compose build && docker compose up -d --force-recreate

I suspect the packages might be lost after container restart and I need to add that to a Dockerfile?

Wait, I might be using the wrong audience for the certificate code node, I’ll report back.

Update: Using a different audience from my auth0 apis I was able to validate the token!

Using https://mysite.us.auth0.com/userinfo

I might need to better understand how audiences work in my case because I was getting confused :sweat_smile:

@Jim_Le I also assume I’ll have to validate the token expiration to avoid replay attacks.

1 Like

The alternative I was testing, in order to find out whether the user had validated their email and which email it was, was to pass the JWT to an HTTP Request node:

GET https://mysite.us.auth0.com/userinfo

With the token in the Authorization header. If the JWT is valid you get back the full user info, but you can’t check permissions for your specific app, I assume.

You will get something like:

[
  {
    "sub": "auth0|XXXXXX",
    "nickname": "TheName",
    "name": "Name",
    "picture": "https://s.gravatar.com/avatar/XXXX.png",
    "updated_at": "2025-05-23T12:08:41.381Z",
    "email": "[email protected]",
    "email_verified": true
  }
]

Cool! Glad you got it to work.

Hmm, your install steps seem fine and it should persist after you restart the container. Perhaps try setting both N8N_FUNCTION_ALLOW_BUILTIN and N8N_FUNCTION_ALLOW_EXTERNAL to * (wildcard)?

Regarding the token’s actual contents, I think you can add custom scopes but I’ve never used Auth0 long enough to figure it out :woman_shrugging: Maybe someone with more Auth0 experience can chip in here?