n8nworkflows.io
Sign in

Authenticate a user in a workflow with openid connect

Download [17.7KB]

Nodes

9dd572aa-e531-4ffe-a66c-58ac7003ac5d2e3e39e3-0e17-4fae-9ac5-9ee31f9711ed3b9f1b78-6b80-4575-aa6c-9669870003892cf69bf8-d025-41db-983e-898d5f3acf5aa97f27bd-6185-4b9b-bade-f7020a7a1885

Categories

Security & Compliance

Tags

#OpenID Connect

Created by

plplease-open.it

Last edited 38 days ago

Intro

This workflow needs a user to authenticate by using an openid connect provider in order to call the webhook.

If the user is not authenticated, it starts a login process by using an Authorization Code with PKCE https://datatracker.ietf.org/doc/html/rfc7636, a standard way to authenticate users with openid connect.

Then, after the user logs in, the webhook is refreshed and gets the user's token from a cookie. With this token, all details about the user are requested through the userinfo endpoint on the identity provider.

How to set up with Keycloak

Keycloak Keycloak is an open source identity and access management solution.

Feel free to get a demo realm at https://please-open.it or get your own Keycloak server up and running.

After creating a realm, go to "Realm Settings" and click on "OpenID Endpoint Configuration"

Retrieve authorization_endpoint, token_endpoint and userinfo_endpoint values. Set those variables in the "Set variables" node.

In Keycloak, create a new client (name it as you want)

Disable the client authentication, check only "standard flow" :

At the third step, put the webhook url in "valid redirect URIs", fill "Web origins" with a "+".

You're done, open the webhook and it asks you to authenticate.

Usage

User informations

The userinfo node returns this structure about the user has logged in :

[
  {
    "sub":"73a6543f-f420-4fa6-9811-209e903c348b",
    "email_verified":true,
    "preferred_username": "mathieu.passenaud@please-open.it",
    "email": "mathieu.passenaud@please-open.it"
  }
]

I can use those infos in my workflow for custom operations.

APIs calls

the "code" node returns me a cookie named "n8n-custom-auth" which is the access_token returned by the identity provider. This access_token can be used to call APIs connected to this identity provider (for example, we call userinfo API with this token).

Example : asks a user to log in with his Google account then call an API (Gmail, drive...) with his own token.

How it works

We published a blog post about this flow, how it works and how you can use it : https://blog.please-open.it/n8n-openid-client/

You may also like

User verification and login using Auth0

User verification and login using Auth0

JaJay Hartley
547
44
Secure API Endpoint with Bearer Token Authentication and Field Validation

Secure API Endpoint with Bearer Token Authentication and Field Validation

AuAudun
852
59
Validate Auth0 JWT Tokens using JWKS or Signing Cert

Validate Auth0 JWT Tokens using JWKS or Signing Cert

JiJimleuk
543
31

New to n8n?

Need help building new n8n workflows? Process automation for you or your company will save you time and money, and it's completely free!

Trending

Translate cocktail instructions using DeepL

Translate cocktail instructions using DeepL

HaHarshil Agrawal
366
17
Receive transfer updates from Wise and add to Airtable

Receive transfer updates from Wise and add to Airtable

HaHarshil Agrawal
712
55
Manage transfers automatically in Wise

Manage transfers automatically in Wise

HaHarshil Agrawal
151
19