Back to templates
HTTP Request node
Webhook node
+4

Authenticate a user in a workflow with openid connect

Published 5 months ago

Categories

Building Blocks
SecOps
Use workflow FREE

Template description

Intro

This workflow needs a user to authenticate by using an openid connect provider in order to call the webhook.

If the user is not authenticated, it starts a login process by using an Authorization Code with PKCE https://datatracker.ietf.org/doc/html/rfc7636, a standard way to authenticate users with openid connect.

Then, after the user logs in, the webhook is refreshed and gets the user's token from a cookie. With this token, all details about the user are requested through the userinfo endpoint on the identity provider.

How to set up with Keycloak

Keycloak Keycloak is an open source identity and access management solution.

Feel free to get a demo realm at https://please-open.it or get your own Keycloak server up and running.

After creating a realm, go to "Realm Settings" and click on "OpenID Endpoint Configuration"

image.png

Retrieve authorization_endpoint, token_endpoint and userinfo_endpoint values. Set those variables in the "Set variables" node.

In Keycloak, create a new client (name it as you want)

image.png

Disable the client authentication, check only "standard flow" :

image.png

At the third step, put the webhook url in "valid redirect URIs", fill "Web origins" with a "+".

image.png

You're done, open the webhook and it asks you to authenticate.

Usage

User informations

The userinfo node returns this structure about the user has logged in :

[
  {
    "sub":"73a6543f-f420-4fa6-9811-209e903c348b",
    "email_verified":true,
    "preferred_username": "[email protected]",
    "email": "[email protected]"
  }
]

I can use those infos in my workflow for custom operations.

APIs calls

the "code" node returns me a cookie named "n8n-custom-auth" which is the access_token returned by the identity provider. This access_token can be used to call APIs connected to this identity provider (for example, we call userinfo API with this token).

Example : asks a user to log in with his Google account then call an API (Gmail, drive...) with his own token.

How it works

We published a blog post about this flow, how it works and how you can use it :
https://blog.please-open.it/n8n-openid-client/

Share Template

Implement complex processes faster with n8n

Get started
red icon yellow icon red icon yellow icon

Automate without limits

Impressum & Legal

Report a vulnerability

© 2024 n8n | All rights reserved.