OIDC Auth Gate (2-In)
Gate for OAuth2/OIDC Authorization Code (optional PKCE). Input #1: init (no code) → redirect. Input #2: callback (with code) → token exchange. Output #1: unauthenticated (302 redirect). Output #2: authenticated (tokens).
Overview
This node implements an OIDC/OAuth2 Authorization Code flow with optional PKCE support. It acts as a gate for authentication by handling two inputs: the initial request to redirect the user to the identity provider's authorization endpoint, and the callback request to exchange the authorization code for tokens. It outputs either a redirect response if the user is not authenticated or the tokens if authentication is successful. This node is useful for integrating OAuth2/OIDC authentication into workflows, enabling secure user login and token retrieval for API access.
Use Case Examples
- Redirecting a user to an OAuth2 authorization URL to initiate login.
- Handling the callback from the identity provider to exchange the authorization code for access and ID tokens.
- Using PKCE for enhanced security in public clients without client secrets.
Properties
| Name | Meaning |
|---|---|
| Authorization URL | OIDC/OAuth2 authorization endpoint URL where the user is redirected to authenticate. |
| Token URL | Token endpoint URL used to exchange the authorization code for tokens. |
| Callback URL (optional) | Redirect URI used in the OAuth2 flow; if empty, the node uses the execution resume URL automatically. |
| Client ID | OAuth2 client identifier. |
| Client Secret | OAuth2 client secret; optional if using PKCE. |
| Scopes | Space-separated list of OAuth2 scopes; 'openid' is added automatically if missing. |
| Use PKCE (S256) | Whether to use PKCE with S256 code challenge for enhanced security. |
| Advanced | Additional advanced options including extra authorization parameters to add to the authorization URL. |
Output
JSON
- statusCode: HTTP status code of the response (302 for redirect, 200 for authenticated, 400 for errors).
- headers: HTTP headers, including Location for redirects and cache-control headers.
- body:
  - message: Human-readable message describing the response state.
  - location: Redirect URL to the identity provider (only for unauthenticated output).
  - meta:
    - callbackUrl: Callback URL used in the OAuth2 flow (only for unauthenticated output).
    - usePkce: Indicates whether PKCE was used (only for unauthenticated output).
    - state: Encoded state parameter used for CSRF protection (only for unauthenticated output).
- access_token: OAuth2 access token (only for authenticated output).
- id_token: OIDC ID token (only for authenticated output).
- refresh_token: OAuth2 refresh token (only for authenticated output).
- expires_in: Token expiration time in seconds (only for authenticated output).
- token_type: Type of the token issued (only for authenticated output).
Dependencies
- crypto module for generating PKCE code verifier and state tokens
Troubleshooting
- Missing or incorrect authorization code in the callback request results in a 400 error with a descriptive message.
- Ensure the callback URL matches the one registered with the identity provider to avoid redirect URI mismatches.
- If using PKCE, the code verifier and challenge must be correctly generated and sent; otherwise, token exchange will fail.
- Client secret is optional only if PKCE is used; otherwise, it must be provided.
Links
- OpenID Connect Core 1.0 Specification - Official specification for OIDC, describing the authorization code flow and tokens.
- RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) - Specification for PKCE, enhancing OAuth2 security for public clients.