Announcing n8n-oidc
If you self-host n8n and want single sign-on, you’ve probably discovered the harsh reality: SSO requires a Startup license that starts at $400/mo (billed annually). That’s a very significant cost, just to use your existing identity provider. This is the [SSO Tax](https://ssotax.org), and n8n is one of the worst offenders on the Wall of Shame at a 1567% markup over the base plan (and an obvious infinite markup over the self-hosted community edition).
Today, I’m releasing n8n-oidc – a drop-in solution that enables OpenID Connect authentication for self-hosted n8n, no enterprise license required.
The problem
You’re running n8n self-hosted for yourself and maybe a couple of friends or family members. You already have an identity provider – maybe PocketID or Keycloak. You want your users to log in with their existing credentials, managed centrally with proper security controls, but n8n says no. Not unless you pay enterprise pricing.
This isn’t a technical limitation. SSO via OIDC is a straightforward, standardized protocol. The code to implement it is minimal. The real reason it’s locked behind enterprise pricing is that vendors know organizations *need* centralized authentication, and they’re willing to exploit that need.
As the folks at ssotax.org put it: “Imagine buying a car and the manufacturer asks for an extra payment to unlock 100% of the braking power. Not offering security features if they already exist in your product means a vendor doesn’t care about your security.”
The solution
n8n-oidc uses n8n’s external hooks system to inject OIDC support at runtime. No patches, no forks, no license violations: just a JavaScript file and some environment variables.
Features
- Standard OIDC authorization code flow: Works with any compliant identity provider
- Just-in-time user provisioning: Users are created automatically on first login
- Automatic role assignment: First user becomes owner, subsequent users become members
- Clean login experience: SSO button replaces the default login form
- Fallback access: Append `?showLogin=true` for email/password login when needed
How it works
The hooks.js file registers custom routes that handle the OIDC flow:
- `/auth/oidc/login` – Redirects users to your identity provider
- `/auth/oidc/callback` – Handles the authorization code exchange and creates the n8n session
A frontend script replaces the login form with a clean “Sign in with SSO” button. Users click it, authenticate with your IdP, and land in n8n fully authenticated with a proper session.
Who is this for?
- Homelab enthusiasts who want proper authentication without enterprise pricing
- Small teams self-hosting n8n who already have an identity provider
- Organizations evaluating n8n who need SSO but can’t justify enterprise costs for a proof-of-concept
- Anyone who believes security features shouldn’t be paywalled
Who is this NOT for?
If you need enterprise support, SLAs, or are running n8n at scale in a regulated environment, the enterprise license probably makes sense for you. This project is for the rest of us.
Technical notes
- Uses only built-in Node.js modules (no additional dependencies)
- Caches OIDC discovery documents for performance
- Implements proper state/nonce validation to prevent CSRF and replay attacks
- Creates secure session cookies using n8n’s JWT service
- Works with n8n’s Docker image out of the box
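To make the state/nonce point concrete, here is a sketch of how a login route and a callback route can bind the IdP's response to the browser that started the flow, using only Node's built-in crypto module. This is an added example, not code from n8n-oidc's hooks.js: the function names, the in-memory Map store, the cookie-id scheme and the 10-minute lifetime are all assumptions, and ID token signature, issuer and audience checks are assumed to have happened before `finishLogin` is called.

```javascript
const crypto = require('node:crypto');

const MAX_AGE_MS = 10 * 60 * 1000; // assumed lifetime of a pending login
const rand = () => crypto.randomBytes(32).toString('base64url');

// Constant-time comparison; hashing both sides gives timingSafeEqual equal lengths.
function safeEqual(a, b) {
  const h = (v) => crypto.createHash('sha256').update(String(v)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Login route (hypothetical helper): mint state and nonce, store them under a
// per-browser cookie id, and build the redirect to the authorization endpoint.
function beginLogin(store, cfg, now = Date.now()) {
  // SameSite=Lax, not Strict: the IdP redirect back is a cross-site navigation.
  const cookie = rand(); // sent as an HttpOnly, Secure, SameSite=Lax cookie
  const pending = { state: rand(), nonce: rand(), createdAt: now };
  store.set(cookie, pending);
  const url = new URL(cfg.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: 'openid email profile',
    state: pending.state,
    nonce: pending.nonce,
  }).toString();
  return { cookie, url: url.toString() };
}

// Callback route (hypothetical helper): returns null when the response matches
// this browser's pending login, otherwise a rejection reason. `claims` is the
// payload of an ID token that has already been cryptographically verified.
function finishLogin(store, cookie, query, claims, now = Date.now()) {
  const pending = store.get(cookie);
  store.delete(cookie); // single use: a replayed callback finds nothing
  if (!pending) return 'no pending login for this browser';
  if (now - pending.createdAt > MAX_AGE_MS) return 'login attempt expired';
  if (!safeEqual(query.state ?? '', pending.state)) return 'state mismatch';
  if (!safeEqual(claims.nonce ?? '', pending.nonce)) return 'nonce mismatch';
  return null;
}
```

Keying the pending entry on a cookie rather than on the state value alone is what defeats login CSRF: a callback URL minted in someone else's browser carries a state that this browser never stored.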
The project is available on GitHub under the MIT license:
Issues, PRs, and feedback welcome.