Skip to content

feat: Support dynamic credentials in oauth refresh #23225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
BGZStephen merged 8 commits into from
Dec 15, 2025
Merged

feat: Support dynamic credentials in oauth refresh #23225

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b1c3161
add dynamic support for storing refreshed credentials
BGZStephen Dec 15, 2025
d0bca01
add support for dynamic credentials to oauth refresh
BGZStephen Dec 15, 2025
0c93d38
fix tests
BGZStephen Dec 15, 2025
e084a02
workflow resolver fallback
BGZStephen Dec 15, 2025
baa6b54
Merge branch 'master' of github.com:n8n-io/n8n into PAY-4235-handle-o…
BGZStephen Dec 15, 2025
6b5b926
move logic in to proxy
BGZStephen Dec 15, 2025
4788f9d
Merge branch 'master' of github.com:n8n-io/n8n into PAY-4235-handle-o…
BGZStephen Dec 15, 2025
7800225
dual di import
BGZStephen Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions packages/cli/src/__tests__/credentials-helper.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import type {
INodeProperties,
INodeTypes,
INodeCredentialsDetails,
IWorkflowExecuteAdditionalData,
} from 'n8n-workflow';
import { deepCopy, Workflow } from 'n8n-workflow';

Expand Down Expand Up @@ -340,6 +341,7 @@ describe('CredentialsHelper', () => {
nodeCredentials,
'oAuth2Api',
newOauthTokenData,
{} as IWorkflowExecuteAdditionalData,
);

expect(credentialsRepository.update).toHaveBeenCalledWith(
Expand Down
26 changes: 26 additions & 0 deletions packages/cli/src/credentials-helper.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -534,7 +534,33 @@ export class CredentialsHelper extends ICredentialsHelper {
nodeCredentials: INodeCredentialsDetails,
type: string,
data: ICredentialDataDecryptedObject,
additionalData: IWorkflowExecuteAdditionalData,
): Promise<void> {
const credentialsEntity = await this.getCredentialsEntity(nodeCredentials, type);

const resolverId =
credentialsEntity.resolverId ?? additionalData.workflowSettings?.credentialResolverId;

if (credentialsEntity.isResolvable && resolverId) {
const credentials = await this.getCredentials(nodeCredentials, type);
const staticData = credentials.getData();

await this.dynamicCredentialsProxy.storeOAuthTokenDataIfNeeded(
{
id: credentialsEntity.id,
name: credentialsEntity.name,
type: credentialsEntity.type,
isResolvable: credentialsEntity.isResolvable,
resolverId,
},
data.oauthTokenData as IDataObject,
additionalData.executionContext,
staticData,
additionalData.workflowSettings,
);
return;
}

const credentials = await this.getCredentials(nodeCredentials, type);

credentials.updateData({ oauthTokenData: data.oauthTokenData });
Expand Down
46 changes: 45 additions & 1 deletion packages/cli/src/credentials/dynamic-credentials-proxy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,22 @@
import type { Logger } from '@n8n/backend-common';
import { Container, Service } from '@n8n/di';
import { Cipher } from 'n8n-core';
import type {
CredentialStoreMetadata,
IDynamicCredentialStorageProvider,
} from './dynamic-credential-storage.interface';
import type {
ICredentialContext,
ICredentialDataDecryptedObject,
IDataObject,
IExecutionContext,
IWorkflowSettings,
} from 'n8n-workflow';
import { toCredentialContext, UnexpectedError } from 'n8n-workflow';
import type {
CredentialResolveMetadata,
ICredentialResolutionProvider,
} from './credential-resolution-provider.interface';
import { Service } from '@n8n/di';

@Service()
export class DynamicCredentialsProxy
Expand Down Expand Up @@ -79,4 +82,45 @@ export class DynamicCredentialsProxy
workflowSettings,
);
}

/**
* Stores OAuth token data for dynamic credentials, handling execution context decryption
*/
async storeOAuthTokenDataIfNeeded(
credentialStoreMetadata: CredentialStoreMetadata,
oauthTokenData: IDataObject,
executionContext: IExecutionContext | undefined,
staticData: ICredentialDataDecryptedObject,
workflowSettings?: IWorkflowSettings,
): Promise<void> {
if (!credentialStoreMetadata.isResolvable || !credentialStoreMetadata.resolverId) {
return;
}

const cipher = Container.get(Cipher);

let credentialContext: { version: 1; identity: string } | undefined;

if (executionContext?.credentials) {
const decrypted = cipher.decrypt(executionContext.credentials);
credentialContext = toCredentialContext(decrypted) as { version: 1; identity: string };
}

if (!credentialContext) {
throw new UnexpectedError('No credential context found', {
extra: {
credentialId: credentialStoreMetadata.id,
credentialName: credentialStoreMetadata.name,
},
});
}

await this.storeIfNeeded(
credentialStoreMetadata,
{ oauthTokenData } as ICredentialDataDecryptedObject,
credentialContext,
staticData,
workflowSettings,
);
}
}
3 changes: 3 additions & 0 deletions .../execution-engine/node-execution-context/utils/__tests__/request-helper-functions.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -939,6 +939,7 @@ describe('Request Helper Functions', () => {
refresh_token: 'new-refresh-token',
}),
}),
mockAdditionalData,
);
});

Expand Down Expand Up @@ -981,6 +982,7 @@ describe('Request Helper Functions', () => {
refresh_token: 'new-refresh-token',
}),
}),
mockAdditionalData,
);
});

Expand Down Expand Up @@ -1020,6 +1022,7 @@ describe('Request Helper Functions', () => {
refresh_token: 'new-refresh-token',
}),
}),
mockAdditionalData,
);
});

Expand Down
4 changes: 4 additions & 0 deletions packages/core/src/execution-engine/node-execution-context/utils/request-helper-functions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -941,6 +941,7 @@ export async function requestOAuth2(
nodeCredentials,
credentialsType,
credentials as unknown as ICredentialDataDecryptedObject,
additionalData,
);

oauthTokenData = data;
Expand Down Expand Up @@ -1022,6 +1023,7 @@ export async function requestOAuth2(
nodeCredentials,
credentialsType,
credentials as unknown as ICredentialDataDecryptedObject,
additionalData,
);
const refreshedRequestOption = newToken.sign(requestOptions as ClientOAuth2RequestObject);

Expand Down Expand Up @@ -1102,6 +1104,7 @@ export async function requestOAuth2(
nodeCredentials,
credentialsType,
credentials as unknown as ICredentialDataDecryptedObject,
additionalData,
);

this.logger.debug(
Expand Down Expand Up @@ -1268,6 +1271,7 @@ export async function refreshOAuth2Token(
nodeCredentials,
credentialsType,
credentials as unknown as ICredentialDataDecryptedObject,
additionalData,
);

this.logger.debug(
Expand Down
1 change: 1 addition & 0 deletions packages/workflow/src/interfaces.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,7 @@ export abstract class ICredentialsHelper {
nodeCredentials: INodeCredentialsDetails,
type: string,
data: ICredentialDataDecryptedObject,
additionalData: IWorkflowExecuteAdditionalData,
): Promise<void>;

abstract getCredentialsProperties(type: string): INodeProperties[];
Expand Down
Loading