n8n-Oidc
If you self-host n8n and want single sign-on, you've probably discovered the harsh reality: SSO requires a Startup license that starts at $400/mo (billed annually). That's a very significant cost, just to use your existing identity provider. This is the [SSO Tax](https://ssotax.org), and n8n is one of the worst offenders on the Wall of Shame at a 1567% markup over the base plan (and an obvious infinite markup over the self-hosted community edition).

Today, I'm releasing n8n-oidc, a drop-in solution that enables OpenID Connect authentication for self-hosted n8n, no enterprise license required.

The problem

You're running n8n self-hosted for yourself and maybe a couple of friends or family members. You already have an identity provider, maybe PocketID or Keycloak. You want your users to log in with their existing credentials, managed centrally with proper security controls, but n8n says no. Not unless you pay enterprise pricing.

This isn't a technical limitation. SSO via OIDC is a straightforward, standardized protocol. The code to implement it is minimal. The real reason it's locked behind enterprise pricing is that vendors know organizations *need* centralized authentication, and they're willing to exploit that need.

As the folks at ssotax.org put it: "Imagine buying a car and the manufacturer asks for an extra payment to unlock 100% of the braking power. Not offering security features if they already exist in your product means a vendor doesn't care about your security."

The solution

n8n-oidc uses n8n's external hooks system to inject OIDC support at runtime. No patches, no forks, no license violations: just a JavaScript file and some environment variables.

Features

- Standard OIDC authorization code flow: works with any compliant identity provider
- Just-in-time user provisioning: users are created automatically on first login
- Automatic role assignment: first user becomes owner, subsequent users become members
- Clean login experience: SSO button replaces the default login form
- Fallback access: append `?showLogin=true` for email/password login when needed

How it works

The hooks.js file registers custom routes that handle the OIDC flow:

- `/auth/oidc/login`: redirects users to your identity provider
- `/auth/oidc/callback`: handles the authorization code exchange and creates the n8n session

A frontend script replaces the login form with a clean "Sign in with SSO" button. Users click it, authenticate with your IdP, and land in n8n fully authenticated with a proper session.

Who is this for?

- Homelab enthusiasts who want proper authentication without enterprise pricing
- Small teams self-hosting n8n who already have an identity provider
- Organizations evaluating n8n who need SSO but can't justify enterprise costs for a proof-of-concept
- Anyone who believes security features shouldn't be paywalled

Who is this NOT for?

If you need enterprise support, SLAs, or are running n8n at scale in a regulated environment, the enterprise license probably makes sense for you. This project is for the rest of us.

Technical notes

- Uses only built-in Node.js modules (no additional dependencies)
- Caches OIDC discovery documents for performance
- Implements proper state/nonce validation to prevent CSRF and replay attacks
- Creates secure session cookies using n8n's JWT service
- Works with n8n's Docker image out of the box

The project is available on GitHub under the MIT license:

github.com/cweagans/n8n-oidc

Issues, PRs, and feedback welcome.
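
The state/nonce validation listed in the technical notes can be done with Node.js built-ins alone. The following is an added example, not code from n8n-oidc: the function names, the signed-cookie layout and the 5-minute lifetime are assumptions chosen to show how `state` binds the callback to the browser that started the login and how `nonce` binds the ID token to that same attempt.

```javascript
// Added example, not code from n8n-oidc. Names, cookie layout and TTL are assumptions.
const crypto = require('node:crypto');

const TTL_MS = 5 * 60 * 1000; // assumed: a login must complete within 5 minutes
const b64u = (buf) => buf.toString('base64url');
const sign = (key, data) => crypto.createHmac('sha256', key).update(data).digest('base64url');

// Constant-time string comparison; timingSafeEqual requires equal lengths.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Login route: mint state and nonce, and a signed cookie tying them to this browser.
function beginLogin(key, now = Date.now()) {
  const state = b64u(crypto.randomBytes(32));
  const nonce = b64u(crypto.randomBytes(32));
  const body = `${state}.${nonce}.${now + TTL_MS}`; // base64url never contains '.'
  return { state, nonce, cookie: `${body}.${sign(key, body)}` };
}

// Callback route: verify the cookie, then compare its state with the query parameter.
// Returns the nonce the ID token must carry; throws on any mismatch.
function checkCallback(key, cookie, queryState, now = Date.now()) {
  const parts = String(cookie || '').split('.');
  if (parts.length !== 4) throw new Error('missing or malformed login cookie');
  const [state, nonce, expires, mac] = parts;
  if (!safeEqual(mac, sign(key, `${state}.${nonce}.${expires}`))) {
    throw new Error('login cookie signature mismatch');
  }
  if (now > Number(expires)) throw new Error('login attempt expired');
  if (!safeEqual(state, queryState)) throw new Error('state mismatch (possible CSRF)');
  return nonce;
}

// Run only after the ID token's signature, iss, aud and exp have been verified.
function checkNonce(idTokenClaims, expectedNonce) {
  if (!idTokenClaims || !safeEqual(idTokenClaims.nonce, expectedNonce)) {
    throw new Error('nonce mismatch (possible replay)');
  }
  return true;
}
```

Send `state` and `nonce` as authorization request parameters, set `cookie` as an HttpOnly, Secure, SameSite=Lax cookie, and clear it once the callback has run so the same login attempt cannot be reused.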