n8n-io / n8n

Free and source-available fair-code licensed workflow automation tool. Easily automate tasks across different services.
https://n8n.io

OAuth Callback URL Returns 401 #10067

Closed lawfulsoftware closed 2 months ago

lawfulsoftware commented 2 months ago

Bug Description

The authentication process appears to be blocked by this check.

I am trying to authenticate with the [Zoho Mail API](https://www.zoho.com/mail/help/api/using-oauth-2.html). I see the pop-up asking for approval of the requested permissions. Once granted, the request is redirected to n8n https://{your_domain}.com/{your_redirect_page}?code={authorization_code}&location={domain}&accounts-server={accounts_url} but I receive:

```json
{
    "status": "error",
    "message": "Unauthorized"
}
```

If I try to access the redirect URL directly (i.e., without any query parameters), I receive the same error message.

The process breaks at this point and I cannot move to step 3 of Zoho's documentation.

To Reproduce

Try to authenticate following Zoho's documentation.

Expected behavior

Authentication should work seamlessly

Operating System

Docker

n8n Version

1.49.0

Node.js Version

20.14.0

Database

PostgreSQL

Execution mode

main (default)

Joffcom commented 2 months ago

Hey @lawfulsoftware

Are other oauth services working ok?

Did you also set the offline access_type option?

lawfulsoftware commented 2 months ago

Thanks for the quick response, @Joffcom.

I have tried different approaches, including setting access_type=offline.

I don't use OAuth with many services. I just tried to connect Nextcloud and experienced the same issue. It also happens if I use the built-in Zoho Oauth2 API which only works with Zoho CRM.

I have logging set to debug however I do not see any issues. I also don't see any issues with my configuration. I am using Traefik in case that is relevant.

I used basic auth at one point but I commented it out a long time ago.

netroy commented 2 months ago

Since the oauth2 callback url is excluded from the browserId check, the only way for that url to return a 401 is when the request is missing the auth cookie.

  1. Are you using Firefox containers or some other browser extension that might be messing with cookies?
  2. Does the callback popup also log you out from n8n?
  3. Have you tried to reproduce this on another browser?

lawfulsoftware commented 2 months ago

I am using Edge. I only had two extensions however I disabled both. There is no change in behaviour.

I will add the following:

When I add prompt=consent, it still shows the same { "status": "error", "message": "Unauthorized" } message however it does not return a 401 and, when I close out of the credential manager and open it again, it shows a green Account connected message. If, however, I execute a GET request on https://mail.zoho.com/api/organization, I receive the following response: The resource you are requesting could not be found 404 - "{\"data\":{\"errorCode\":\"INVALID_OAUTHTOKEN\"},\"status\":{\"code\":404,\"description\":\"Invalid Input\"}}"

Also, the auth token is contained in the query string of the page displaying the error. Here are screenshots of the network requests.


I just tried in Chrome Canary (no extensions) with the same result. I am using Edge 126.0.2592.102 (Official build) (64-bit).

The callback popup has no effect on my n8n session.

netroy commented 2 months ago

> The callback popup has no effect on my n8n session.

Can you please check if the domain for the popup and the domain you are accessing n8n over are the same?

lawfulsoftware commented 2 months ago

That was it! Thank you!

The domain is the same but I was using a different subdomain for the UI. I accessed the UI using the webhook subdomain and it worked correctly.

Ideally, it should be possible to use different subdomains for the UI and webhooks but I can confirm that this solution works and persists even if I revert to the UI subdomain.
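The diagnosis above (a 401 only when the request has no auth cookie) and the fix (serve the UI from the same subdomain as the callback) come down to browser cookie scoping. The following is an added example, not n8n's own code: it applies the RFC 6265 host-only cookie rules to an editor URL and a callback URL to predict whether the session cookie would be attached. The hostnames, the callback path and the cookie attributes are constructed for illustration; n8n's real cookie name and callback path are not assumed.

```javascript
// Added example (not n8n code): predict from RFC 6265 cookie scoping whether
// the editor's session cookie accompanies the OAuth2 callback request.
// All URLs and the cookie shape below are constructed for illustration.

// RFC 6265 section 5.1.3: a host-only cookie (set without a Domain attribute,
// as browser session cookies usually are) matches the exact host only; a
// cookie with a Domain attribute also matches subdomains of that domain.
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for requestUrl?
function cookieWouldBeSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const secureOk = !cookie.secure || u.protocol === "https:";
  return domainMatches(cookie, u.hostname) && secureOk && pathMatches(cookie.path, u.pathname);
}

// Model the session cookie the editor would have set: host-only, scoped to the
// editor's hostname, Secure when served over https, path "/" (assumed shape).
function diagnoseOAuthCallback(editorUrl, callbackUrl) {
  const editor = new URL(editorUrl);
  const sessionCookie = {
    domain: editor.hostname,
    hostOnly: true,
    secure: editor.protocol === "https:",
    path: "/",
  };
  const sent = cookieWouldBeSent(sessionCookie, callbackUrl);
  return {
    editorHost: editor.hostname,
    callbackHost: new URL(callbackUrl).hostname,
    sessionCookieSent: sent,
    verdict: sent ? "callback carries the session cookie" : "no session cookie on callback: expect 401",
  };
}

// Constructed URLs mirroring the thread: UI on one subdomain, callback on another,
// then both on the same subdomain (the configuration that worked).
console.log(diagnoseOAuthCallback("https://n8n.example.com", "https://webhook.example.com/oauth2-callback?code=xyz"));
console.log(diagnoseOAuthCallback("https://webhook.example.com", "https://webhook.example.com/oauth2-callback?code=xyz"));
```

Running the check against your own editor and callback URLs before starting an OAuth flow shows whether the callback can ever see the session.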

lawfulsoftware commented 2 months ago

Quick thought. If it's difficult to permit authentication when using a different subdomain for the UI, could a warning be displayed when trying to connect the account?