n8n

How to Connect Keycloak User Authentication?

Protect pages and forms with secure sign in backed by your identity provider. Users land on a login screen, then return with their profile so you can show a welcome page or continue to your app. Ideal for teams that need simple access control without building a full backend.

A webhook receives the request and stores key endpoints and client details in a variables node. A code node reads cookies to find any saved token. If the URL has a code and PKCE is off, the flow swaps the code for an access token using the token endpoint. When a token is present, an HTTP request pulls user details from the user info endpoint. An If check decides which HTML page to return. The login form builds the authorize URL. The welcome page shows the user email. Two response nodes send the right page back to the browser.

Setup needs an OpenID Connect provider such as Keycloak. Add your authorization, token, and user info endpoints, client id, scopes, and optional client secret and redirect URI. The expected result is a clean single sign-on path that saves build time and avoids manual checks. It is good for gating internal tools, admin panels, and quick demos where you need verified users before they interact with data.

What are the key features?

  • Webhook entry point that serves the login or welcome page on request
  • Variables node to store authorization, token, and user info endpoints plus client settings
  • Code node that parses cookies to read any existing access token
  • If check that detects code in the URL and PKCE mode to control the token exchange path
  • HTTP request that exchanges the code for an access token at the token endpoint
  • HTTP request that calls the user info endpoint with a Bearer token to fetch profile details
  • HTML nodes for a ready to use login form and a welcome page that shows the user email
  • Respond to Webhook nodes that return the correct HTML back to the browser

What are the benefits?

  • Reduce setup time from 8 hours to 30 minutes
  • Eliminate manual user checks by relying on the identity provider
  • Improve data accuracy by pulling verified emails at login
  • Support hundreds of concurrent sign ins with a stateless webhook flow
  • Connect n8n pages with Keycloak without custom backend code

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need a Keycloak account. See the Tools Required section below for links to create accounts with these services.
  3. In your Keycloak admin, create an OpenID Connect client. Add the n8n Webhook URL of this workflow to the valid redirect URIs. Copy the authorization endpoint, token endpoint, and user info endpoint from the realm OpenID configuration.
  4. Open the Set variables node in n8n and paste the three endpoints. Enter the client id and the scopes (at least openid). If you use non-PKCE mode, also set the client secret and a redirect URI that is the same as your Webhook URL.
  5. Optional credentials: double click the HTTP Request nodes, and in the Credential to connect with dropdown, click Create new credential. If you prefer, set up an OAuth2 API credential with your Keycloak endpoints and scopes, then attach it. Otherwise leave as is since the nodes send headers and body directly.
  6. Check the "If we have code in URI and not in PKCE mode" node. Set the PKCE flag in the variables node to match your client settings. For public clients use PKCE true. For confidential clients with a secret use PKCE false.
  7. Activate the workflow. Visit the Webhook URL in your browser. You should see the login form. After sign in, you should be redirected back and see the welcome page with your email.
  8. Validate in n8n execution logs that the token exchange returns status 200 and the user info call returns an email. If you land back on the login page, the email may be missing or the token might be invalid.
  9. Troubleshoot common issues: if you get a 401, confirm the Authorization header includes Bearer and a valid access token. If you loop back to login, check the redirect URI and client id. If PKCE is on, make sure client authentication is disabled in Keycloak.
  10. Customize the HTML nodes for branding and layout. Keep the variable names and script parts that build the authorize URL so the sign in continues to work.

Tools Required

$24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.

Keycloak


Self-hosted (open source, Apache-2.0): $0
