n8n - 💡(How to fix) Fix Missing audit events for OIDC SSO: no login.success on successful login, no login.failed when password login is blocked by SSO [2 comments, 3 participants]

GitHub stats

Issue: n8n-io/n8n#29512 (fetched 2026-04-30 06:44:04)
Comments: 2, Participants: 3, Timeline: 7, Reactions: 0
Timeline (top): labeled ×3, commented ×2, mentioned ×1, subscribed ×1

Bug Description

Two audit logging gaps exist when OIDC SSO is enabled, making login activity invisible to log streaming destinations:

  1. Successful OIDC login does not emit n8n.audit.user.login.success. The OIDC callback handler in
    oidc.controller.ee.ts issues the auth cookie and redirects but never calls eventService.emit('user-logged-in',
    ...). This is inconsistent with SAML SSO, which correctly emits the event in saml.controller.ee.ts.

  2. Failed password login under SSO does not emit n8n.audit.user.login.failed. When SSO (OIDC or SAML) is
    enabled and a user attempts to log in with email/password, the validateSsoRestrictions method in auth.controller.ts throws an AuthError before the code that emits user-login-failed is reached. This means brute-force attempts against the password login endpoint are completely invisible to log streaming.

Both gaps affect organizations relying on log streaming for security monitoring (SIEM integration, brute-force detection, compliance auditing).

To Reproduce

Scenario 1 -- Missing login success:

  1. Enable OIDC SSO on an n8n instance with an enterprise license
  2. Configure a log streaming destination and subscribe to n8n.audit.user.login.success
  3. Log in via OIDC SSO with valid credentials
  4. Check the log streaming destination -- no event is received

Scenario 2 -- Missing login failure:

  1. Enable OIDC (or SAML) SSO on an n8n instance
  2. Configure a log streaming destination and subscribe to n8n.audit.user.login.failed
  3. Attempt to log in via POST /login with incorrect email/password credentials
  4. Check the log streaming destination -- no event is received

Expected behavior

  • A successful OIDC login should emit n8n.audit.user.login.success with authenticationMethod: 'oidc', matching SAML and email/password login behavior.
  • A failed password login attempt when SSO is enabled should emit n8n.audit.user.login.failed with the user's email and the reason for failure, so brute-force attempts are visible to security monitoring.

Actual Behavior:

  • Successful OIDC logins produce no audit event.
  • Failed password logins under SSO produce no audit event. The SSO restriction check in auth.controller.ts short-circuits the login flow before the user-login-failed event emission is reached.

Affected Files:

  1. packages/cli/src/modules/sso-oidc/oidc.controller.ee.ts -- missing user-logged-in event
  2. packages/cli/src/controllers/auth.controller.ts -- validateSsoRestrictions throws without emitting user-login-failed

Debug Info

core

  • n8nVersion: 2.17.7
  • platform: docker (self-hosted)
  • nodeJsVersion: 24.14.1
  • nodeEnv: production
  • database: postgres
  • executionMode: regular
  • concurrency: -1
  • license: enterprise (production)
  • consumerId: 817c2c43-d5cf-47ec-840f-41001cc56362

storage

  • success: all
  • error: all
  • progress: false
  • manual: true
  • binaryMode: filesystem

pruning

  • enabled: true
  • maxAge: 336 hours
  • maxCount: 10000 executions

client

  • userAgent: mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/147.0.0.0 safari/537.36
  • isTouchDevice: false

security

  • secureCookie: false

Generated at: 2026-04-29T13:21:05.904Z

Operating System

macOS 26.4.1

n8n Version

2.17.7

Node.js Version

v24.14.1

Database

PostgreSQL

Execution mode

main (default)

Hosting

self hosted

extent analysis

TL;DR

To fix the audit logging gaps, modify the oidc.controller.ee.ts and auth.controller.ts files to emit the missing events for successful OIDC logins and failed password logins under SSO.

Guidance

  • In oidc.controller.ee.ts, add a call to eventService.emit('user-logged-in', ...) in the callback handler that issues the auth cookie and redirects, so that successful OIDC logins emit n8n.audit.user.login.success.
  • In auth.controller.ts, modify the validateSsoRestrictions method to emit the n8n.audit.user.login.failed event before throwing the AuthError for failed password logins under SSO.
  • Verify the fix by reproducing the scenarios and checking the log streaming destination for the expected events.
  • Review the saml.controller.ee.ts file for a working example of emitting the user-logged-in event.

Example

// In oidc.controller.ee.ts, in the callback handler that issues the auth cookie
eventService.emit('user-logged-in', {
  userId,
  authenticationMethod: 'oidc',
});

// In auth.controller.ts, inside validateSsoRestrictions: the method throws the
// AuthError itself, so the event has to be emitted immediately before that throw
eventService.emit('user-login-failed', {
  email,
  reason: 'SSO restriction',
});
throw new AuthError('SSO restriction');
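
The ordering problem behind the second gap, and its fix, as an added TypeScript model that is not n8n's code: RecordingEventService, checkPassword, loginBefore, loginAfter, attempt and the sample account are hypothetical, and validateSsoRestrictions is reduced to a stand-in that throws whenever SSO is enabled. Payload fields follow the example above.

```typescript
// Added illustration: a stand-alone model of the password-login path, not n8n source.
type Payload = Record<string, string>;
class AuthError extends Error {}
class RecordingEventService {
  readonly events: { name: string; payload: Payload }[] = [];
  emit(name: string, payload: Payload): void {
    this.events.push({ name, payload });
  }
}

// Hypothetical stand-in for the SSO check: password login is refused while SSO is on.
function validateSsoRestrictions(ssoEnabled: boolean): void {
  if (ssoEnabled) throw new AuthError('SSO restriction');
}

// Constructed account; any other email/password pair counts as wrong credentials.
const EMAIL = 'alice@example.test';
const PASSWORD = 'correct-horse';
function checkPassword(svc: RecordingEventService, email: string, password: string): void {
  if (email !== EMAIL || password !== PASSWORD) {
    svc.emit('user-login-failed', { email, reason: 'wrong credentials' });
    throw new AuthError('wrong credentials');
  }
  svc.emit('user-logged-in', { email, authenticationMethod: 'email' });
}

type Login = (svc: RecordingEventService, sso: boolean, email: string, password: string) => void;
// Before: the SSO check throws ahead of the only code that emits user-login-failed.
const loginBefore: Login = (svc, sso, email, password) => {
  validateSsoRestrictions(sso);
  checkPassword(svc, email, password);
};
// After: the rejection is recorded, then the original error propagates unchanged.
const loginAfter: Login = (svc, sso, email, password) => {
  try {
    validateSsoRestrictions(sso);
  } catch (error) {
    svc.emit('user-login-failed', { email, reason: 'SSO restriction' });
    throw error;
  }
  checkPassword(svc, email, password);
};

// Runs one attempt against a fresh recorder and returns the emitted event names.
function attempt(login: Login, sso: boolean, password: string): string[] {
  const svc = new RecordingEventService();
  try { login(svc, sso, EMAIL, password); } catch { /* rejection is expected */ }
  return svc.events.map((e) => e.name);
}
```

The same recorder pattern works as a regression test for the real controllers: every path that rejects a login should leave exactly one user-login-failed event behind.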

Notes

The fix requires modifying the oidc.controller.ee.ts and auth.controller.ts files, which may have unintended consequences. Thorough testing is recommended to ensure the changes do not introduce new issues.

Recommendation

Apply the workaround by modifying the oidc.controller.ee.ts and auth.controller.ts files to emit the missing events, as this is the most direct way to address the audit logging gaps.
