n8n Generates localhost OAuth Redirect URL Despite Correct WEBHOOK_URL Settings Behind NGINX Reverse Proxy

Below is a few points to check and adjust so that n8n uses your public domain for OAuth callbacks instead of its default localhost address:

1. Verify Which Environment Variables Are Used

n8n combines N8N_PROTOCOL, N8N_HOST, and (by default) N8N_PORT when constructing webhook URLs (including OAuth callbacks). Even though you set WEBHOOK_URL, conflicting or missing variables (such as N8N_PORT) can cause a fallback to localhost. In your docker-compose you have:

  • N8N_HOST=n8n.example.com
  • N8N_PROTOCOL=https
  • WEBHOOK_URL=https://n8n.example.com/

If you don’t override N8N_PORT explicitly, it may default to 5678. To force n8n to use your public domain you can remove the internal port by setting N8N_PORT to an empty value or to 443. For example:

YAMLCopied
environment:
  - N8N_HOST=n8n.example.com
  - N8N_PROTOCOL=https
  - WEBHOOK_URL=https://n8n.example.com/
  - N8N_PORT=

This way the generated URLs won’t automatically append “:5678.”

2. Remove Unused or Conflicting Variables

You’re also setting N8N_URL which isn’t used by n8n when constructing webhook and OAuth redirect URLs. It’s best to remove any extra variables that might cause confusion.

3. Check Your NGINX Reverse Proxy Configuration

Ensure that NGINX is forwarding the proper headers so that n8n sees the correct public host and protocol. Your NGINX configuration should include at least:

NGINXCopied
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;

If these headers aren’t passed, n8n may assume the request came from “localhost” over HTTP.

4. Restart n8n After Configuration Changes

Remember that n8n reads these values only on startup. After making changes to your docker-compose file or NGINX configuration, restart the container so the new environment variables take effect.

Summary

The issue is likely caused by n8n combining its default internal port (5678) with your host because N8N_PORT isn’t overridden and because the reverse proxy might not be passing the expected headers. Adjusting your docker-compose configuration (by removing N8N_URL and setting N8N_PORT either to an empty string or 443) and ensuring NGINX is forwarding the proper headers should resolve the problem so that your OAuth Redirect URL shows as “https://n8n.example.com/…” rather than “http://localhost:5678/…”.

Below is an explanation and some troubleshooting steps to resolve the issue.

---

Why Is the Redirect URL Still Using localhost?

n8n builds webhook and OAuth Redirect URLs by combining several environment variables. By default, it uses the values of
• N8N_PROTOCOL
• N8N_HOST
• N8N_PORT

When running behind a reverse proxy, the internal port (often 5678) does not match the externally exposed port (typically 443). In your case, even though you set N8N_HOST, N8N_PROTOCOL, and WEBHOOK_URL, you also set N8N_URL (which isn’t used in generating the webhook or OAuth callbacks) and did not override N8N_PORT. As a result, n8n is still detecting the container’s default (localhost:5678) when generating the OAuth Redirect URL.

---

Troubleshooting and Recommended Steps

1. Remove or Adjust Unnecessary Variables
   Remove the unused N8N_URL variable to avoid any confusion. The official recommendation is to use WEBHOOK_URL to override the internally generated URL.

2. Explicitly Set N8N_PORT (or Omit It)
   Since your reverse proxy uses HTTPS on port 443, you have two options:

   • Either set N8N_PORT=443 so that the generated URL becomes the public URL,
   • Or omit N8N_PORT (or set it to an empty value) so that n8n uses WEBHOOK_URL as the source of truth.

3. Recreate OAuth Credentials
   If your OAuth credentials were created before the environment variables were updated, they might still be using the old callback URL. Try removing and reconfiguring your OAuth credentials so that the new webhook URL is used.

4. Restart the Container Fully
   After updating the Docker Compose configuration, make sure you fully restart the container. This ensures that the new environment variables take effect.

---

Example Updated Environment Configuration

Below is an example snippet for your docker-compose.yml where the settings are adjusted:

YAMLCopied
environment:
  - N8N_HOST=n8n.example.com
  - N8N_PROTOCOL=https
  # Option 1: Set the port to your public port (443)
  - N8N_PORT=443
  # Option 2: Alternatively, you could comment out N8N_PORT if WEBHOOK_URL is properly defined
  - WEBHOOK_URL=https://n8n.example.com/

---

Recap

• n8n by default uses N8N_PROTOCOL, N8N_HOST, and N8N_PORT to generate webhook and OAuth Redirect URLs.
• In reverse proxy setups, the container’s port (5678) may leak into these URLs if not overridden.
• Removing unused variables (like N8N_URL) and explicitly setting or omitting N8N_PORT while using WEBHOOK_URL should resolve the mismatch.
• Remember to reconfigure your OAuth credentials if they were created before these changes.

Following these steps should help n8n generate the correct OAuth Redirect URL corresponding to your public domain (https://n8n.example.com/).