Description
n8n-nodes-azure-openai-ms-oauth2
This is an n8n community node that provides Azure OpenAI Chat Model and Embeddings with Microsoft OAuth2 authentication for LangChain workflows in n8n.
Azure OpenAI Service provides REST API access to OpenAI’s powerful language models including GPT-4o, GPT-4.1, o1, and embedding models like text-embedding-3-small/large. This node uses Microsoft OAuth2 for secure, enterprise-grade authentication instead of API keys.
Perfect for Azure API Management (APIM) as an AI Gateway: This node is designed to work seamlessly with Azure API Management as an AI Gateway, enabling centralized management, monitoring, rate limiting, and security policies for your Azure OpenAI deployments.
n8n is a fair-code licensed workflow automation platform.
Installation
Features
Credentials
Compatibility
Usage
Resources
Installation
⚠️ Self-Hosted n8n Required: This node requires a self-hosted n8n instance as it depends on @langchain/openai and langchain packages. n8n Cloud does not support community nodes with external dependencies.
Follow the installation guide in the n8n community nodes documentation.
For self-hosted n8n:
npm install n8n-nodes-azure-openai-ms-oauth2
Or install directly in n8n:
1. Go to Settings > Community Nodes
2. Select Install
3. Enter n8n-nodes-azure-openai-ms-oauth2
4. Agree to the risks and install
Features
LangChain Chat Model
- AI Agent Integration: Use as a language model in AI Agent workflows
- LangChain Chains: Compatible with all LangChain chain types
- Streaming Support: Real-time response streaming
- Execution Visibility: Full n8n integration with animation and data display
- Vector Embeddings: Generate embeddings for text using Azure OpenAI embedding models
- Flexible Authentication: Supports both
api-keyandAuthorization: Bearerheaders - Model Options: Configure dimensions, encoding format (float/base64), and user tracking
- APIM Compatible: Works seamlessly with Azure API Management as AI Gateway
- Tool Integration: Can be used as a tool in AI Agent workflows
- Model Parameters: Full control over temperature, max tokens, penalties, etc.
- OAuth2 Security: Enterprise-grade authentication with smart token refresh
- n8n sends JWT token → APIM validates the OAuth2 JWT in
api-keyheader - APIM authenticates to Azure OpenAI → APIM uses its own credentials (API key or managed identity)
- Centralized Management: Route requests through APIM for unified API governance
- Advanced Monitoring: Track usage, performance, and costs across all AI services
- Rate Limiting & Quotas: Implement usage policies and prevent overages
- Security Policies: JWT validation, IP filtering, and request validation at APIM layer
- Load Balancing: Distribute requests across multiple Azure OpenAI instances
- Custom OAuth2 Scopes: Use your organization’s custom API scopes (e.g.,
api://your-app-id/.default) - Self-hosted n8n only (not compatible with n8n Cloud)
- Minimum n8n version: 1.0.0
- Tested with n8n version: 1.119.1+
- Requires LangChain support in n8n
- Requires
@langchain/openaiandlangchainpackages (installed as peer dependencies)
Embeddings Node
– Execution animation during model invocation (visual progress indicator)
– Input/output data visible in n8n execution UI (not just logs)
– Token usage displayed in execution data (prompt, completion, total tokens)
– Proper integration with n8n’s connection system via N8nLlmTracing
– Error tracking and display in execution UI
– Matches behavior of built-in n8n LangChain chat model nodes
– Enabled for both streaming and non-streaming requests
– Automatically decodes JWT to check token expiry before each request
– Proactive token refresh before expiration (default: 15 minutes before)
– Prevents authentication failures from expired tokens during workflow execution
– Configurable refresh buffer in credential settings (60-3600 seconds)
– Smart strategy: Uses HTTP request for expired tokens, manual refresh for expiring tokens
Azure API Management (APIM) AI Gateway Support
This node is specifically designed for APIM AI Gateway scenarios where:
Credentials
To use this node, you need:
Prerequisites
1. An Azure subscription
2. Azure OpenAI resource created in Azure Portal
3. A deployed model (e.g., GPT-4o, GPT-4.1, o1)
4. Azure AD app registration with appropriate permissions
Setting up Microsoft OAuth2 credentials
1. Register an Azure AD Application:
– Go to Azure Portal > Azure Active Directory > App registrations
– Create a new registration
– Note the Application (client) ID and Directory (tenant) ID
2. Expose an API:
– In your app registration, go to “Expose an API”
– Add an Application ID URI (e.g., api://12345678-1234-1234-1234-123456789abc)
– Add a scope (e.g., user_impersonation) or use the default .default scope
– This creates the scope: api://
3. Create Client Secret:
– In your app registration, go to Certificates & secrets
– Create a new client secret and save it securely
4. Configure n8n Credentials:
– Credential Type: Azure OpenAI MS OAuth2 API
– API Scope: Your Azure AD application scope in format api://
– Example: api://12345678-1234-1234-1234-123456789abc/.default
– This must match the API exposed in your Azure AD app registration
– The JWT token’s aud (audience) claim will be set to this value
– Endpoint: Your APIM gateway base URL (without trailing slash)
– Example: https://your-apim.azure-api.net/aiProject
– This is your APIM API path, NOT the Azure OpenAI endpoint
– APIM will rewrite this to the actual Azure OpenAI backend endpoint
– API Version: 2025-03-01-preview (default, or use your preferred version)
– Client ID: Your Azure AD application ID
– Client Secret: Your Azure AD client secret
– Tenant ID: Your Azure AD tenant ID
5. APIM Configuration:
– Configure APIM to validate the JWT token in the api-key header
– Set up APIM policies to validate the aud claim matches your API scope
– Configure APIM backend to point to your Azure OpenAI resource
– APIM will rewrite the URL from your APIM path to the Azure OpenAI endpoint
– Example flow:
– n8n calls: https://your-apim.azure-api.net/aiProject/deployments/gpt-4o/chat/completions
– n8n sends: api-key:
– APIM extracts and validates JWT from api-key header
– APIM rewrites to: https://your-resource.openai.azure.com/openai/deployments/gpt-4o/chat/completions
– APIM replaces api-key header with actual Azure OpenAI credentials
– APIM validates the JWT and forwards requests to Azure OpenAI with its own credentials
Compatibility
Usage
Using with AI Agent
1. Add an AI Agent node to your workflow
2. In the AI Agent configuration, add a Language Model
3. Select Azure OpenAI Chat Model (MS OAuth2)
4. Configure your credentials
5. Select the Model using one of two methods:
– From List: Select from predefined models (configured via AZUREOPENAIMODELS environment variable)
– By ID: Enter the deployment name manually (e.g., gpt-4o-deployment)
– This is the deployment name configured in your Azure OpenAI resource, NOT the model name
6. Adjust options as needed:
– Frequency Penalty: Reduces repetition (-2 to 2, default: 0)
– Maximum Number of Tokens: Max tokens to generate (default: -1 for model default, max: 128000)
– Max Retries: Number of retry attempts on failure (default: 2)
– Presence Penalty: Encourages new topics (-2 to 2, default: 0)
– Response Format: Choose between Text or JSON output
– Text: Regular text response (default)
– JSON: Enables JSON mode for structured output (requires “json” in prompt, use with models post-Nov 2023)
– Temperature: Controls randomness (0-2, default: 0.7)
– Timeout (Ms): Request timeout in milliseconds (default: 60000)
– Top P: Nucleus sampling (0-1, default: 1)
Using with LangChain Chains
1. Add a Chain node (e.g., “Conversation Chain”, “Question and Answer Chain”)
2. Connect the Azure OpenAI Chat Model (MS OAuth2) as the language model
3. Configure your chain logic
4. The model will be used for all LLM operations in the chain
Example: Simple AI Agent
[Manual Trigger] → [AI Agent]
↓
[Azure OpenAI Chat Model (MS OAuth2)]
↓
[Output]
The AI Agent can use your Azure OpenAI deployment with OAuth2 authentication for secure, enterprise-grade AI workflows.
Using the Embeddings Node
1. Add Azure OpenAI Embedding (MS OAuth2) node to your workflow
2. Configure your credentials (same as chat model)
3. Set the Deployment Name parameter to your Azure OpenAI embedding deployment name (e.g., text-embedding-3-small)
4. Enter the Text to generate embeddings for
5. Optionally configure:
– Dimensions: Number of dimensions for the output embeddings (text-embedding-3 models only)
– Encoding Format: Float (default) or Base64
– User: Unique identifier for tracking and abuse monitoring
Example: Generate Embeddings for Vector Database
[Manual Trigger] → [Azure OpenAI Embedding (MS OAuth2)] → [Pinecone/Qdrant/etc.]
The embedding node generates vector embeddings that can be stored in vector databases for semantic search, RAG (Retrieval Augmented Generation), and similarity matching.
Configuration
Dynamic Model Selection
The chat model node supports dynamic model selection via environment variables, allowing you to configure available models centrally.
#### Setting Up Model List
Set the AZUREOPENAIMODELS environment variable before starting n8n:
export AZUREOPENAIMODELS="gpt-4o-deployment,*gpt-4-deployment,gpt-35-turbo-deployment"
n8n start
Format:
* to mark it as the default"model1,*model2,model3" makes model2 the defaultIn the n8n UI:
– Default model appears first with “(default)” label
– Searchable/filterable list
Without environment variable:
*gpt-4o,gpt-4,gpt-35-turboToken Refresh Buffer
#### Why This Matters
OAuth2 access tokens have an expiration time (typically 60 minutes). If your workflow takes a long time to execute, the token might expire in the middle of the workflow, causing authentication failures and workflow errors.
The Token Refresh Buffer setting allows you to proactively refresh the token before it expires, ensuring your workflow completes successfully even if it runs for an extended period.
#### How It Works
Token issued at: 10:00 AM
Token expires at: 11:00 AM (60 minutes later)
Buffer time: 15 minutes (900 seconds)Timeline:
10:00 AM ──────────────────────────────── 10:45 AM ──────── 11:00 AM
↑ ↑ ↑
Token issued Refresh point Token expires
(15 min before)
Example 1 - Workflow starts at 10:30 AM (30 min remaining):
✅ Token valid period: 30 minutes > Buffer: 15 minutes
Node checks token: 30 min remaining, sufficient for workflow
No refresh needed
Workflow runs successfully Example 2 - Workflow starts at 10:59 AM (1 min remaining):
⚠️ Token valid period: 1 minute < Buffer: 15 minutes
Node checks token: only 1 min remaining → triggers refresh
New token issued, valid until 11:59 AM (60 min validity)
Workflow continues safely
Without refresh: Token expires in 1 minute → mid-workflow failure!
#### Configuration Steps
1. Go to Credentials → Azure OpenAI MS OAuth2 API
2. Set Token Refresh Buffer (seconds) field
Settings:
900 (15 minutes)60 to 3600 (1 minute to 60 minutes)#### When to Adjust
| Workflow Type | Buffer Time | Reason |
|————–|————-|——–|
| Quick workflows (< 5 min) | 300-600 sec (5-10 min) | Minimize unnecessary refreshes |
| Medium workflows (5-20 min) | 900-1200 sec (15-20 min) | Default, suitable for most cases |
| Long workflows (20-60 min) | 1800-3600 sec (30-60 min) | Ensure token stays valid throughout |
Example scenarios:
Troubleshooting
Token Refresh Issues
If you experience token expiration issues:
1. Verify offlineaccess scope: The credential automatically adds offlineaccess to your API scope to enable refresh tokens. Check your Azure AD app registration allows this scope.
2. Check refresh token: Ensure your Azure AD app is configured to issue refresh tokens. The node logs will show if a refresh token is missing.
3. Adjust buffer time: If your workflows take longer than expected, increase the Token Refresh Buffer (seconds) in your credential settings (default: 900 seconds / 15 minutes).
4. Check logs: Enable n8n logging to see token refresh attempts. Look for messages like:
– ✅ SUCCESS: Token refreshed via HTTP request (n8n OAuth2)
– ✅ SUCCESS: Token refreshed via manual refresh_token grant
– ✓ Token still valid, expires in X minutes