OAuth2 credentials no longer send empty scope in token requests
Generic OAuth2 API credentials now omit the scope parameter entirely when left blank, fixing token request failures caused by non-standard empty strings that some authorization servers reject.
When users configured a Generic OAuth2 API credential with the Client Credentials grant type and left the Scope field blank, n8n sent scope= (an empty string) in the token request body. This violated RFC 6749 §3.3, which specifies that scope is optional. Some OAuth2 servers responded with 400 invalid_scope or 401 errors, making the credential unusable despite otherwise correct configuration.
Scope values are now split, trimmed, and filtered to remove empty tokens before the token request is sent. When no valid scopes remain, the parameter is omitted entirely rather than sent as an empty string. Additionally, when token acquisition fails, the error is now wrapped with "Failed to acquire OAuth2 access token:" so users immediately understand that the failure occurred during authentication rather than during the API request itself.
These changes affect OAuth2 credential handling in the n8n core execution engine.
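The scope handling and error wrapping described above, sketched in TypeScript as an added example (not n8n's actual code). The function names, the sample credential values, and the choice to split on whitespace or commas are assumptions.

```typescript
// Added illustration; the names below are hypothetical, not n8n's internals.
interface ClientCredentialsConfig {
  clientId: string;
  clientSecret: string;
  scope?: string; // raw value of the credential's Scope field
}

// Split the raw Scope field, trim each token and drop empty ones.
// Assumption: tokens may be separated by whitespace or commas.
function normalizeScopes(raw?: string): string[] {
  return (raw || '')
    .split(/[\s,]+/)
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// Build the form-encoded body for a client-credentials token request with
// the client credentials sent in the request body. The scope key is added
// only when at least one scope remains, so a blank field never yields "scope=".
function buildTokenRequestBody(config: ClientCredentialsConfig): string {
  const params = new URLSearchParams();
  params.set('grant_type', 'client_credentials');
  params.set('client_id', config.clientId);
  params.set('client_secret', config.clientSecret);
  const scopes = normalizeScopes(config.scope);
  if (scopes.length > 0) {
    params.set('scope', scopes.join(' ')); // RFC 6749 §3.3: space-delimited list
  }
  return params.toString();
}

// Prefix a token-endpoint failure so it is not mistaken for an API error.
function wrapTokenError(error: unknown): Error {
  const reason = error instanceof Error ? error.message : String(error);
  return new Error('Failed to acquire OAuth2 access token: ' + reason);
}

// Constructed sample values, not real credentials.
const blank = buildTokenRequestBody({ clientId: 'demo-client', clientSecret: 'demo-secret', scope: '   ' });
const scoped = buildTokenRequestBody({ clientId: 'demo-client', clientSecret: 'demo-secret', scope: ' read ,, write ' });
console.log(blank);
console.log(scoped);
console.log(wrapTokenError(new Error('HTTP status 400')).message);
```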
View Original GitHub Description
Summary
When using a Generic OAuth2 API credential with Grant Type: Client Credentials and the Scope field left empty, n8n was sending scope= (empty string) in the token request body. This is non-standard per RFC 6749 §3.3 — scope is optional, and an explicit empty value is rejected by some OAuth2 servers with a 400 invalid_scope or 401 error, preventing the credential from working at all.
Additionally, when token acquisition fails, the error message (ResponseError: HTTP status 400) gave no indication that it was the token fetch that failed — users saw an auth error and assumed the Authorization header was never sent to the API.
Changes
- Empty scope is no longer sent: when the Scope field is blank, the scope parameter is omitted from the token request entirely rather than sent as scope=
- Clearer error message on token fetch failure: wraps getToken() to re-throw with "Failed to acquire OAuth2 access token: <reason>", making it immediately clear the failure happened before any API request was attempted
How to test
- Create a Generic OAuth2 API credential:
  - Grant Type: Client Credentials
  - Authentication: Send in Request Body
  - Scope: (leave empty)
  - Fill in a real Access Token URL, Client ID, and Client Secret
- Add an HTTP Request node using that credential
- Execute — the token request should succeed (no scope= sent), and the API request should carry Authorization: Bearer <token>
To test the error message improvement: use invalid client credentials — the resulting error should now read "Failed to acquire OAuth2 access token: ..." instead of a raw ResponseError.
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/IAM-509
Review / Merge checklist
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)