2025-06-09 11:27:23 -04:00
|
|
|
const undici = require('undici');
|
2025-10-09 08:35:22 +01:00
|
|
|
const { get } = require('lodash');
|
2024-05-17 13:03:31 -05:00
|
|
|
const fetch = require('node-fetch');
|
2023-12-14 07:49:27 -05:00
|
|
|
const passport = require('passport');
|
2025-05-30 22:18:13 -04:00
|
|
|
const client = require('openid-client');
|
2024-04-02 03:08:17 -04:00
|
|
|
const jwtDecode = require('jsonwebtoken/decode');
|
2024-06-15 15:41:34 +02:00
|
|
|
const { HttpsProxyAgent } = require('https-proxy-agent');
|
2025-05-30 22:18:13 -04:00
|
|
|
const { hashToken, logger } = require('@librechat/data-schemas');
|
2025-08-11 18:49:34 -04:00
|
|
|
const { CacheKeys, ErrorTypes } = require('librechat-data-provider');
|
2025-05-22 14:19:24 +02:00
|
|
|
const { Strategy: OpenIDStrategy } = require('openid-client/passport');
|
2025-08-27 12:59:40 -04:00
|
|
|
const {
|
|
|
|
|
isEnabled,
|
|
|
|
|
logHeaders,
|
|
|
|
|
safeStringify,
|
|
|
|
|
findOpenIDUser,
|
|
|
|
|
getBalanceConfig,
|
2025-09-27 21:20:19 -04:00
|
|
|
isEmailDomainAllowed,
|
2025-08-27 12:59:40 -04:00
|
|
|
} = require('@librechat/api');
|
2024-04-19 09:12:55 -04:00
|
|
|
const { getStrategyFunctions } = require('~/server/services/Files/strategies');
|
2025-05-30 22:18:13 -04:00
|
|
|
const { findUser, createUser, updateUser } = require('~/models');
|
2025-08-26 12:10:18 -04:00
|
|
|
const { getAppConfig } = require('~/server/services/Config');
|
2025-05-22 14:19:24 +02:00
|
|
|
const getLogStores = require('~/cache/getLogStores');
|
2023-06-24 21:45:52 -05:00
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
/**
|
|
|
|
|
* @typedef {import('openid-client').ClientMetadata} ClientMetadata
|
|
|
|
|
* @typedef {import('openid-client').Configuration} Configuration
|
|
|
|
|
**/
|
|
|
|
|
|
2025-06-09 11:27:23 -04:00
|
|
|
/**
|
|
|
|
|
* @param {string} url
|
|
|
|
|
* @param {client.CustomFetchOptions} options
|
|
|
|
|
*/
|
|
|
|
|
async function customFetch(url, options) {
|
|
|
|
|
const urlStr = url.toString();
|
|
|
|
|
logger.debug(`[openidStrategy] Request to: ${urlStr}`);
|
|
|
|
|
const debugOpenId = isEnabled(process.env.DEBUG_OPENID_REQUESTS);
|
|
|
|
|
if (debugOpenId) {
|
|
|
|
|
logger.debug(`[openidStrategy] Request method: ${options.method || 'GET'}`);
|
|
|
|
|
logger.debug(`[openidStrategy] Request headers: ${logHeaders(options.headers)}`);
|
|
|
|
|
if (options.body) {
|
|
|
|
|
let bodyForLogging = '';
|
|
|
|
|
if (options.body instanceof URLSearchParams) {
|
|
|
|
|
bodyForLogging = options.body.toString();
|
|
|
|
|
} else if (typeof options.body === 'string') {
|
|
|
|
|
bodyForLogging = options.body;
|
|
|
|
|
} else {
|
|
|
|
|
bodyForLogging = safeStringify(options.body);
|
|
|
|
|
}
|
|
|
|
|
logger.debug(`[openidStrategy] Request body: ${bodyForLogging}`);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
/** @type {undici.RequestInit} */
|
|
|
|
|
let fetchOptions = options;
|
|
|
|
|
if (process.env.PROXY) {
|
|
|
|
|
logger.info(`[openidStrategy] proxy agent configured: ${process.env.PROXY}`);
|
|
|
|
|
fetchOptions = {
|
|
|
|
|
...options,
|
2025-07-01 22:30:06 +02:00
|
|
|
dispatcher: new undici.ProxyAgent(process.env.PROXY),
|
2025-06-09 11:27:23 -04:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const response = await undici.fetch(url, fetchOptions);
|
|
|
|
|
|
|
|
|
|
if (debugOpenId) {
|
|
|
|
|
logger.debug(`[openidStrategy] Response status: ${response.status} ${response.statusText}`);
|
|
|
|
|
logger.debug(`[openidStrategy] Response headers: ${logHeaders(response.headers)}`);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (response.status === 200 && response.headers.has('www-authenticate')) {
|
|
|
|
|
const wwwAuth = response.headers.get('www-authenticate');
|
|
|
|
|
logger.warn(`[openidStrategy] Non-standard WWW-Authenticate header found in successful response (200 OK): ${wwwAuth}.
|
|
|
|
|
This violates RFC 7235 and may cause issues with strict OAuth clients. Removing header for compatibility.`);
|
|
|
|
|
|
|
|
|
|
/** Cloned response without the WWW-Authenticate header */
|
|
|
|
|
const responseBody = await response.arrayBuffer();
|
|
|
|
|
const newHeaders = new Headers();
|
|
|
|
|
for (const [key, value] of response.headers.entries()) {
|
|
|
|
|
if (key.toLowerCase() !== 'www-authenticate') {
|
|
|
|
|
newHeaders.append(key, value);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return new Response(responseBody, {
|
|
|
|
|
status: response.status,
|
|
|
|
|
statusText: response.statusText,
|
|
|
|
|
headers: newHeaders,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return response;
|
|
|
|
|
} catch (error) {
|
|
|
|
|
logger.error(`[openidStrategy] Fetch error: ${error.message}`);
|
|
|
|
|
throw error;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
/** @typedef {Configuration | null} */
|
|
|
|
|
let openidConfig = null;
|
|
|
|
|
|
|
|
|
|
//overload currenturl function because of express version 4 buggy req.host doesn't include port
|
|
|
|
|
//More info https://github.com/panva/openid-client/pull/713
|
|
|
|
|
|
|
|
|
|
class CustomOpenIDStrategy extends OpenIDStrategy {
|
|
|
|
|
currentUrl(req) {
|
|
|
|
|
const hostAndProtocol = process.env.DOMAIN_SERVER;
|
|
|
|
|
return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
|
|
|
|
|
}
|
2025-08-16 17:14:01 +00:00
|
|
|
|
2025-05-25 23:40:37 -04:00
|
|
|
authorizationRequestParams(req, options) {
|
|
|
|
|
const params = super.authorizationRequestParams(req, options);
|
|
|
|
|
if (options?.state && !params.has('state')) {
|
|
|
|
|
params.set('state', options.state);
|
|
|
|
|
}
|
2025-08-05 02:49:36 +08:00
|
|
|
|
|
|
|
|
if (process.env.OPENID_AUDIENCE) {
|
|
|
|
|
params.set('audience', process.env.OPENID_AUDIENCE);
|
|
|
|
|
logger.debug(
|
|
|
|
|
`[openidStrategy] Adding audience to authorization request: ${process.env.OPENID_AUDIENCE}`,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-16 17:14:01 +00:00
|
|
|
/** Generate nonce for federated providers that require it */
|
|
|
|
|
const shouldGenerateNonce = isEnabled(process.env.OPENID_GENERATE_NONCE);
|
|
|
|
|
if (shouldGenerateNonce && !params.has('nonce') && this._sessionKey) {
|
|
|
|
|
const crypto = require('crypto');
|
|
|
|
|
const nonce = crypto.randomBytes(16).toString('hex');
|
|
|
|
|
params.set('nonce', nonce);
|
|
|
|
|
logger.debug('[openidStrategy] Generated nonce for federated provider:', nonce);
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-25 23:40:37 -04:00
|
|
|
return params;
|
|
|
|
|
}
|
2023-06-24 21:45:52 -05:00
|
|
|
}
|
2024-10-27 11:41:48 -04:00
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
/**
|
|
|
|
|
* Exchange the access token for a new access token using the on-behalf-of flow if required.
|
|
|
|
|
* @param {Configuration} config
|
|
|
|
|
* @param {string} accessToken access token to be exchanged if necessary
|
|
|
|
|
* @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
|
|
|
|
|
* @param {boolean} fromCache - Indicates whether to use cached tokens.
|
|
|
|
|
* @returns {Promise<string>} The new access token if exchanged, otherwise the original access token.
|
|
|
|
|
*/
|
|
|
|
|
const exchangeAccessTokenIfNeeded = async (config, accessToken, sub, fromCache = false) => {
|
|
|
|
|
const tokensCache = getLogStores(CacheKeys.OPENID_EXCHANGED_TOKENS);
|
2025-06-26 19:10:21 -04:00
|
|
|
const onBehalfFlowRequired = isEnabled(process.env.OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED);
|
2025-05-22 14:19:24 +02:00
|
|
|
if (onBehalfFlowRequired) {
|
|
|
|
|
if (fromCache) {
|
|
|
|
|
const cachedToken = await tokensCache.get(sub);
|
|
|
|
|
if (cachedToken) {
|
|
|
|
|
return cachedToken.access_token;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
const grantResponse = await client.genericGrantRequest(
|
|
|
|
|
config,
|
|
|
|
|
'urn:ietf:params:oauth:grant-type:jwt-bearer',
|
|
|
|
|
{
|
2025-06-26 19:10:21 -04:00
|
|
|
scope: process.env.OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE || 'user.read',
|
2025-05-22 14:19:24 +02:00
|
|
|
assertion: accessToken,
|
|
|
|
|
requested_token_use: 'on_behalf_of',
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
await tokensCache.set(
|
|
|
|
|
sub,
|
|
|
|
|
{
|
|
|
|
|
access_token: grantResponse.access_token,
|
|
|
|
|
},
|
|
|
|
|
grantResponse.expires_in * 1000,
|
|
|
|
|
);
|
|
|
|
|
return grantResponse.access_token;
|
|
|
|
|
}
|
|
|
|
|
return accessToken;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* get user info from openid provider
|
|
|
|
|
* @param {Configuration} config
|
|
|
|
|
* @param {string} accessToken access token
|
|
|
|
|
* @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
|
|
|
|
|
* @returns {Promise<Object|null>}
|
|
|
|
|
*/
|
|
|
|
|
const getUserInfo = async (config, accessToken, sub) => {
|
|
|
|
|
try {
|
|
|
|
|
const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub);
|
|
|
|
|
return await client.fetchUserInfo(config, exchangedAccessToken, sub);
|
|
|
|
|
} catch (error) {
|
2025-09-05 03:12:17 -04:00
|
|
|
logger.error('[openidStrategy] getUserInfo: Error fetching user info:', error);
|
2025-05-22 14:19:24 +02:00
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2024-04-19 09:12:55 -04:00
|
|
|
/**
|
|
|
|
|
* Downloads an image from a URL using an access token.
|
|
|
|
|
* @param {string} url
|
2025-05-22 14:19:24 +02:00
|
|
|
* @param {Configuration} config
|
|
|
|
|
* @param {string} accessToken access token
|
|
|
|
|
* @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
|
|
|
|
|
* @returns {Promise<Buffer | string>} The image buffer or an empty string if the download fails.
|
2024-04-19 09:12:55 -04:00
|
|
|
*/
|
2025-05-22 14:19:24 +02:00
|
|
|
const downloadImage = async (url, config, accessToken, sub) => {
|
|
|
|
|
const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub, true);
|
2024-04-19 09:12:55 -04:00
|
|
|
if (!url) {
|
|
|
|
|
return '';
|
|
|
|
|
}
|
2023-06-24 21:45:52 -05:00
|
|
|
|
|
|
|
|
try {
|
2024-07-05 17:23:06 +03:00
|
|
|
const options = {
|
2024-04-19 09:12:55 -04:00
|
|
|
method: 'GET',
|
2023-06-24 21:45:52 -05:00
|
|
|
headers: {
|
2025-05-22 14:19:24 +02:00
|
|
|
Authorization: `Bearer ${exchangedAccessToken}`,
|
2023-06-24 21:45:52 -05:00
|
|
|
},
|
2024-07-05 17:23:06 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (process.env.PROXY) {
|
|
|
|
|
options.agent = new HttpsProxyAgent(process.env.PROXY);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const response = await fetch(url, options);
|
2023-07-14 09:36:49 -04:00
|
|
|
|
2024-04-19 09:12:55 -04:00
|
|
|
if (response.ok) {
|
|
|
|
|
const buffer = await response.buffer();
|
|
|
|
|
return buffer;
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error(`${response.statusText} (HTTP ${response.status})`);
|
|
|
|
|
}
|
2023-06-24 21:45:52 -05:00
|
|
|
} catch (error) {
|
2023-12-14 07:49:27 -05:00
|
|
|
logger.error(
|
|
|
|
|
`[openidStrategy] downloadImage: Error downloading image at URL "${url}": ${error}`,
|
|
|
|
|
);
|
2023-06-24 21:45:52 -05:00
|
|
|
return '';
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2024-10-27 11:41:48 -04:00
|
|
|
/**
|
|
|
|
|
* Determines the full name of a user based on OpenID userinfo and environment configuration.
|
|
|
|
|
*
|
|
|
|
|
* @param {Object} userinfo - The user information object from OpenID Connect
|
|
|
|
|
* @param {string} [userinfo.given_name] - The user's first name
|
|
|
|
|
* @param {string} [userinfo.family_name] - The user's last name
|
|
|
|
|
* @param {string} [userinfo.username] - The user's username
|
|
|
|
|
* @param {string} [userinfo.email] - The user's email address
|
|
|
|
|
* @returns {string} The determined full name of the user
|
|
|
|
|
*/
|
|
|
|
|
function getFullName(userinfo) {
|
|
|
|
|
if (process.env.OPENID_NAME_CLAIM) {
|
|
|
|
|
return userinfo[process.env.OPENID_NAME_CLAIM];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (userinfo.given_name && userinfo.family_name) {
|
|
|
|
|
return `${userinfo.given_name} ${userinfo.family_name}`;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (userinfo.given_name) {
|
|
|
|
|
return userinfo.given_name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (userinfo.family_name) {
|
|
|
|
|
return userinfo.family_name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return userinfo.username || userinfo.email;
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-12 12:39:11 -04:00
|
|
|
/**
|
|
|
|
|
* Converts an input into a string suitable for a username.
|
|
|
|
|
* If the input is a string, it will be returned as is.
|
|
|
|
|
* If the input is an array, elements will be joined with underscores.
|
|
|
|
|
* In case of undefined or other falsy values, a default value will be returned.
|
|
|
|
|
*
|
|
|
|
|
* @param {string | string[] | undefined} input - The input value to be converted into a username.
|
|
|
|
|
* @param {string} [defaultValue=''] - The default value to return if the input is falsy.
|
|
|
|
|
* @returns {string} The processed input as a string suitable for a username.
|
|
|
|
|
*/
|
|
|
|
|
function convertToUsername(input, defaultValue = '') {
|
|
|
|
|
if (typeof input === 'string') {
|
|
|
|
|
return input;
|
|
|
|
|
} else if (Array.isArray(input)) {
|
|
|
|
|
return input.join('_');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return defaultValue;
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
/**
|
|
|
|
|
* Sets up the OpenID strategy for authentication.
|
|
|
|
|
* This function configures the OpenID client, handles proxy settings,
|
|
|
|
|
* and defines the OpenID strategy for Passport.js.
|
|
|
|
|
*
|
|
|
|
|
* @async
|
|
|
|
|
* @function setupOpenId
|
|
|
|
|
* @returns {Promise<Configuration | null>} A promise that resolves when the OpenID strategy is set up and returns the openid client config object.
|
|
|
|
|
* @throws {Error} If an error occurs during the setup process.
|
|
|
|
|
*/
|
2023-07-22 07:29:17 -07:00
|
|
|
async function setupOpenId() {
|
|
|
|
|
try {
|
2025-08-16 17:14:01 +00:00
|
|
|
const shouldGenerateNonce = isEnabled(process.env.OPENID_GENERATE_NONCE);
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
/** @type {ClientMetadata} */
|
2025-01-21 21:49:27 -05:00
|
|
|
const clientMetadata = {
|
2023-06-24 21:45:52 -05:00
|
|
|
client_id: process.env.OPENID_CLIENT_ID,
|
|
|
|
|
client_secret: process.env.OPENID_CLIENT_SECRET,
|
2025-01-21 21:49:27 -05:00
|
|
|
};
|
2025-05-22 14:19:24 +02:00
|
|
|
|
2025-08-16 17:14:01 +00:00
|
|
|
if (shouldGenerateNonce) {
|
|
|
|
|
clientMetadata.response_types = ['code'];
|
|
|
|
|
clientMetadata.grant_types = ['authorization_code'];
|
|
|
|
|
clientMetadata.token_endpoint_auth_method = 'client_secret_post';
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
/** @type {Configuration} */
|
|
|
|
|
openidConfig = await client.discovery(
|
|
|
|
|
new URL(process.env.OPENID_ISSUER),
|
|
|
|
|
process.env.OPENID_CLIENT_ID,
|
|
|
|
|
clientMetadata,
|
2025-06-09 11:27:23 -04:00
|
|
|
undefined,
|
|
|
|
|
{
|
|
|
|
|
[client.customFetch]: customFetch,
|
|
|
|
|
},
|
2025-05-22 14:19:24 +02:00
|
|
|
);
|
2025-06-09 11:27:23 -04:00
|
|
|
|
2024-04-02 03:08:17 -04:00
|
|
|
const requiredRole = process.env.OPENID_REQUIRED_ROLE;
|
|
|
|
|
const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
|
|
|
|
|
const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
|
2025-05-22 14:19:24 +02:00
|
|
|
const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
|
2025-08-16 17:14:01 +00:00
|
|
|
logger.info(`[openidStrategy] OpenID authentication configuration`, {
|
|
|
|
|
generateNonce: shouldGenerateNonce,
|
|
|
|
|
reason: shouldGenerateNonce
|
|
|
|
|
? 'OPENID_GENERATE_NONCE=true - Will generate nonce and use explicit metadata for federated providers'
|
|
|
|
|
: 'OPENID_GENERATE_NONCE=false - Standard flow without explicit nonce or metadata',
|
|
|
|
|
});
|
|
|
|
|
|
2025-10-09 08:35:22 +01:00
|
|
|
// Set of env variables that specify how to set if a user is an admin
|
|
|
|
|
// If not set, all users will be treated as regular users
|
|
|
|
|
const adminRole = process.env.OPENID_ADMIN_ROLE;
|
|
|
|
|
const adminRoleParameterPath = process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH;
|
|
|
|
|
const adminRoleTokenKind = process.env.OPENID_ADMIN_ROLE_TOKEN_KIND;
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
const openidLogin = new CustomOpenIDStrategy(
|
2023-06-24 21:45:52 -05:00
|
|
|
{
|
2025-05-22 14:19:24 +02:00
|
|
|
config: openidConfig,
|
|
|
|
|
scope: process.env.OPENID_SCOPE,
|
|
|
|
|
callbackURL: process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL,
|
2025-08-16 17:14:01 +00:00
|
|
|
clockTolerance: process.env.OPENID_CLOCK_TOLERANCE || 300,
|
2025-05-22 14:19:24 +02:00
|
|
|
usePKCE,
|
2023-06-24 21:45:52 -05:00
|
|
|
},
|
2025-09-23 14:46:53 -04:00
|
|
|
/**
|
|
|
|
|
* @param {import('openid-client').TokenEndpointResponseHelpers} tokenset
|
|
|
|
|
* @param {import('passport-jwt').VerifyCallback} done
|
|
|
|
|
*/
|
2025-05-22 14:19:24 +02:00
|
|
|
async (tokenset, done) => {
|
2023-06-24 21:45:52 -05:00
|
|
|
try {
|
2025-05-22 14:19:24 +02:00
|
|
|
const claims = tokenset.claims();
|
2025-09-11 01:01:58 -04:00
|
|
|
const userinfo = {
|
|
|
|
|
...claims,
|
|
|
|
|
...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const appConfig = await getAppConfig();
|
2025-10-29 12:57:43 -04:00
|
|
|
/** Azure AD sometimes doesn't return email, use preferred_username as fallback */
|
|
|
|
|
const email = userinfo.email || userinfo.preferred_username || userinfo.upn;
|
|
|
|
|
if (!isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
|
2025-09-11 01:01:58 -04:00
|
|
|
logger.error(
|
2025-10-29 12:57:43 -04:00
|
|
|
`[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${email}]`,
|
2025-09-11 01:01:58 -04:00
|
|
|
);
|
|
|
|
|
return done(null, false, { message: 'Email domain not allowed' });
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-27 12:59:40 -04:00
|
|
|
const result = await findOpenIDUser({
|
2025-09-23 14:46:53 -04:00
|
|
|
findUser,
|
2025-10-29 12:57:43 -04:00
|
|
|
email: email,
|
2025-09-23 14:46:53 -04:00
|
|
|
openidId: claims.sub,
|
|
|
|
|
idOnTheSource: claims.oid,
|
2025-08-27 12:59:40 -04:00
|
|
|
strategyName: 'openidStrategy',
|
|
|
|
|
});
|
|
|
|
|
let user = result.user;
|
|
|
|
|
const error = result.error;
|
|
|
|
|
|
|
|
|
|
if (error) {
|
2025-08-11 18:49:34 -04:00
|
|
|
return done(null, false, {
|
|
|
|
|
message: ErrorTypes.AUTH_FAILED,
|
|
|
|
|
});
|
|
|
|
|
}
|
2025-09-11 01:01:58 -04:00
|
|
|
|
2024-10-27 11:41:48 -04:00
|
|
|
const fullName = getFullName(userinfo);
|
2023-07-14 09:36:49 -04:00
|
|
|
|
2024-04-02 03:08:17 -04:00
|
|
|
if (requiredRole) {
|
2025-09-23 16:39:34 +02:00
|
|
|
const requiredRoles = requiredRole
|
|
|
|
|
.split(',')
|
|
|
|
|
.map((role) => role.trim())
|
|
|
|
|
.filter(Boolean);
|
2024-04-02 03:08:17 -04:00
|
|
|
let decodedToken = '';
|
|
|
|
|
if (requiredRoleTokenKind === 'access') {
|
|
|
|
|
decodedToken = jwtDecode(tokenset.access_token);
|
|
|
|
|
} else if (requiredRoleTokenKind === 'id') {
|
|
|
|
|
decodedToken = jwtDecode(tokenset.id_token);
|
|
|
|
|
}
|
2025-10-09 08:35:22 +01:00
|
|
|
|
|
|
|
|
let roles = get(decodedToken, requiredRoleParameterPath);
|
|
|
|
|
if (!roles || (!Array.isArray(roles) && typeof roles !== 'string')) {
|
2024-05-30 10:48:03 -04:00
|
|
|
logger.error(
|
2025-10-09 08:35:22 +01:00
|
|
|
`[openidStrategy] Key '${requiredRoleParameterPath}' not found or invalid type in ${requiredRoleTokenKind} token!`,
|
2024-04-02 03:08:17 -04:00
|
|
|
);
|
2025-10-09 08:35:22 +01:00
|
|
|
const rolesList =
|
|
|
|
|
requiredRoles.length === 1
|
|
|
|
|
? `"${requiredRoles[0]}"`
|
|
|
|
|
: `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
|
|
|
|
|
return done(null, false, {
|
|
|
|
|
message: `You must have ${rolesList} role to log in.`,
|
|
|
|
|
});
|
2024-04-02 03:08:17 -04:00
|
|
|
}
|
|
|
|
|
|
2025-09-23 16:39:34 +02:00
|
|
|
if (!requiredRoles.some((role) => roles.includes(role))) {
|
|
|
|
|
const rolesList =
|
|
|
|
|
requiredRoles.length === 1
|
|
|
|
|
? `"${requiredRoles[0]}"`
|
|
|
|
|
: `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
|
2024-04-02 03:08:17 -04:00
|
|
|
return done(null, false, {
|
2025-09-23 16:39:34 +02:00
|
|
|
message: `You must have ${rolesList} role to log in.`,
|
2024-04-02 03:08:17 -04:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-27 11:41:48 -04:00
|
|
|
let username = '';
|
|
|
|
|
if (process.env.OPENID_USERNAME_CLAIM) {
|
|
|
|
|
username = userinfo[process.env.OPENID_USERNAME_CLAIM];
|
|
|
|
|
} else {
|
|
|
|
|
username = convertToUsername(
|
2025-07-30 14:43:42 -04:00
|
|
|
userinfo.preferred_username || userinfo.username || userinfo.email,
|
2024-10-27 11:41:48 -04:00
|
|
|
);
|
|
|
|
|
}
|
2024-04-12 12:39:11 -04:00
|
|
|
|
2023-06-24 21:45:52 -05:00
|
|
|
if (!user) {
|
2024-06-07 21:06:47 +02:00
|
|
|
user = {
|
2023-06-24 21:45:52 -05:00
|
|
|
provider: 'openid',
|
|
|
|
|
openidId: userinfo.sub,
|
2024-04-12 12:39:11 -04:00
|
|
|
username,
|
2025-10-29 12:57:43 -04:00
|
|
|
email: email || '',
|
2023-06-24 21:45:52 -05:00
|
|
|
emailVerified: userinfo.email_verified || false,
|
2023-07-14 09:36:49 -04:00
|
|
|
name: fullName,
|
2025-06-23 10:22:27 -04:00
|
|
|
idOnTheSource: userinfo.oid,
|
2024-06-07 21:06:47 +02:00
|
|
|
};
|
2025-05-30 22:18:13 -04:00
|
|
|
|
2025-08-26 12:10:18 -04:00
|
|
|
const balanceConfig = getBalanceConfig(appConfig);
|
2025-05-30 22:18:13 -04:00
|
|
|
user = await createUser(user, balanceConfig, true, true);
|
2023-06-24 21:45:52 -05:00
|
|
|
} else {
|
|
|
|
|
user.provider = 'openid';
|
|
|
|
|
user.openidId = userinfo.sub;
|
2024-04-12 12:39:11 -04:00
|
|
|
user.username = username;
|
2023-06-24 21:45:52 -05:00
|
|
|
user.name = fullName;
|
2025-06-23 10:22:27 -04:00
|
|
|
user.idOnTheSource = userinfo.oid;
|
2025-10-29 12:57:43 -04:00
|
|
|
if (email && email !== user.email) {
|
|
|
|
|
user.email = email;
|
2025-09-23 14:46:53 -04:00
|
|
|
user.emailVerified = userinfo.email_verified || false;
|
|
|
|
|
}
|
2023-06-24 21:45:52 -05:00
|
|
|
}
|
|
|
|
|
|
2025-10-09 08:35:22 +01:00
|
|
|
if (adminRole && adminRoleParameterPath && adminRoleTokenKind) {
|
|
|
|
|
let adminRoleObject;
|
|
|
|
|
switch (adminRoleTokenKind) {
|
|
|
|
|
case 'access':
|
|
|
|
|
adminRoleObject = jwtDecode(tokenset.access_token);
|
|
|
|
|
break;
|
|
|
|
|
case 'id':
|
|
|
|
|
adminRoleObject = jwtDecode(tokenset.id_token);
|
|
|
|
|
break;
|
|
|
|
|
case 'userinfo':
|
|
|
|
|
adminRoleObject = userinfo;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
logger.error(
|
|
|
|
|
`[openidStrategy] Invalid admin role token kind: ${adminRoleTokenKind}. Must be one of 'access', 'id', or 'userinfo'.`,
|
|
|
|
|
);
|
|
|
|
|
return done(new Error('Invalid admin role token kind'));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const adminRoles = get(adminRoleObject, adminRoleParameterPath);
|
|
|
|
|
|
|
|
|
|
// Accept 3 types of values for the object extracted from adminRoleParameterPath:
|
|
|
|
|
// 1. A boolean value indicating if the user is an admin
|
|
|
|
|
// 2. A string with a single role name
|
|
|
|
|
// 3. An array of role names
|
|
|
|
|
|
|
|
|
|
if (
|
|
|
|
|
adminRoles &&
|
|
|
|
|
(adminRoles === true ||
|
|
|
|
|
adminRoles === adminRole ||
|
|
|
|
|
(Array.isArray(adminRoles) && adminRoles.includes(adminRole)))
|
|
|
|
|
) {
|
|
|
|
|
user.role = 'ADMIN';
|
|
|
|
|
logger.info(
|
|
|
|
|
`[openidStrategy] User ${username} is an admin based on role: ${adminRole}`,
|
|
|
|
|
);
|
|
|
|
|
} else if (user.role === 'ADMIN') {
|
|
|
|
|
user.role = 'USER';
|
|
|
|
|
logger.info(
|
|
|
|
|
`[openidStrategy] User ${username} demoted from admin - role no longer present in token`,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {
|
2024-04-19 09:12:55 -04:00
|
|
|
/** @type {string | undefined} */
|
2023-06-24 21:45:52 -05:00
|
|
|
const imageUrl = userinfo.picture;
|
|
|
|
|
|
|
|
|
|
let fileName;
|
|
|
|
|
if (crypto) {
|
2024-08-04 23:59:45 -04:00
|
|
|
fileName = (await hashToken(userinfo.sub)) + '.png';
|
2023-06-24 21:45:52 -05:00
|
|
|
} else {
|
|
|
|
|
fileName = userinfo.sub + '.png';
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
const imageBuffer = await downloadImage(
|
|
|
|
|
imageUrl,
|
|
|
|
|
openidConfig,
|
|
|
|
|
tokenset.access_token,
|
|
|
|
|
userinfo.sub,
|
|
|
|
|
);
|
2024-04-19 09:12:55 -04:00
|
|
|
if (imageBuffer) {
|
2025-09-05 11:09:32 -04:00
|
|
|
const { saveBuffer } = getStrategyFunctions(
|
|
|
|
|
appConfig?.fileStrategy ?? process.env.CDN_PROVIDER,
|
|
|
|
|
);
|
2024-04-19 09:12:55 -04:00
|
|
|
const imagePath = await saveBuffer({
|
|
|
|
|
fileName,
|
|
|
|
|
userId: user._id.toString(),
|
|
|
|
|
buffer: imageBuffer,
|
|
|
|
|
});
|
|
|
|
|
user.avatar = imagePath ?? '';
|
|
|
|
|
}
|
2023-06-24 21:45:52 -05:00
|
|
|
}
|
2023-07-14 09:36:49 -04:00
|
|
|
|
2024-06-07 21:06:47 +02:00
|
|
|
user = await updateUser(user._id, user);
|
2023-07-14 09:36:49 -04:00
|
|
|
|
2024-05-30 10:48:03 -04:00
|
|
|
logger.info(
|
2024-06-07 21:06:47 +02:00
|
|
|
`[openidStrategy] login success openidId: ${user.openidId} | email: ${user.email} | username: ${user.username} `,
|
2024-05-30 10:48:03 -04:00
|
|
|
{
|
|
|
|
|
user: {
|
|
|
|
|
openidId: user.openidId,
|
|
|
|
|
username: user.username,
|
|
|
|
|
email: user.email,
|
|
|
|
|
name: user.name,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
|
🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931)
* feat: Add OpenID Connect federated provider token support
Implements support for passing federated provider tokens (Cognito, Azure AD, Auth0)
as variables in LibreChat's librechat.yaml configuration for both custom endpoints
and MCP servers.
Features:
- New LIBRECHAT_OPENID_* template variables for federated provider tokens
- JWT claims parsing from ID tokens without verification (for claim extraction)
- Token validation with expiration checking
- Support for multiple token storage locations (federatedTokens, openidTokens)
- Integration with existing template variable system
- Comprehensive test suite with Cognito-specific scenarios
- Provider-agnostic design supporting Cognito, Azure AD, Auth0, etc.
Security:
- Server-side only token processing
- Automatic token expiration validation
- Graceful fallbacks for missing/invalid tokens
- No client-side token exposure
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Add federated token propagation to OIDC authentication strategies
Adds federatedTokens object to user during authentication to enable
federated provider token template variables in LibreChat configuration.
Changes:
- OpenID JWT Strategy: Extract raw JWT from Authorization header and
attach as federatedTokens.access_token to enable {{LIBRECHAT_OPENID_TOKEN}}
placeholder resolution
- OpenID Strategy: Attach tokenset tokens as federatedTokens object to
standardize token access across both authentication strategies
This enables proper token propagation for custom endpoints and MCP
servers that require federated provider tokens for authorization.
Resolves missing token issue reported by @ramden in PR #9931
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Denis Ramic <denis.ramic@nfon.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* test: Add federatedTokens validation tests for OIDC strategies
Adds comprehensive test coverage for the federated token propagation
feature implemented in the authentication strategies.
Tests added:
- Verify federatedTokens object is attached to user with correct structure
(access_token, refresh_token, expires_at)
- Verify both tokenset and federatedTokens are present in user object
- Ensure tokens from OIDC provider are correctly propagated
Also fixes existing test suite by adding missing mocks:
- isEmailDomainAllowed function mock
- findOpenIDUser function mock
These tests validate the fix from commit 5874ba29f that enables
{{LIBRECHAT_OPENID_TOKEN}} template variable functionality.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* docs: Remove implementation documentation file
The PR description already contains all necessary implementation details.
This documentation file is redundant and was requested to be removed.
* fix: skip s256 check
* fix(openid): handle missing refresh token in Cognito token refresh response
When OPENID_REUSE_TOKENS=true, the token refresh flow was failing because
Cognito (and most OAuth providers) don't return a new refresh token in the
refresh grant response - they only return new access and ID tokens.
Changes:
- Modified setOpenIDAuthTokens() to accept optional existingRefreshToken parameter
- Updated validation to only require access_token (refresh_token now optional)
- Added logic to reuse existing refresh token when not provided in tokenset
- Updated refreshController to pass original refresh token as fallback
- Added comments explaining standard OAuth 2.0 refresh token behavior
This fixes the "Token is not present. User is not authenticated." error that
occurred during silent token refresh with Cognito as the OpenID provider.
Fixes: Authentication loop with OPENID_REUSE_TOKENS=true and AWS Cognito
* fix(openid): extract refresh token from cookies for template variable replacement
When OPENID_REUSE_TOKENS=true, the openIdJwtStrategy populates user.federatedTokens
to enable template variable replacement (e.g., {{LIBRECHAT_OPENID_ACCESS_TOKEN}}).
However, the refresh_token field was incorrectly sourced from payload.refresh_token,
which is always undefined because:
1. JWTs don't contain refresh tokens in their payload
2. The JWT itself IS the access token
3. Refresh tokens are separate opaque tokens stored in HTTP-only cookies
This caused extractOpenIDTokenInfo() to receive incomplete federatedTokens,
resulting in template variables remaining unreplaced in headers.
**Root Cause:**
- Line 90: `refresh_token: payload.refresh_token` (always undefined)
- JWTs only contain access token data in their claims
- Refresh tokens are separate, stored securely in cookies
**Solution:**
- Import `cookie` module to parse cookies from request
- Extract refresh token from `refreshToken` cookie
- Populate federatedTokens with both access token (JWT) and refresh token (from cookie)
**Impact:**
- Template variables like {{LIBRECHAT_OPENID_ACCESS_TOKEN}} now work correctly
- Headers in librechat.yaml are properly replaced with actual tokens
- MCP server authentication with federated tokens now functional
**Technical Details:**
- passReqToCallback=true in JWT strategy provides req object access
- Refresh token extracted via cookies.parse(req.headers.cookie).refreshToken
- Falls back gracefully if cookie header or refreshToken is missing
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: re-resolve headers on each request to pick up fresh federatedTokens
- OpenAIClient now re-resolves headers in chatCompletion() before each API call
- This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} are replaced
with actual token values from req.user.federatedTokens
- initialize.js now stores original template headers instead of pre-resolved ones
- Fixes template variable replacement when OPENID_REUSE_TOKENS=true
The issue was that headers were only resolved once during client initialization,
before openIdJwtStrategy had populated user.federatedTokens. Now headers are
re-resolved on every request with the current user's fresh tokens.
* debug: add logging to track header resolution in OpenAIClient
* debug: log tokenset structure after refresh to diagnose missing access_token
* fix: set federatedTokens on user object after OAuth refresh
- After successful OAuth token refresh, the user object was not being
updated with federatedTokens
- This caused template variable resolution to fail on subsequent requests
- Now sets user.federatedTokens with access_token, id_token, refresh_token
and expires_at from the refreshed tokenset
- Fixes template variables like {{LIBRECHAT_OPENID_TOKEN}} not being
replaced after token refresh
- Related to PR #9931 (OpenID federated token support)
* fix(openid): pass user object through agent chain for template variable resolution
Root cause: buildAgentContext in agents/run.ts called resolveHeaders without
the user parameter, preventing OpenID federated token template variables from
being resolved in agent runtime parameters.
Changes:
- packages/api/src/agents/run.ts: Add user parameter to createRun signature
- packages/api/src/agents/run.ts: Pass user to resolveHeaders in buildAgentContext
- api/server/controllers/agents/client.js: Pass user when calling createRun
- api/server/services/Endpoints/bedrock/options.js: Add resolveHeaders call with debug logging
- api/server/services/Endpoints/custom/initialize.js: Add debug logging
- packages/api/src/utils/env.ts: Add comprehensive debug logging and stack traces
- packages/api/src/utils/oidc.ts: Fix eslint errors (unused type, explicit any)
This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} and
{{LIBRECHAT_USER_OPENIDID}} are properly resolved in both custom endpoint
headers and Bedrock AgentCore runtime parameters.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor: remove debug logging from OpenID token template feature
Removed excessive debug logging that was added during development to make
the PR more suitable for upstream review:
- Removed 7 debug statements from OpenAIClient.js
- Removed all console.log statements from packages/api/src/utils/env.ts
- Removed debug logging from bedrock/options.js
- Removed debug logging from custom/initialize.js
- Removed debug statement from AuthController.js
This reduces the changeset by ~50 lines while maintaining full functionality
of the OpenID federated token template variable feature.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(openid): add comprehensive unit tests for template variable substitution
- Add 34 unit tests for OIDC token utilities (oidc.spec.ts)
- Test coverage for token extraction, validation, and placeholder processing
- Integration tests for full OpenID token flow
- All tests pass with comprehensive edge case coverage
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
* test: fix OpenID federated tokens test failures
- Add serverMetadata() mock to openid-client mock configuration
* Fixes TypeError in openIdJwtStrategy.js where serverMetadata() was being called
* Mock now returns jwks_uri and end_session_endpoint as expected by the code
- Update outdated initialize.spec.js test
* Remove test expecting resolveHeaders call during initialization
* Header resolution was refactored to be deferred until LLM request time
* Update test to verify options are returned correctly with useLegacyContent flag
Fixes #9931 CI failures for backend unit tests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* chore: fix package-lock.json conflict
* chore: sync package-log with upstream
* chore: cleanup
* fix: use createSafeUser
* fix: fix createSafeUser signature
* chore: remove comments
* chore: purge comments
* fix: update Jest testPathPattern to testPathPatterns for Jest 30+ compatibility
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Denis Ramic <denis.ramic@nfon.com>
Co-authored-by: kristjanaapro <kristjana@apro.is>
chore: import order and add back JSDoc for OpenID JWT callback
2025-11-21 14:44:52 +00:00
|
|
|
done(null, {
|
|
|
|
|
...user,
|
|
|
|
|
tokenset,
|
|
|
|
|
federatedTokens: {
|
|
|
|
|
access_token: tokenset.access_token,
|
|
|
|
|
refresh_token: tokenset.refresh_token,
|
|
|
|
|
expires_at: tokenset.expires_at,
|
|
|
|
|
},
|
|
|
|
|
});
|
2023-06-24 21:45:52 -05:00
|
|
|
} catch (err) {
|
2024-05-30 10:48:03 -04:00
|
|
|
logger.error('[openidStrategy] login failed', err);
|
2023-06-24 21:45:52 -05:00
|
|
|
done(err);
|
|
|
|
|
}
|
2023-07-14 09:36:49 -04:00
|
|
|
},
|
2023-06-24 21:45:52 -05:00
|
|
|
);
|
|
|
|
|
passport.use('openid', openidLogin);
|
2025-05-22 14:19:24 +02:00
|
|
|
return openidConfig;
|
2023-07-22 07:29:17 -07:00
|
|
|
} catch (err) {
|
2023-12-14 07:49:27 -05:00
|
|
|
logger.error('[openidStrategy]', err);
|
2025-05-22 14:19:24 +02:00
|
|
|
return null;
|
2023-07-22 07:29:17 -07:00
|
|
|
}
|
|
|
|
|
}
|
2025-05-22 14:19:24 +02:00
|
|
|
/**
|
|
|
|
|
* @function getOpenIdConfig
|
|
|
|
|
* @description Returns the OpenID client instance.
|
|
|
|
|
* @throws {Error} If the OpenID client is not initialized.
|
|
|
|
|
* @returns {Configuration}
|
|
|
|
|
*/
|
|
|
|
|
function getOpenIdConfig() {
|
|
|
|
|
if (!openidConfig) {
|
|
|
|
|
throw new Error('OpenID client is not initialized. Please call setupOpenId first.');
|
|
|
|
|
}
|
|
|
|
|
return openidConfig;
|
|
|
|
|
}
|
2023-07-22 07:29:17 -07:00
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
module.exports = {
|
|
|
|
|
setupOpenId,
|
|
|
|
|
getOpenIdConfig,
|
|
|
|
|
};
|