🛂 fix: Reuse OpenID Auth Tokens with Proxy Setup (#8151)

* Fixes https://github.com/danny-avila/LibreChat/issues/8099 in correctly setting up proxy support - fixes the openid Strategy - fixes the openid jwt strategy (jwksRsa fetching in a proxy environment) Signed-off-by: Regli Daniel <daniel.regli1@sanitas.com> * Fixes https://github.com/danny-avila/LibreChat/issues/8099 in correctly setting up proxy support - properly formatted Signed-off-by: Regli Daniel <1daniregli@gmail.com> --------- Signed-off-by: Regli Daniel <daniel.regli1@sanitas.com> Signed-off-by: Regli Daniel <1daniregli@gmail.com> Co-authored-by: schnaker85 <1daniregligmail.com>
2025-09-22 06:00:56 +02:00 · 2025-07-01 22:30:06 +02:00 · 2025-07-01 22:30:06 +02:00 · 8a5dbac0f9
commit 8a5dbac0f9
parent 434289fe92
2 changed files with 18 additions and 10 deletions
--- a/api/strategies/openIdJwtStrategy.js
+++ b/api/strategies/openIdJwtStrategy.js
@ -1,4 +1,5 @@
 const { SystemRoles } = require('librechat-data-provider');
+const { HttpsProxyAgent } = require('https-proxy-agent');
 const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
 const { updateUser, findUser } = require('~/models');
 const { logger } = require('~/config');
@ -13,17 +14,23 @@ const { isEnabled } = require('~/server/utils');
 * The strategy extracts the JWT from the Authorization header as a Bearer token.
 * The JWT is then verified using the signing key, and the user is retrieved from the database.
 */
-const openIdJwtLogin = (openIdConfig) =>
-  new JwtStrategy(
+const openIdJwtLogin = (openIdConfig) => {
+  let jwksRsaOptions = {
+    cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
+    cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
+      ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
+      : 60000,
+    jwksUri: openIdConfig.serverMetadata().jwks_uri,
+  };
+
+  if (process.env.PROXY) {
+    jwksRsaOptions.requestAgent = new HttpsProxyAgent(process.env.PROXY);
+  }
+
+  return new JwtStrategy(
    {
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      secretOrKeyProvider: jwksRsa.passportJwtSecret({
-        cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
-        cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
-          ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
-          : 60000,
-        jwksUri: openIdConfig.serverMetadata().jwks_uri,
-      }),
+      secretOrKeyProvider: jwksRsa.passportJwtSecret(jwksRsaOptions),
    },
    async (payload, done) => {
      try {
@ -48,5 +55,6 @@ const openIdJwtLogin = (openIdConfig) =>
      }
    },
  );
+};

 module.exports = openIdJwtLogin;
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -49,7 +49,7 @@ async function customFetch(url, options) {
      logger.info(`[openidStrategy] proxy agent configured: ${process.env.PROXY}`);
      fetchOptions = {
        ...options,
-        dispatcher: new HttpsProxyAgent(process.env.PROXY),
+        dispatcher: new undici.ProxyAgent(process.env.PROXY),
      };
    }