fix: allow OpenID PKCE authentication without client secret

This commit is contained in:
CMF\e-leite 2026-03-12 16:08:37 +00:00
parent ccd049d8ce
commit 9877a52955
3 changed files with 11 additions and 6 deletions


@ -41,7 +41,7 @@ router.get('/', async function (req, res) {
const isOpenIdEnabled =
!!process.env.OPENID_CLIENT_ID &&
!!process.env.OPENID_CLIENT_SECRET &&
(isEnabled(process.env.OPENID_USE_PKCE) || !!process.env.OPENID_CLIENT_SECRET) &&
!!process.env.OPENID_ISSUER &&
!!process.env.OPENID_SESSION_SECRET;
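Review bot: The new gate on the `OPENID_USE_PKCE || OPENID_CLIENT_SECRET` line treats a whitespace-only `OPENID_CLIENT_SECRET` as a configured secret, while `setupOpenId` in the third file trims the value before choosing the token endpoint auth method; such a value therefore passes this check and then ends up as `token_endpoint_auth_method = 'none'` when PKCE is on, or leaves the method unset when it is off, whose effect depends on the client library's default. The same untrimmed test is repeated in the `configureSocialLogins` hunk of the second file. Normalizing at the gate keeps the three sites consistent: `(isEnabled(process.env.OPENID_USE_PKCE) || !!process.env.OPENID_CLIENT_SECRET?.trim()) &&`. Since both gates now encode the same rule, a small shared helper such as `hasOpenIdCredentials()` would keep them from drifting apart again. The enclosing `router.get('/')` handler starts before this hunk.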


@ -73,7 +73,7 @@ const configureSocialLogins = async (app) => {
}
if (
process.env.OPENID_CLIENT_ID &&
process.env.OPENID_CLIENT_SECRET &&
(isEnabled(process.env.OPENID_USE_PKCE) || process.env.OPENID_CLIENT_SECRET) &&
process.env.OPENID_ISSUER &&
process.env.OPENID_SCOPE &&
process.env.OPENID_SESSION_SECRET


@ -772,18 +772,23 @@ const setupOpenIdAdmin = (openidConfig) => {
*/
async function setupOpenId() {
try {
const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
const shouldGenerateNonce = isEnabled(process.env.OPENID_GENERATE_NONCE);
/** @type {ClientMetadata} */
const clientMetadata = {
client_id: process.env.OPENID_CLIENT_ID,
client_secret: process.env.OPENID_CLIENT_SECRET,
response_types: ['code'],
grant_types: ['authorization_code']
};
if (shouldGenerateNonce) {
clientMetadata.response_types = ['code'];
clientMetadata.grant_types = ['authorization_code'];
const clientSecret = process.env.OPENID_CLIENT_SECRET?.trim();
if (clientSecret) {
clientMetadata.client_secret = clientSecret;
clientMetadata.token_endpoint_auth_method = 'client_secret_post';
} else if (usePKCE) {
clientMetadata.token_endpoint_auth_method = 'none';
}
/** @type {Configuration} */