*️⃣ feat: Reuse OpenID Auth Tokens (#7397)

* feat: integrate OpenID Connect support with token reuse - Added `jwks-rsa` and `new-openid-client` dependencies for OpenID Connect functionality. - Implemented OpenID token refresh logic in `AuthController`. - Enhanced `LogoutController` to handle OpenID logout and session termination. - Updated JWT authentication middleware to support OpenID token provider. - Modified OAuth routes to accommodate OpenID authentication and token management. - Created `setOpenIDAuthTokens` function to manage OpenID tokens in cookies. - Upgraded OpenID strategy with user info fetching and token exchange protocol. - Introduced `openIdJwtLogin` strategy for handling OpenID JWT tokens. - Added caching mechanism for exchanged OpenID tokens. - Updated configuration to include OpenID exchanged tokens cache key. - updated .env.example to include the new env variables needed for the feature. * fix: update return type in downloadImage documentation for clarity and fixed openIdJwtLogin env variables * fix: update Jest configuration and tests for OpenID strategy integration * fix: update OpenID strategy to include callback URL in setup * fix: fix optionalJwtAuth middleware to support OpenID token reuse and improve currentUrl method in CustomOpenIDStrategy to override the dynamic host issue related to proxy (e.g. cloudfront) * fix: fixed code formatting * Fix: Add mocks for openid-client and passport strategy in Jest configuration to fix unit tests * fix eslint errors: Format mock file openid-client. * ✨ feat: Add PKCE support for OpenID and default handling in strategy setup --------- Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com> Co-authored-by: Ruben Talstra <RubenTalstra1211@outlook.com>
2025-12-26 21:28:50 +01:00 · 2025-05-22 14:19:24 +02:00 · 2025-05-22 14:19:24 +02:00 · bf80cf30b3
commit bf80cf30b3
parent d47d827ed9
24 changed files with 690 additions and 191 deletions
--- a/api/cache/getLogStores.js
+++ b/api/cache/getLogStores.js
@ -61,6 +61,10 @@ const abortKeys = isRedisEnabled
  ? new Keyv({ store: keyvRedis })
  : new Keyv({ namespace: CacheKeys.ABORT_KEYS, ttl: Time.TEN_MINUTES });

+const openIdExchangedTokensCache = isRedisEnabled
+  ? new Keyv({ store: keyvRedis, ttl: Time.TEN_MINUTES })
+  : new Keyv({ namespace: CacheKeys.OPENID_EXCHANGED_TOKENS, ttl: Time.TEN_MINUTES });
+
 const namespaces = {
  [CacheKeys.ROLES]: roles,
  [CacheKeys.CONFIG_STORE]: config,
@ -98,6 +102,7 @@ const namespaces = {
  [CacheKeys.AUDIO_RUNS]: audioRuns,
  [CacheKeys.MESSAGES]: messages,
  [CacheKeys.FLOWS]: flows,
+  [CacheKeys.OPENID_EXCHANGED_TOKENS]: openIdExchangedTokensCache,
 };

 /**
--- a/api/cache/keyvRedis.js
+++ b/api/cache/keyvRedis.js
@ -76,10 +76,13 @@ if (REDIS_URI && isEnabled(USE_REDIS)) {
    keyvRedis = new KeyvRedis(REDIS_URI, keyvOpts);
  }

-  const pingInterval = setInterval(() => {
-    logger.debug('KeyvRedis ping');
-    keyvRedis.client.ping().catch(err => logger.error('Redis keep-alive ping failed:', err));
-  }, 5 * 60 * 1000);
+  const pingInterval = setInterval(
+    () => {
+      logger.debug('KeyvRedis ping');
+      keyvRedis.client.ping().catch((err) => logger.error('Redis keep-alive ping failed:', err));
+    },
+    5 * 60 * 1000,
+  );

  keyvRedis.on('ready', () => {
    logger.info('KeyvRedis connection ready');
--- a/api/jest.config.js
+++ b/api/jest.config.js
@ -11,5 +11,8 @@ module.exports = {
  moduleNameMapper: {
    '~/(.*)': '<rootDir>/$1',
    '~/data/auth.json': '<rootDir>/__mocks__/auth.mock.json',
+    '^openid-client/passport$': '<rootDir>/test/__mocks__/openid-client-passport.js', // Mock for the passport strategy part
+    '^openid-client$': '<rootDir>/test/__mocks__/openid-client.js',
  },
+  transformIgnorePatterns: ['/node_modules/(?!(openid-client|oauth4webapi|jose)/).*/'],
 };
--- a/api/package.json
+++ b/api/package.json
@ -75,6 +75,7 @@
    "ioredis": "^5.3.2",
    "js-yaml": "^4.1.0",
    "jsonwebtoken": "^9.0.0",
+    "jwks-rsa": "^3.2.0",
    "keyv": "^5.3.2",
    "keyv-file": "^5.1.2",
    "klona": "^2.0.6",
@ -92,7 +93,7 @@
    "ollama": "^0.5.0",
    "openai": "^4.96.2",
    "openai-chat-tokens": "^0.2.8",
-    "openid-client": "^5.4.2",
+    "openid-client": "^6.5.0",
    "passport": "^0.6.0",
    "passport-apple": "^2.0.2",
    "passport-discord": "^0.1.4",
--- a/api/server/controllers/AuthController.js
+++ b/api/server/controllers/AuthController.js
@ -1,3 +1,4 @@
+const openIdClient = require('openid-client');
 const cookies = require('cookie');
 const jwt = require('jsonwebtoken');
 const {
@ -5,9 +6,12 @@ const {
  resetPassword,
  setAuthTokens,
  requestPasswordReset,
+  setOpenIDAuthTokens,
 } = require('~/server/services/AuthService');
-const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
+const { findSession, getUserById, deleteAllUserSessions, findUser } = require('~/models');
+const { getOpenIdConfig } = require('~/strategies');
 const { logger } = require('~/config');
+const { isEnabled } = require('~/server/utils');

 const registrationController = async (req, res) => {
  try {
@ -55,10 +59,28 @@ const resetPasswordController = async (req, res) => {

 const refreshController = async (req, res) => {
  const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
+  const token_provider = req.headers.cookie
+    ? cookies.parse(req.headers.cookie).token_provider
+    : null;
  if (!refreshToken) {
    return res.status(200).send('Refresh token not provided');
  }
-
+  if (token_provider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) === true) {
+    try {
+      const openIdConfig = getOpenIdConfig();
+      const tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken);
+      const claims = tokenset.claims();
+      const user = await findUser({ email: claims.email });
+      if (!user) {
+        return res.status(401).redirect('/login');
+      }
+      const token = setOpenIDAuthTokens(tokenset, res);
+      return res.status(200).send({ token, user });
+    } catch (error) {
+      logger.error('[refreshController] OpenID token refresh error', error);
+      return res.status(403).send('Invalid OpenID refresh token');
+    }
+  }
  try {
    const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
    const user = await getUserById(payload.id, '-password -__v -totpSecret');
--- a/api/server/controllers/auth/LogoutController.js
+++ b/api/server/controllers/auth/LogoutController.js
@ -1,5 +1,5 @@
 const cookies = require('cookie');
-const { Issuer } = require('openid-client');
+const { getOpenIdConfig } = require('~/strategies');
 const { logoutUser } = require('~/server/services/AuthService');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
@ -10,20 +10,29 @@ const logoutController = async (req, res) => {
    const logout = await logoutUser(req, refreshToken);
    const { status, message } = logout;
    res.clearCookie('refreshToken');
+    res.clearCookie('token_provider');
    const response = { message };
    if (
      req.user.openidId != null &&
      isEnabled(process.env.OPENID_USE_END_SESSION_ENDPOINT) &&
      process.env.OPENID_ISSUER
    ) {
-      const issuer = await Issuer.discover(process.env.OPENID_ISSUER);
-      const redirect = issuer.metadata.end_session_endpoint;
-      if (!redirect) {
+      const openIdConfig = getOpenIdConfig();
+      if (!openIdConfig) {
        logger.warn(
-          '[logoutController] end_session_endpoint not found in OpenID issuer metadata. Please verify that the issuer is correct.',
+          '[logoutController] OpenID config not found. Please verify that the open id configuration and initialization are correct.',
        );
      } else {
-        response.redirect = redirect;
+        const endSessionEndpoint = openIdConfig
+          ? openIdConfig.serverMetadata().end_session_endpoint
+          : null;
+        if (endSessionEndpoint) {
+          response.redirect = endSessionEndpoint;
+        } else {
+          logger.warn(
+            '[logoutController] end_session_endpoint not found in OpenID issuer metadata. Please verify that the issuer is correct.',
+          );
+        }
      }
    }
    return res.status(status).send(response);
--- a/api/server/index.js
+++ b/api/server/index.js
@ -75,7 +75,7 @@ const startServer = async () => {

  /* OAUTH */
  app.use(passport.initialize());
-  passport.use(await jwtLogin());
+  passport.use(jwtLogin());
  passport.use(passportLogin());

  /* LDAP Auth */
@ -84,7 +84,7 @@ const startServer = async () => {
  }

  if (isEnabled(ALLOW_SOCIAL_LOGIN)) {
-    configureSocialLogins(app);
+    await configureSocialLogins(app);
  }

  app.use('/oauth', routes.oauth);
--- a/api/server/middleware/optionalJwtAuth.js
+++ b/api/server/middleware/optionalJwtAuth.js
@ -1,9 +1,13 @@
+const cookies = require('cookie');
+const { isEnabled } = require('~/server/utils');
 const passport = require('passport');

 // This middleware does not require authentication,
 // but if the user is authenticated, it will set the user object.
 const optionalJwtAuth = (req, res, next) => {
-  passport.authenticate('jwt', { session: false }, (err, user) => {
+  const cookieHeader = req.headers.cookie;
+  const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null;
+  const callback = (err, user) => {
    if (err) {
      return next(err);
    }
@ -11,7 +15,11 @@ const optionalJwtAuth = (req, res, next) => {
      req.user = user;
    }
    next();
-  })(req, res, next);
+  };
+  if (tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+    return passport.authenticate('openidJwt', { session: false }, callback)(req, res, next);
+  }
+  passport.authenticate('jwt', { session: false }, callback)(req, res, next);
 };

 module.exports = optionalJwtAuth;
--- a/api/server/middleware/requireJwtAuth.js
+++ b/api/server/middleware/requireJwtAuth.js
@ -1,5 +1,23 @@
 const passport = require('passport');
+const cookies = require('cookie');
+const { isEnabled } = require('~/server/utils');

-const requireJwtAuth = passport.authenticate('jwt', { session: false });
+/**
+ * Custom Middleware to handle JWT authentication, with support for OpenID token reuse
+ * Switches between JWT and OpenID authentication based on cookies and environment settings
+ */
+const requireJwtAuth = (req, res, next) => {
+  // Check if token provider is specified in cookies
+  const cookieHeader = req.headers.cookie;
+  const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null;
+
+  // Use OpenID authentication if token provider is OpenID and OPENID_REUSE_TOKENS is enabled
+  if (tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+    return passport.authenticate('openidJwt', { session: false })(req, res, next);
+  }
+
+  // Default to standard JWT authentication
+  return passport.authenticate('jwt', { session: false })(req, res, next);
+};

 module.exports = requireJwtAuth;
--- a/api/server/routes/tests/config.spec.js
+++ b/api/server/routes/tests/config.spec.js
@ -1,11 +1,11 @@
 jest.mock('~/cache/getLogStores');
 const request = require('supertest');
 const express = require('express');
-const routes = require('../');
+const configRoute = require('../config');
 // file deepcode ignore UseCsurfForExpress/test: test
 const app = express();
 app.disable('x-powered-by');
-app.use('/api/config', routes.config);
+app.use('/api/config', configRoute);

 afterEach(() => {
  delete process.env.APP_TITLE;
--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@ -8,8 +8,9 @@ const {
  setBalanceConfig,
  checkDomainAllowed,
 } = require('~/server/middleware');
-const { setAuthTokens } = require('~/server/services/AuthService');
+const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
 const { logger } = require('~/config');
+const { isEnabled } = require('~/server/utils');

 const router = express.Router();

@ -28,7 +29,15 @@ const oauthHandler = async (req, res) => {
    if (req.banned) {
      return;
    }
-    await setAuthTokens(req.user._id, res);
+    if (
+      req.user &&
+      req.user.provider == 'openid' &&
+      isEnabled(process.env.OPENID_REUSE_TOKENS) === true
+    ) {
+      setOpenIDAuthTokens(req.user.tokenset, res);
+    } else {
+      await setAuthTokens(req.user._id, res);
+    }
    res.redirect(domains.client);
  } catch (err) {
    logger.error('Error in setting authentication tokens:', err);
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -377,13 +377,62 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
      secure: isProduction,
      sameSite: 'strict',
    });
-
+    res.cookie('token_provider', 'librechat', {
+      expires: new Date(refreshTokenExpires),
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'strict',
+    });
    return token;
  } catch (error) {
    logger.error('[setAuthTokens] Error in setting authentication tokens:', error);
    throw error;
  }
 };
+/**
+ * @function setOpenIDAuthTokens
+ * Set OpenID Authentication Tokens
+ * //type tokenset from openid-client
+ * @param {import('openid-client').TokenEndpointResponse & import('openid-client').TokenEndpointResponseHelpers} tokenset
+ * - The tokenset object containing access and refresh tokens
+ * @param {Object} res - response object
+ * @returns {String} - access token
+ */
+const setOpenIDAuthTokens = (tokenset, res) => {
+  try {
+    if (!tokenset) {
+      logger.error('[setOpenIDAuthTokens] No tokenset found in request');
+      return;
+    }
+    const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
+    const expiryInMilliseconds = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7; // 7 days default
+    const expirationDate = new Date(Date.now() + expiryInMilliseconds);
+    if (tokenset == null) {
+      logger.error('[setOpenIDAuthTokens] No tokenset found in request');
+      return;
+    }
+    if (!tokenset.access_token || !tokenset.refresh_token) {
+      logger.error('[setOpenIDAuthTokens] No access or refresh token found in tokenset');
+      return;
+    }
+    res.cookie('refreshToken', tokenset.refresh_token, {
+      expires: expirationDate,
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'strict',
+    });
+    res.cookie('token_provider', 'openid', {
+      expires: expirationDate,
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'strict',
+    });
+    return tokenset.access_token;
+  } catch (error) {
+    logger.error('[setOpenIDAuthTokens] Error in setting authentication tokens:', error);
+    throw error;
+  }
+};

 /**
 * Resend Verification Email
@ -452,4 +501,5 @@ module.exports = {
  resetPassword,
  requestPasswordReset,
  resendVerificationEmail,
+  setOpenIDAuthTokens,
 };
--- a/api/server/socialLogins.js
+++ b/api/server/socialLogins.js
@ -10,6 +10,7 @@ const {
  discordLogin,
  facebookLogin,
  appleLogin,
+  openIdJwtLogin,
 } = require('~/strategies');
 const { isEnabled } = require('~/server/utils');
 const keyvRedis = require('~/cache/keyvRedis');
@ -19,7 +20,7 @@ const { logger } = require('~/config');
 *
 * @param {Express.Application} app
 */
-const configureSocialLogins = (app) => {
+const configureSocialLogins = async (app) => {
  logger.info('Configuring social logins...');

  if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
@ -62,8 +63,11 @@ const configureSocialLogins = (app) => {
    }
    app.use(session(sessionOptions));
    app.use(passport.session());
-    setupOpenId();
-
+    const config = await setupOpenId();
+    if (isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+      logger.info('OpenID token reuse is enabled.');
+      passport.use('openidJwt', openIdJwtLogin(config));
+    }
    logger.info('OpenID Connect configured.');
  }
 };
--- a/api/strategies/index.js
+++ b/api/strategies/index.js
@ -4,9 +4,10 @@ const googleLogin = require('./googleStrategy');
 const githubLogin = require('./githubStrategy');
 const discordLogin = require('./discordStrategy');
 const facebookLogin = require('./facebookStrategy');
-const setupOpenId = require('./openidStrategy');
+const { setupOpenId, getOpenIdConfig } = require('./openidStrategy');
 const jwtLogin = require('./jwtStrategy');
 const ldapLogin = require('./ldapStrategy');
+const openIdJwtLogin = require('./openIdJwtStrategy');

 module.exports = {
  appleLogin,
@ -17,5 +18,7 @@ module.exports = {
  jwtLogin,
  facebookLogin,
  setupOpenId,
+  getOpenIdConfig,
  ldapLogin,
-};
+  openIdJwtLogin,
+};
--- a/api/strategies/jwtStrategy.js
+++ b/api/strategies/jwtStrategy.js
@ -4,7 +4,7 @@ const { getUserById, updateUser } = require('~/models');
 const { logger } = require('~/config');

 // JWT strategy
-const jwtLogin = async () =>
+const jwtLogin = () =>
  new JwtStrategy(
    {
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
--- a/api/strategies/openIdJwtStrategy.js
+++ b/api/strategies/openIdJwtStrategy.js
@ -0,0 +1,52 @@
+const { SystemRoles } = require('librechat-data-provider');
+const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
+const { updateUser, findUser } = require('~/models');
+const { logger } = require('~/config');
+const jwksRsa = require('jwks-rsa');
+const { isEnabled } = require('~/server/utils');
+/**
+ * @function openIdJwtLogin
+ * @param {import('openid-client').Configuration} openIdConfig - Configuration object for the JWT strategy.
+ * @returns {JwtStrategy}
+ * @description This function creates a JWT strategy for OpenID authentication.
+ * It uses the jwks-rsa library to retrieve the signing key from a JWKS endpoint.
+ * The strategy extracts the JWT from the Authorization header as a Bearer token.
+ * The JWT is then verified using the signing key, and the user is retrieved from the database.
+ */
+const openIdJwtLogin = (openIdConfig) =>
+  new JwtStrategy(
+    {
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      secretOrKeyProvider: jwksRsa.passportJwtSecret({
+        cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
+        cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
+          ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
+          : 60000,
+        jwksUri: openIdConfig.serverMetadata().jwks_uri,
+      }),
+    },
+    async (payload, done) => {
+      try {
+        const user = await findUser({ openidId: payload?.sub });
+
+        if (user) {
+          user.id = user._id.toString();
+          if (!user.role) {
+            user.role = SystemRoles.USER;
+            await updateUser(user.id, { role: user.role });
+          }
+          done(null, user);
+        } else {
+          logger.warn(
+            '[openIdJwtLogin] openId JwtStrategy => no user found with the sub claims: ' +
+              payload?.sub,
+          );
+          done(null, false);
+        }
+      } catch (err) {
+        done(err, false);
+      }
+    },
+  );
+
+module.exports = openIdJwtLogin;
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -1,28 +1,101 @@
+const { CacheKeys } = require('librechat-data-provider');
 const fetch = require('node-fetch');
 const passport = require('passport');
 const jwtDecode = require('jsonwebtoken/decode');
 const { HttpsProxyAgent } = require('https-proxy-agent');
-const { Issuer, Strategy: OpenIDStrategy, custom } = require('openid-client');
+const client = require('openid-client');
+const { Strategy: OpenIDStrategy } = require('openid-client/passport');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
 const { hashToken } = require('~/server/utils/crypto');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
+const getLogStores = require('~/cache/getLogStores');

-let crypto;
-try {
-  crypto = require('node:crypto');
-} catch (err) {
-  logger.error('[openidStrategy] crypto support is disabled!', err);
+/**
+ * @typedef {import('openid-client').ClientMetadata} ClientMetadata
+ * @typedef {import('openid-client').Configuration} Configuration
+ **/
+
+/** @typedef {Configuration | null}  */
+let openidConfig = null;
+
+//overload currenturl function because of express version 4 buggy req.host doesn't include port
+//More info https://github.com/panva/openid-client/pull/713
+
+class CustomOpenIDStrategy extends OpenIDStrategy {
+  currentUrl(req) {
+    const hostAndProtocol = process.env.DOMAIN_SERVER;
+    return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
+  }
 }

+/**
+ * Exchange the access token for a new access token using the on-behalf-of flow if required.
+ * @param {Configuration} config
+ * @param {string} accessToken access token to be exchanged if necessary
+ * @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
+ * @param {boolean} fromCache - Indicates whether to use cached tokens.
+ * @returns {Promise<string>} The new access token if exchanged, otherwise the original access token.
+ */
+const exchangeAccessTokenIfNeeded = async (config, accessToken, sub, fromCache = false) => {
+  const tokensCache = getLogStores(CacheKeys.OPENID_EXCHANGED_TOKENS);
+  const onBehalfFlowRequired = isEnabled(process.env.OPENID_ON_BEHALF_FLOW_FOR_USERINFRO_REQUIRED);
+  if (onBehalfFlowRequired) {
+    if (fromCache) {
+      const cachedToken = await tokensCache.get(sub);
+      if (cachedToken) {
+        return cachedToken.access_token;
+      }
+    }
+    const grantResponse = await client.genericGrantRequest(
+      config,
+      'urn:ietf:params:oauth:grant-type:jwt-bearer',
+      {
+        scope: process.env.OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE || 'user.read',
+        assertion: accessToken,
+        requested_token_use: 'on_behalf_of',
+      },
+    );
+    await tokensCache.set(
+      sub,
+      {
+        access_token: grantResponse.access_token,
+      },
+      grantResponse.expires_in * 1000,
+    );
+    return grantResponse.access_token;
+  }
+  return accessToken;
+};
+
+/**
+ * get user info from openid provider
+ * @param {Configuration} config
+ * @param {string} accessToken access token
+ * @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
+ * @returns {Promise<Object|null>}
+ */
+const getUserInfo = async (config, accessToken, sub) => {
+  try {
+    const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub);
+    return await client.fetchUserInfo(config, exchangedAccessToken, sub);
+  } catch (error) {
+    logger.warn(`[openidStrategy] getUserInfo: Error fetching user info: ${error}`);
+    return null;
+  }
+};
+
 /**
 * Downloads an image from a URL using an access token.
 * @param {string} url
- * @param {string} accessToken
- * @returns {Promise<Buffer>}
+ * @param {Configuration} config
+ * @param {string} accessToken access token
+ * @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
+ * @returns {Promise<Buffer | string>} The image buffer or an empty string if the download fails.
 */
-const downloadImage = async (url, accessToken) => {
+const downloadImage = async (url, config, accessToken, sub) => {
+  const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub, true);
  if (!url) {
    return '';
  }
@ -31,7 +104,7 @@ const downloadImage = async (url, accessToken) => {
    const options = {
      method: 'GET',
      headers: {
-        Authorization: `Bearer ${accessToken}`,
+        Authorization: `Bearer ${exchangedAccessToken}`,
      },
    };

@ -105,63 +178,68 @@ function convertToUsername(input, defaultValue = '') {
  return defaultValue;
 }

+/**
+ * Sets up the OpenID strategy for authentication.
+ * This function configures the OpenID client, handles proxy settings,
+ * and defines the OpenID strategy for Passport.js.
+ *
+ * @async
+ * @function setupOpenId
+ * @returns {Promise<Configuration | null>} A promise that resolves when the OpenID strategy is set up and returns the openid client config object.
+ * @throws {Error} If an error occurs during the setup process.
+ */
 async function setupOpenId() {
  try {
-    if (process.env.PROXY) {
-      const proxyAgent = new HttpsProxyAgent(process.env.PROXY);
-      custom.setHttpOptionsDefaults({
-        agent: proxyAgent,
-      });
-      logger.info(`[openidStrategy] proxy agent added: ${process.env.PROXY}`);
-    }
-    const issuer = await Issuer.discover(process.env.OPENID_ISSUER);
-    /* Supported Algorithms, openid-client v5 doesn't set it automatically as discovered from server.
-      - id_token_signed_response_alg      // defaults to 'RS256'
-      - request_object_signing_alg        // defaults to 'RS256'
-      - userinfo_signed_response_alg      // not in v5
-      - introspection_signed_response_alg // not in v5
-      - authorization_signed_response_alg // not in v5
-    */
-    /** @type {import('openid-client').ClientMetadata} */
+    /** @type {ClientMetadata} */
    const clientMetadata = {
      client_id: process.env.OPENID_CLIENT_ID,
      client_secret: process.env.OPENID_CLIENT_SECRET,
-      redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
    };
-    if (isEnabled(process.env.OPENID_SET_FIRST_SUPPORTED_ALGORITHM)) {
-      clientMetadata.id_token_signed_response_alg =
-        issuer.id_token_signing_alg_values_supported?.[0] || 'RS256';
+
+    /** @type {Configuration} */
+    openidConfig = await client.discovery(
+      new URL(process.env.OPENID_ISSUER),
+      process.env.OPENID_CLIENT_ID,
+      clientMetadata,
+    );
+    if (process.env.PROXY) {
+      const proxyAgent = new HttpsProxyAgent(process.env.PROXY);
+      openidConfig[client.customFetch] = (...args) => {
+        return fetch(args[0], { ...args[1], agent: proxyAgent });
+      };
+      logger.info(`[openidStrategy] proxy agent added: ${process.env.PROXY}`);
    }
-    const client = new issuer.Client(clientMetadata);
    const requiredRole = process.env.OPENID_REQUIRED_ROLE;
    const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
    const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
-    const openidLogin = new OpenIDStrategy(
+    const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
+    const openidLogin = new CustomOpenIDStrategy(
      {
-        client,
-        params: {
-          scope: process.env.OPENID_SCOPE,
-        },
+        config: openidConfig,
+        scope: process.env.OPENID_SCOPE,
+        callbackURL: process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL,
+        usePKCE,
      },
-      async (tokenset, userinfo, done) => {
+      async (tokenset, done) => {
        try {
-          logger.info(`[openidStrategy] verify login openidId: ${userinfo.sub}`);
-          logger.debug('[openidStrategy] very login tokenset and userinfo', { tokenset, userinfo });
-
-          let user = await findUser({ openidId: userinfo.sub });
+          const claims = tokenset.claims();
+          let user = await findUser({ openidId: claims.sub });
          logger.info(
-            `[openidStrategy] user ${user ? 'found' : 'not found'} with openidId: ${userinfo.sub}`,
+            `[openidStrategy] user ${user ? 'found' : 'not found'} with openidId: ${claims.sub}`,
          );

          if (!user) {
-            user = await findUser({ email: userinfo.email });
+            user = await findUser({ email: claims.email });
            logger.info(
              `[openidStrategy] user ${user ? 'found' : 'not found'} with email: ${
-                userinfo.email
-              } for openidId: ${userinfo.sub}`,
+                claims.email
+              } for openidId: ${claims.sub}`,
            );
          }
-
+          const userinfo = {
+            ...claims,
+            ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
+          };
          const fullName = getFullName(userinfo);

          if (requiredRole) {
@ -220,7 +298,7 @@ async function setupOpenId() {
            user.name = fullName;
          }

-          if (userinfo.picture && !user.avatar?.includes('manual=true')) {
+          if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {
            /** @type {string | undefined} */
            const imageUrl = userinfo.picture;

@ -231,7 +309,12 @@ async function setupOpenId() {
              fileName = userinfo.sub + '.png';
            }

-            const imageBuffer = await downloadImage(imageUrl, tokenset.access_token);
+            const imageBuffer = await downloadImage(
+              imageUrl,
+              openidConfig,
+              tokenset.access_token,
+              userinfo.sub,
+            );
            if (imageBuffer) {
              const { saveBuffer } = getStrategyFunctions(process.env.CDN_PROVIDER);
              const imagePath = await saveBuffer({
@ -257,18 +340,34 @@ async function setupOpenId() {
            },
          );

-          done(null, user);
+          done(null, { ...user, tokenset });
        } catch (err) {
          logger.error('[openidStrategy] login failed', err);
          done(err);
        }
      },
    );
-
    passport.use('openid', openidLogin);
+    return openidConfig;
  } catch (err) {
    logger.error('[openidStrategy]', err);
+    return null;
  }
 }
+/**
+ * @function getOpenIdConfig
+ * @description Returns the OpenID client instance.
+ * @throws {Error} If the OpenID client is not initialized.
+ * @returns {Configuration}
+ */
+function getOpenIdConfig() {
+  if (!openidConfig) {
+    throw new Error('OpenID client is not initialized. Please call setupOpenId first.');
+  }
+  return openidConfig;
+}

-module.exports = setupOpenId;
+module.exports = {
+  setupOpenId,
+  getOpenIdConfig,
+};
--- a/api/strategies/openidStrategy.spec.js
+++ b/api/strategies/openidStrategy.spec.js
@ -1,16 +1,13 @@
 const fetch = require('node-fetch');
 const jwtDecode = require('jsonwebtoken/decode');
-const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
-const setupOpenId = require('./openidStrategy');
+const { setupOpenId } = require('./openidStrategy');

 // --- Mocks ---
 jest.mock('node-fetch');
-jest.mock('openid-client');
 jest.mock('jsonwebtoken/decode');
 jest.mock('~/server/services/Files/strategies', () => ({
  getStrategyFunctions: jest.fn(() => ({
-    // You can modify this mock as needed (here returning a dummy function)
    saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
  })),
 }));
@ -23,38 +20,73 @@ jest.mock('~/server/utils/crypto', () => ({
  hashToken: jest.fn().mockResolvedValue('hashed-token'),
 }));
 jest.mock('~/server/utils', () => ({
-  isEnabled: jest.fn(() => false), // default to false, override per test if needed
+  isEnabled: jest.fn(() => false),
 }));
 jest.mock('~/config', () => ({
  logger: {
    info: jest.fn(),
    debug: jest.fn(),
    error: jest.fn(),
+    warn: jest.fn(),
+  },
+}));
+jest.mock('~/cache/getLogStores', () =>
+  jest.fn(() => ({
+    get: jest.fn(),
+    set: jest.fn(),
+  })),
+);
+jest.mock('librechat-data-provider', () => ({
+  CacheKeys: {
+    OPENID_EXCHANGED_TOKENS: 'openid-exchanged-tokens',
  },
 }));

-// Mock Issuer.discover so that setupOpenId gets a fake issuer and client
-Issuer.discover = jest.fn().mockResolvedValue({
-  id_token_signing_alg_values_supported: ['RS256'],
-  Client: jest.fn().mockImplementation((clientMetadata) => {
-    return {
-      metadata: clientMetadata,
-    };
-  }),
+// Mock the openid-client module and all its dependencies
+jest.mock('openid-client', () => {
+  return {
+    discovery: jest.fn().mockResolvedValue({
+      clientId: 'fake_client_id',
+      clientSecret: 'fake_client_secret',
+      issuer: 'https://fake-issuer.com',
+      // Add any other properties needed by the implementation
+    }),
+    fetchUserInfo: jest.fn().mockImplementation((config, accessToken, sub) => {
+      // Only return additional properties, but don't override any claims
+      return Promise.resolve({
+        preferred_username: 'preferred_username',
+      });
+    }),
+    customFetch: Symbol('customFetch'),
+  };
 });

-// To capture the verify callback from the strategy, we grab it from the mock constructor
-let verifyCallback;
-OpenIDStrategy.mockImplementation((options, verify) => {
-  verifyCallback = verify;
-  return { name: 'openid', options, verify };
+jest.mock('openid-client/passport', () => {
+  let verifyCallback;
+  const mockStrategy = jest.fn((options, verify) => {
+    verifyCallback = verify;
+    return { name: 'openid', options, verify };
+  });
+
+  return {
+    Strategy: mockStrategy,
+    __getVerifyCallback: () => verifyCallback,
+  };
 });

+// Mock passport
+jest.mock('passport', () => ({
+  use: jest.fn(),
+}));
+
 describe('setupOpenId', () => {
+  // Store a reference to the verify callback once it's set up
+  let verifyCallback;
+
  // Helper to wrap the verify callback in a promise
-  const validate = (tokenset, userinfo) =>
+  const validate = (tokenset) =>
    new Promise((resolve, reject) => {
-      verifyCallback(tokenset, userinfo, (err, user, details) => {
+      verifyCallback(tokenset, (err, user, details) => {
        if (err) {
          reject(err);
        } else {
@ -66,17 +98,16 @@ describe('setupOpenId', () => {
  const tokenset = {
    id_token: 'fake_id_token',
    access_token: 'fake_access_token',
-  };
-
-  const baseUserinfo = {
-    sub: '1234',
-    email: 'test@example.com',
-    email_verified: true,
-    given_name: 'First',
-    family_name: 'Last',
-    name: 'My Full',
-    username: 'flast',
-    picture: 'https://example.com/avatar.png',
+    claims: () => ({
+      sub: '1234',
+      email: 'test@example.com',
+      email_verified: true,
+      given_name: 'First',
+      family_name: 'Last',
+      name: 'My Full',
+      username: 'flast',
+      picture: 'https://example.com/avatar.png',
+    }),
  };

  beforeEach(async () => {
@ -96,6 +127,7 @@ describe('setupOpenId', () => {
    delete process.env.OPENID_USERNAME_CLAIM;
    delete process.env.OPENID_NAME_CLAIM;
    delete process.env.PROXY;
+    delete process.env.OPENID_USE_PKCE;

    // Default jwtDecode mock returns a token that includes the required role.
    jwtDecode.mockReturnValue({
@ -120,16 +152,17 @@ describe('setupOpenId', () => {
    };
    fetch.mockResolvedValue(fakeResponse);

-    // Finally, call the setup function so that passport.use gets called
+    // Call the setup function and capture the verify callback
    await setupOpenId();
+    verifyCallback = require('openid-client/passport').__getVerifyCallback();
  });

  it('should create a new user with correct username when username claim exists', async () => {
    // Arrange – our userinfo already has username 'flast'
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);

    // Assert
    expect(user.username).toBe(userinfo.username);
@ -148,13 +181,13 @@ describe('setupOpenId', () => {

  it('should use given_name as username when username claim is missing', async () => {
    // Arrange – remove username from userinfo
-    const userinfo = { ...baseUserinfo };
+    const userinfo = { ...tokenset.claims() };
    delete userinfo.username;
    // Expect the username to be the given name (unchanged case)
    const expectUsername = userinfo.given_name;

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate({ ...tokenset, claims: () => userinfo });

    // Assert
    expect(user.username).toBe(expectUsername);
@ -167,13 +200,13 @@ describe('setupOpenId', () => {

  it('should use email as username when username and given_name are missing', async () => {
    // Arrange – remove username and given_name
-    const userinfo = { ...baseUserinfo };
+    const userinfo = { ...tokenset.claims() };
    delete userinfo.username;
    delete userinfo.given_name;
    const expectUsername = userinfo.email;

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate({ ...tokenset, claims: () => userinfo });

    // Assert
    expect(user.username).toBe(expectUsername);
@ -187,10 +220,10 @@ describe('setupOpenId', () => {
  it('should override username with OPENID_USERNAME_CLAIM when set', async () => {
    // Arrange – set OPENID_USERNAME_CLAIM so that the sub claim is used
    process.env.OPENID_USERNAME_CLAIM = 'sub';
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);

    // Assert – username should equal the sub (converted as-is)
    expect(user.username).toBe(userinfo.sub);
@ -203,11 +236,11 @@ describe('setupOpenId', () => {

  it('should set the full name correctly when given_name and family_name exist', async () => {
    // Arrange
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
    const expectedFullName = `${userinfo.given_name} ${userinfo.family_name}`;

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);

    // Assert
    expect(user.name).toBe(expectedFullName);
@ -216,10 +249,10 @@ describe('setupOpenId', () => {
  it('should override full name with OPENID_NAME_CLAIM when set', async () => {
    // Arrange – use the name claim as the full name
    process.env.OPENID_NAME_CLAIM = 'name';
-    const userinfo = { ...baseUserinfo, name: 'Custom Name' };
+    const userinfo = { ...tokenset.claims(), name: 'Custom Name' };

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate({ ...tokenset, claims: () => userinfo });

    // Assert
    expect(user.name).toBe('Custom Name');
@ -230,31 +263,31 @@ describe('setupOpenId', () => {
    const existingUser = {
      _id: 'existingUserId',
      provider: 'local',
-      email: baseUserinfo.email,
+      email: tokenset.claims().email,
      openidId: '',
      username: '',
      name: '',
    };
    findUser.mockImplementation(async (query) => {
-      if (query.openidId === baseUserinfo.sub || query.email === baseUserinfo.email) {
+      if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
        return existingUser;
      }
      return null;
    });

-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();

    // Act
-    await validate(tokenset, userinfo);
+    await validate(tokenset);

    // Assert – updateUser should be called and the user object updated
    expect(updateUser).toHaveBeenCalledWith(
      existingUser._id,
      expect.objectContaining({
        provider: 'openid',
-        openidId: baseUserinfo.sub,
-        username: baseUserinfo.username,
-        name: `${baseUserinfo.given_name} ${baseUserinfo.family_name}`,
+        openidId: userinfo.sub,
+        username: userinfo.username,
+        name: `${userinfo.given_name} ${userinfo.family_name}`,
      }),
    );
  });
@ -264,10 +297,10 @@ describe('setupOpenId', () => {
    jwtDecode.mockReturnValue({
      roles: ['SomeOtherRole'],
    });
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();

    // Act
-    const { user, details } = await validate(tokenset, userinfo);
+    const { user, details } = await validate(tokenset);

    // Assert – verify that the strategy rejects login
    expect(user).toBe(false);
@ -276,10 +309,10 @@ describe('setupOpenId', () => {

  it('should attempt to download and save the avatar if picture is provided', async () => {
    // Arrange – ensure userinfo contains a picture URL
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();

    // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);

    // Assert – verify that download was attempted and the avatar field was set via updateUser
    expect(fetch).toHaveBeenCalled();
@ -289,14 +322,25 @@ describe('setupOpenId', () => {

  it('should not attempt to download avatar if picture is not provided', async () => {
    // Arrange – remove picture
-    const userinfo = { ...baseUserinfo };
+    const userinfo = { ...tokenset.claims() };
    delete userinfo.picture;

    // Act
-    await validate(tokenset, userinfo);
+    await validate({ ...tokenset, claims: () => userinfo });

    // Assert – fetch should not be called and avatar should remain undefined or empty
    expect(fetch).not.toHaveBeenCalled();
    // Depending on your implementation, user.avatar may be undefined or an empty string.
  });
+
+  it('should default to usePKCE false when OPENID_USE_PKCE is not defined', async () => {
+    const OpenIDStrategy = require('openid-client/passport').Strategy;
+
+    delete process.env.OPENID_USE_PKCE;
+    await setupOpenId();
+
+    const callOptions = OpenIDStrategy.mock.calls[OpenIDStrategy.mock.calls.length - 1][0];
+    expect(callOptions.usePKCE).toBe(false);
+    expect(callOptions.params?.code_challenge_method).toBeUndefined();
+  });
 });
--- a/api/strategies/socialLogin.js
+++ b/api/strategies/socialLogin.js
@ -7,7 +7,8 @@ const socialLogin =
  (provider, getProfileDetails) => async (accessToken, refreshToken, idToken, profile, cb) => {
    try {
      const { email, id, avatarUrl, username, name, emailVerified } = getProfileDetails({
-        idToken, profile,
+        idToken,
+        profile,
      });

      const oldUser = await findUser({ email: email.trim() });
--- a/api/test/mocks/openid-client-passport.js
+++ b/api/test/mocks/openid-client-passport.js
@ -0,0 +1,6 @@
+// api/test/__mocks__/openid-client-passport.js
+const Strategy = jest.fn().mockImplementation((options, verify) => {
+  return { name: 'mocked-openid-passport-strategy', options, verify };
+});
+
+module.exports = { Strategy };
--- a/api/test/mocks/openid-client.js
+++ b/api/test/mocks/openid-client.js
@ -0,0 +1,67 @@
+// api/test/__mocks__/openid-client.js
+module.exports = {
+  Issuer: {
+    discover: jest.fn().mockResolvedValue({
+      Client: jest.fn().mockImplementation(() => ({
+        authorizationUrl: jest.fn().mockReturnValue('mock_auth_url'),
+        callback: jest.fn().mockResolvedValue({
+          access_token: 'mock_access_token',
+          id_token: 'mock_id_token',
+          claims: () => ({
+            sub: 'mock_sub',
+            email: 'mock@example.com',
+          }),
+        }),
+        userinfo: jest.fn().mockResolvedValue({
+          sub: 'mock_sub',
+          email: 'mock@example.com',
+        }),
+      })),
+    }),
+  },
+  Strategy: jest.fn().mockImplementation((options, verify) => {
+    // Store verify to call it if needed, or just mock the strategy behavior
+    return { name: 'openid-mock-strategy' };
+  }),
+  custom: {
+    setHttpOptionsDefaults: jest.fn(),
+  },
+  // Add any other exports from openid-client that are used directly
+  // For example, if your code uses `client.Issuer.discover`, then mock `Issuer`
+  // If it uses `new Strategy()`, then mock `Strategy`
+  // Based on openidStrategy.js, it uses:
+  // const client = require('openid-client'); -> client.discovery, client.fetchUserInfo, client.genericGrantRequest
+  // const { Strategy: OpenIDStrategy } = require('openid-client/passport');
+  // So the mock needs to cover these.
+  // The provided mock in openidStrategy.spec.js is a good reference.
+
+  // Simpler mock based on the spec file:
+  discovery: jest.fn().mockResolvedValue({
+    clientId: 'fake_client_id',
+    clientSecret: 'fake_client_secret',
+    issuer: 'https://fake-issuer.com',
+    Client: jest.fn().mockImplementation(() => ({
+      authorizationUrl: jest.fn().mockReturnValue('mock_auth_url'),
+      callback: jest.fn().mockResolvedValue({
+        access_token: 'mock_access_token',
+        id_token: 'mock_id_token',
+        claims: () => ({
+          sub: 'mock_sub',
+          email: 'mock@example.com',
+        }),
+      }),
+      userinfo: jest.fn().mockResolvedValue({
+        sub: 'mock_sub',
+        email: 'mock@example.com',
+      }),
+      grant: jest.fn().mockResolvedValue({ access_token: 'mock_grant_token' }), // For genericGrantRequest
+    })),
+  }),
+  fetchUserInfo: jest.fn().mockResolvedValue({
+    preferred_username: 'preferred_username',
+  }),
+  genericGrantRequest: jest
+    .fn()
+    .mockResolvedValue({ access_token: 'mock_grant_access_token', expires_in: 3600 }),
+  customFetch: Symbol('customFetch'),
+};