Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-14 05:24:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

🪙 refactor: Distinguish ID Tokens from Access Tokens in OIDC Federated Auth (#11711)

Browse source 
* fix(openid): distinguish ID tokens from access tokens in federated auth

Fix OpenID Connect token handling to properly distinguish ID tokens from access tokens. ID tokens and access tokens are now stored and propagated separately, preventing token placeholders from resolving to identical values.

- AuthService.js: Added idToken field to session storage
- openIdJwtStrategy.js: Updated to read idToken from session
- openidStrategy.js: Explicitly included id_token in federatedTokens
- Test suites: Added comprehensive test coverage for token distinction

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(openid): add separate openid_id_token cookie for ID token storage

Store the OIDC ID token in its own cookie rather than relying solely on
the access token, ensuring correct token type is used for identity
verification vs API authorization.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test(openid): add JWT strategy cookie fallback tests

Cover the token source resolution logic in openIdJwtStrategy:
session-only, cookie-only, partial session fallback, raw Bearer
fallback, and distinct id_token/access_token from cookies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jón Levy 2026-02-13 16:07:39 +00:00 committed by GitHub
parent 8e3b717e99
commit dc89e00039
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 253 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
api/server/services/AuthService.js
View file

@ -466,6 +466,7 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) =
if (req.session) {
req.session.openidTokens = {
accessToken: tokenset.access_token,
idToken: tokenset.id_token,
refreshToken: refreshToken,
expiresAt: expirationDate.getTime(),
};
@ -483,6 +484,14 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) =
secure: shouldUseSecureCookie(),
sameSite: 'strict',
});
if (tokenset.id_token) {
res.cookie('openid_id_token', tokenset.id_token, {
expires: expirationDate,
httpOnly: true,
secure: isProduction,
sameSite: 'strict',
});
}
}
/** Small cookie to indicate token provider (required for auth middleware) */