mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-16 08:20:14 +01:00

Enhanced ChatGPT Clone: Features Agents, MCP, DeepSeek, Anthropic, AWS, OpenAI, Responses API, Azure, Groq, o1, GPT-5, Mistral, OpenRouter, Vertex AI, Gemini, Artifacts, AI model switching, message search, Code Interpreter, langchain, DALL-E-3, OpenAPI Actions, Functions, Secure Multi-User Auth, Presets, open-source for self-hosting. Active. https://librechat.ai/

ai anthropic artifacts aws azure chatgpt chatgpt-clone claude clone deepseek gemini google gpt-5 librechat mcp o1 openai responses-api vision webui

Find a file

Jón Levy ef3bf0a932 🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931 ) * feat: Add OpenID Connect federated provider token support Implements support for passing federated provider tokens (Cognito, Azure AD, Auth0) as variables in LibreChat's librechat.yaml configuration for both custom endpoints and MCP servers. Features: - New LIBRECHAT_OPENID_* template variables for federated provider tokens - JWT claims parsing from ID tokens without verification (for claim extraction) - Token validation with expiration checking - Support for multiple token storage locations (federatedTokens, openidTokens) - Integration with existing template variable system - Comprehensive test suite with Cognito-specific scenarios - Provider-agnostic design supporting Cognito, Azure AD, Auth0, etc. Security: - Server-side only token processing - Automatic token expiration validation - Graceful fallbacks for missing/invalid tokens - No client-side token exposure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Add federated token propagation to OIDC authentication strategies Adds federatedTokens object to user during authentication to enable federated provider token template variables in LibreChat configuration. Changes: - OpenID JWT Strategy: Extract raw JWT from Authorization header and attach as federatedTokens.access_token to enable {{LIBRECHAT_OPENID_TOKEN}} placeholder resolution - OpenID Strategy: Attach tokenset tokens as federatedTokens object to standardize token access across both authentication strategies This enables proper token propagation for custom endpoints and MCP servers that require federated provider tokens for authorization. Resolves missing token issue reported by @ramden in PR #9931 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Denis Ramic <denis.ramic@nfon.com> Co-Authored-By: Claude <noreply@anthropic.com> * test: Add federatedTokens validation tests for OIDC strategies Adds comprehensive test coverage for the federated token propagation feature implemented in the authentication strategies. Tests added: - Verify federatedTokens object is attached to user with correct structure (access_token, refresh_token, expires_at) - Verify both tokenset and federatedTokens are present in user object - Ensure tokens from OIDC provider are correctly propagated Also fixes existing test suite by adding missing mocks: - isEmailDomainAllowed function mock - findOpenIDUser function mock These tests validate the fix from commit `5874ba29f` that enables {{LIBRECHAT_OPENID_TOKEN}} template variable functionality. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: Remove implementation documentation file The PR description already contains all necessary implementation details. This documentation file is redundant and was requested to be removed. * fix: skip s256 check * fix(openid): handle missing refresh token in Cognito token refresh response When OPENID_REUSE_TOKENS=true, the token refresh flow was failing because Cognito (and most OAuth providers) don't return a new refresh token in the refresh grant response - they only return new access and ID tokens. Changes: - Modified setOpenIDAuthTokens() to accept optional existingRefreshToken parameter - Updated validation to only require access_token (refresh_token now optional) - Added logic to reuse existing refresh token when not provided in tokenset - Updated refreshController to pass original refresh token as fallback - Added comments explaining standard OAuth 2.0 refresh token behavior This fixes the "Token is not present. User is not authenticated." error that occurred during silent token refresh with Cognito as the OpenID provider. Fixes: Authentication loop with OPENID_REUSE_TOKENS=true and AWS Cognito * fix(openid): extract refresh token from cookies for template variable replacement When OPENID_REUSE_TOKENS=true, the openIdJwtStrategy populates user.federatedTokens to enable template variable replacement (e.g., {{LIBRECHAT_OPENID_ACCESS_TOKEN}}). However, the refresh_token field was incorrectly sourced from payload.refresh_token, which is always undefined because: 1. JWTs don't contain refresh tokens in their payload 2. The JWT itself IS the access token 3. Refresh tokens are separate opaque tokens stored in HTTP-only cookies This caused extractOpenIDTokenInfo() to receive incomplete federatedTokens, resulting in template variables remaining unreplaced in headers. Root Cause: - Line 90: `refresh_token: payload.refresh_token` (always undefined) - JWTs only contain access token data in their claims - Refresh tokens are separate, stored securely in cookies Solution: - Import `cookie` module to parse cookies from request - Extract refresh token from `refreshToken` cookie - Populate federatedTokens with both access token (JWT) and refresh token (from cookie) Impact: - Template variables like {{LIBRECHAT_OPENID_ACCESS_TOKEN}} now work correctly - Headers in librechat.yaml are properly replaced with actual tokens - MCP server authentication with federated tokens now functional Technical Details: - passReqToCallback=true in JWT strategy provides req object access - Refresh token extracted via cookies.parse(req.headers.cookie).refreshToken - Falls back gracefully if cookie header or refreshToken is missing 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: re-resolve headers on each request to pick up fresh federatedTokens - OpenAIClient now re-resolves headers in chatCompletion() before each API call - This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} are replaced with actual token values from req.user.federatedTokens - initialize.js now stores original template headers instead of pre-resolved ones - Fixes template variable replacement when OPENID_REUSE_TOKENS=true The issue was that headers were only resolved once during client initialization, before openIdJwtStrategy had populated user.federatedTokens. Now headers are re-resolved on every request with the current user's fresh tokens. * debug: add logging to track header resolution in OpenAIClient * debug: log tokenset structure after refresh to diagnose missing access_token * fix: set federatedTokens on user object after OAuth refresh - After successful OAuth token refresh, the user object was not being updated with federatedTokens - This caused template variable resolution to fail on subsequent requests - Now sets user.federatedTokens with access_token, id_token, refresh_token and expires_at from the refreshed tokenset - Fixes template variables like {{LIBRECHAT_OPENID_TOKEN}} not being replaced after token refresh - Related to PR #9931 (OpenID federated token support) * fix(openid): pass user object through agent chain for template variable resolution Root cause: buildAgentContext in agents/run.ts called resolveHeaders without the user parameter, preventing OpenID federated token template variables from being resolved in agent runtime parameters. Changes: - packages/api/src/agents/run.ts: Add user parameter to createRun signature - packages/api/src/agents/run.ts: Pass user to resolveHeaders in buildAgentContext - api/server/controllers/agents/client.js: Pass user when calling createRun - api/server/services/Endpoints/bedrock/options.js: Add resolveHeaders call with debug logging - api/server/services/Endpoints/custom/initialize.js: Add debug logging - packages/api/src/utils/env.ts: Add comprehensive debug logging and stack traces - packages/api/src/utils/oidc.ts: Fix eslint errors (unused type, explicit any) This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} and {{LIBRECHAT_USER_OPENIDID}} are properly resolved in both custom endpoint headers and Bedrock AgentCore runtime parameters. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * refactor: remove debug logging from OpenID token template feature Removed excessive debug logging that was added during development to make the PR more suitable for upstream review: - Removed 7 debug statements from OpenAIClient.js - Removed all console.log statements from packages/api/src/utils/env.ts - Removed debug logging from bedrock/options.js - Removed debug logging from custom/initialize.js - Removed debug statement from AuthController.js This reduces the changeset by ~50 lines while maintaining full functionality of the OpenID federated token template variable feature. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * test(openid): add comprehensive unit tests for template variable substitution - Add 34 unit tests for OIDC token utilities (oidc.spec.ts) - Test coverage for token extraction, validation, and placeholder processing - Integration tests for full OpenID token flow - All tests pass with comprehensive edge case coverage 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> * test: fix OpenID federated tokens test failures - Add serverMetadata() mock to openid-client mock configuration * Fixes TypeError in openIdJwtStrategy.js where serverMetadata() was being called * Mock now returns jwks_uri and end_session_endpoint as expected by the code - Update outdated initialize.spec.js test * Remove test expecting resolveHeaders call during initialization * Header resolution was refactored to be deferred until LLM request time * Update test to verify options are returned correctly with useLegacyContent flag Fixes #9931 CI failures for backend unit tests 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: fix package-lock.json conflict * chore: sync package-log with upstream * chore: cleanup * fix: use createSafeUser * fix: fix createSafeUser signature * chore: remove comments * chore: purge comments * fix: update Jest testPathPattern to testPathPatterns for Jest 30+ compatibility --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Denis Ramic <denis.ramic@nfon.com> Co-authored-by: kristjanaapro <kristjana@apro.is> chore: import order and add back JSDoc for OpenID JWT callback		2025-11-21 09:51:11 -05:00
.devcontainer	🐋 chore: remove Docker version syntax as its no longer (#4375 )	2024-10-19 08:22:26 -04:00
.github	🐛 fix: Redis Cluster Bug + 🧪 Enhance Test Coverage (#10518 )	2025-11-16 11:58:52 -05:00
.husky	⚡ refactor: Latest Message Tracking with Robust Text Key Generation (#10059 )	2025-10-10 04:22:16 -04:00
.vscode	🔐 feat: Granular Role-based Permissions + Entra ID Group Discovery (#7804 )	2025-08-13 16:24:17 -04:00
api	🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931 )	2025-11-21 09:51:11 -05:00
client	☕ feat: Prevent Screen Sleep During Response Generation (#10597 )	2025-11-21 09:14:32 -05:00
config	🪂 refactor: MCP Server Init Fallback (#10608 )	2025-11-20 16:47:00 -05:00
e2e	✨ v0.8.1-rc1 (#10316 )	2025-10-30 16:36:54 -04:00
helm	🪣 feat: Init Containers and Custom ConfigMaps Support in Helm Chart (#10525 )	2025-11-16 12:03:34 -05:00
packages	🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931 )	2025-11-21 09:51:11 -05:00
redis-config	🔄 refactor: Migrate Cache Logic to TypeScript (#9771 )	2025-10-02 09:33:58 -04:00
src/tests	🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931 )	2025-11-21 09:51:11 -05:00
utils	🐋 chore: switch from `ankane/pgvector` to `pgvector/pgvector` (#9245 )	2025-08-27 02:04:58 -04:00
.dockerignore	🐳 : Further Docker build Cleanup & Docs Update (#1502 )	2024-01-06 11:59:08 -05:00
.env.example	🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931 )	2025-11-21 09:51:11 -05:00
.gitignore	🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931 )	2025-11-21 09:51:11 -05:00
.prettierrc	🧹 chore: Migrate to Flat ESLint Config & Update Prettier Settings (#5737 )	2025-02-09 12:15:20 -05:00
bun.lockb	📦 chore: bump `vite` to address low severity vulns (#9553 )	2025-09-10 14:56:46 -04:00
CHANGELOG.md	📜 docs: Unreleased Changelog (#7560 )	2025-05-27 15:47:36 -04:00
deploy-compose.yml	🐋 chore: switch from `ankane/pgvector` to `pgvector/pgvector` (#9245 )	2025-08-27 02:04:58 -04:00
docker-compose.override.yml.example	🔑 feat: SAML authentication (#6169 )	2025-05-29 11:00:58 -04:00
docker-compose.yml	🧹 chore: Cleanup Logger and Utility Imports (#9935 )	2025-10-01 23:30:47 -04:00
Dockerfile	✨ v0.8.1-rc1 (#10316 )	2025-10-30 16:36:54 -04:00
Dockerfile.multi	✨ v0.8.1-rc1 (#10316 )	2025-10-30 16:36:54 -04:00
eslint.config.mjs	🚌 fix: MCP Runtime Errors while Initializing (#9046 )	2025-08-13 14:41:38 -04:00
librechat.example.yaml	🌉 feat: Integrate Helicone AI Gateway Provider (#10287 )	2025-11-13 08:45:32 -05:00
LICENSE	⚖️ docs: Update LICENSE.md Year: 2024 -> 2025 (#5915 )	2025-02-17 10:39:46 -05:00
package-lock.json	📷 fix: Use 'media' type for Google multimodal attachments (#10586 )	2025-11-19 18:31:05 -05:00
package.json	🔬 refactor: Prevent Automatic MCP Server UI Deselection (#10588 )	2025-11-19 17:10:25 -05:00
rag.yml	🐋 chore: switch from `ankane/pgvector` to `pgvector/pgvector` (#9245 )	2025-08-27 02:04:58 -04:00
README.md	🌉 feat: Integrate Helicone AI Gateway Provider (#10287 )	2025-11-13 08:45:32 -05:00

README.md

LibreChat

✨ Features

🖥️ UI & Experience inspired by ChatGPT with enhanced design and features
🤖 AI Model Selection:
- Anthropic (Claude), AWS Bedrock, OpenAI, Azure OpenAI, Google, Vertex AI, OpenAI Responses API (incl. Azure)
- Custom Endpoints: Use any OpenAI-compatible API with LibreChat, no proxy required
- Compatible with Local & Remote AI Providers:
  - Ollama, groq, Cohere, Mistral AI, Apple MLX, koboldcpp, together.ai,
  - OpenRouter, Helicone, Perplexity, ShuttleAI, Deepseek, Qwen, and more
🔧 Code Interpreter API:
- Secure, Sandboxed Execution in Python, Node.js (JS/TS), Go, C/C++, Java, PHP, Rust, and Fortran
- Seamless File Handling: Upload, process, and download files directly
- No Privacy Concerns: Fully isolated and secure execution
🔦 Agents & Tools Integration:
- LibreChat Agents:
  - No-Code Custom Assistants: Build specialized, AI-driven helpers
  - Agent Marketplace: Discover and deploy community-built agents
  - Collaborative Sharing: Share agents with specific users and groups
  - Flexible & Extensible: Use MCP Servers, tools, file search, code execution, and more
  - Compatible with Custom Endpoints, OpenAI, Azure, Anthropic, AWS Bedrock, Google, Vertex AI, Responses API, and more
  - Model Context Protocol (MCP) Support for Tools
🔍 Web Search:
- Search the internet and retrieve relevant information to enhance your AI context
- Combines search providers, content scrapers, and result rerankers for optimal results
- Customizable Jina Reranking: Configure custom Jina API URLs for reranking services
- Learn More →
🪄 Generative UI with Code Artifacts:
- Code Artifacts allow creation of React, HTML, and Mermaid diagrams directly in chat
🎨 Image Generation & Editing
- Text-to-image and image-to-image with GPT-Image-1
- Text-to-image with DALL-E (3/2), Stable Diffusion, Flux, or any MCP server
- Produce stunning visuals from prompts or refine existing images with a single instruction
💾 Presets & Context Management:
- Create, Save, & Share Custom Presets
- Switch between AI Endpoints and Presets mid-chat
- Edit, Resubmit, and Continue Messages with Conversation branching
- Create and share prompts with specific users and groups
- Fork Messages & Conversations for Advanced Context control
💬 Multimodal & File Interactions:
- Upload and analyze images with Claude 3, GPT-4.5, GPT-4o, o1, Llama-Vision, and Gemini 📸
- Chat with Files using Custom Endpoints, OpenAI, Azure, Anthropic, AWS Bedrock, & Google 🗃️
🌎 Multilingual UI:
- English, 中文 (简体), 中文 (繁體), العربية, Deutsch, Español, Français, Italiano
- Polski, Português (PT), Português (BR), Русский, 日本語, Svenska, 한국어, Tiếng Việt
- Türkçe, Nederlands, עברית, Català, Čeština, Dansk, Eesti, فارسی
- Suomi, Magyar, Հայերեն, Bahasa Indonesia, ქართული, Latviešu, ไทย, ئۇيغۇرچە
🧠 Reasoning UI:
- Dynamic Reasoning UI for Chain-of-Thought/Reasoning AI models like DeepSeek-R1
🎨 Customizable Interface:
- Customizable Dropdown & Interface that adapts to both power users and newcomers
🗣️ Speech & Audio:
- Chat hands-free with Speech-to-Text and Text-to-Speech
- Automatically send and play Audio
- Supports OpenAI, Azure OpenAI, and Elevenlabs
📥 Import & Export Conversations:
- Import Conversations from LibreChat, ChatGPT, Chatbot UI
- Export conversations as screenshots, markdown, text, json
🔍 Search & Discovery:
- Search all messages/conversations
👥 Multi-User & Secure Access:
- Multi-User, Secure Authentication with OAuth2, LDAP, & Email Login Support
- Built-in Moderation, and Token spend tools
⚙️ Configuration & Deployment:
- Configure Proxy, Reverse Proxy, Docker, & many Deployment options
- Use completely local or deploy on the cloud
📖 Open-Source & Community:
- Completely Open-Source & Built in Public
- Community-driven development, support, and feedback

For a thorough review of our features, see our docs here 📚

🪶 All-In-One AI Conversations with LibreChat

LibreChat brings together the future of assistant AIs with the revolutionary technology of OpenAI's ChatGPT. Celebrating the original styling, LibreChat gives you the ability to integrate multiple AI models. It also integrates and enhances original client features such as conversation and message search, prompt templates and plugins.

With LibreChat, you no longer need to opt for ChatGPT Plus and can instead use free or pay-per-call APIs. We welcome contributions, cloning, and forking to enhance the capabilities of this advanced chatbot platform.

Click on the thumbnail to open the video☝️

🌐 Resources

GitHub Repo:

RAG API: github.com/danny-avila/rag_api
Website: github.com/LibreChat-AI/librechat.ai

Other:

Website: librechat.ai
Documentation: librechat.ai/docs
Blog: librechat.ai/blog

📝 Changelog

Keep up with the latest updates by visiting the releases page and notes:

⚠️ Please consult the changelog for breaking changes before updating.

⭐ Star History

✨ Contributions

Contributions, suggestions, bug reports and fixes are welcome!

For new features, components, or extensions, please open an issue and discuss before sending a PR.

If you'd like to help translate LibreChat into your language, we'd love your contribution! Improving our translations not only makes LibreChat more accessible to users around the world but also enhances the overall user experience. Please check out our Translation Guide.

💖 This project exists in its current state thanks to all the people who contribute

🎉 Special Thanks

We thank Locize for their translation management tools that support multiple languages in LibreChat.