
Conversation


@SollalF SollalF commented Aug 4, 2025

  • Updated .env.example to include OPENID_AUDIENCE variable for configuration.
  • Enhanced openidStrategy to set the audience parameter in authorization requests if specified, improving OpenID integration.


SollalF commented Aug 4, 2025

OpenID Connect Auth0 JWT Token Fix

Problem Description

When using Auth0 as an OpenID Connect provider with OPENID_REUSE_TOKENS=true, LibreChat experiences an infinite refresh loop. This occurs because:

  1. Auth0 returns encrypted access tokens (JWE) by default instead of signed JWTs
  2. LibreChat's openidJwt strategy expects standard JWTs that can be validated using JWKS
  3. When the encrypted tokens fail validation, authentication fails, triggering client retries and creating an infinite loop

Root Cause

Auth0 issues Opaque Tokens by default for security reasons. These tokens cannot be validated by LibreChat's JWT validation logic, which expects signed JWTs (JWS) that can be verified using the provider's JWKS endpoint.

Solution

The fix modifies the authorizationRequestParams method in CustomOpenIDStrategy to explicitly pass the audience parameter to Auth0 during the authorization request.

When audience is specified in the authorization request, Auth0 is instructed to issue JWT access tokens instead of encrypted tokens. See the Auth0 documentation.

Testing the issue

Create an Auth0 Application

  1. Go to Auth0 Dashboard → Applications → Applications
  2. Click "Create Application"
  3. Name: LibreChat (or your preferred name)
  4. Application Type: Select "Single Page Application"
  5. Click "Create"

Configure Application

  1. Go to Settings tab:
  2. Allowed Callback URLs: http://localhost:3080/oauth/openid/callback

Environment Variables

# OpenID Connect Configuration
OPENID_ISSUER=https://your-tenant.auth0.com
OPENID_CLIENT_ID=your_client_id_from_auth0_app
OPENID_CLIENT_SECRET=your_client_secret_from_auth0_app
OPENID_CALLBACK_URL=/oauth/openid/callback

# Token Configuration
OPENID_REUSE_TOKENS=true
OPENID_SCOPE=openid profile email offline_access

# Security Settings
OPENID_USE_PKCE=true

Run LibreChat

  1. Run LibreChat
  2. On the login screen click Continue with OpenID

Expected results

The page should reload over and over again

Fix

Create an Auth0 API

  1. Go to Auth0 Dashboard → Applications → APIs
  2. Click "Create API"
  3. Configure the API:
    - Name: LibreChat API (or your preferred name)
    - Identifier: https://api.librechat.com (or your preferred identifier)
  4. Click "Create"

Configure Offline Access in the API

  1. Go to Settings → Access Settings
  2. Enable Allow Offline Access

Add this to Environment Variables

# Set this to your Auth0 API identifier
OPENID_AUDIENCE=https://api.librechat.com

Run LibreChat

  1. Run LibreChat
  2. On the login screen click Continue with OpenID

Expected results

The page should log in as expected

How the Fix Works

  1. API Creation: By creating an Auth0 API, you define an audience that Auth0 will use when issuing tokens.

  2. Audience Parameter: The OPENID_AUDIENCE environment variable is passed to Auth0 during the authorization request, instructing Auth0 to issue JWT access tokens instead of encrypted tokens.

  3. JWT Tokens: With the audience specified, Auth0 will return signed JWTs that LibreChat can validate using the JWKS endpoint, preventing the infinite refresh loop.
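
The mechanism described in this comment, as an added example that is not LibreChat's openidStrategy.js: `buildAuthorizationParams` adds `audience` to the authorization request only when OPENID_AUDIENCE is configured (the default scope and the `env` argument standing in for process.env are assumptions), and `classifyAccessToken` tells a signed JWT (JWS, verifiable against JWKS) apart from an encrypted (JWE) or opaque token so a misconfigured provider surfaces as a configuration error instead of an endless refresh loop.

```javascript
// Added example, not LibreChat's openidStrategy.js. It builds the authorization
// request the way the fix describes (audience only when OPENID_AUDIENCE is set)
// and classifies the returned access token so an unverifiable one is reported.

// `env` stands in for process.env; the default scope is an assumption.
function buildAuthorizationParams(env, codeChallenge) {
  const params = {
    scope: env.OPENID_SCOPE || 'openid profile email',
    response_type: 'code',
    redirect_uri: env.OPENID_CALLBACK_URL,
  };
  if (env.OPENID_USE_PKCE === 'true') {
    params.code_challenge = codeChallenge;
    params.code_challenge_method = 'S256';
  }
  // Without `audience`, Auth0 issues an access token a JWKS verifier cannot
  // validate; with it, Auth0 issues a signed JWT for that API.
  if (env.OPENID_AUDIENCE) {
    params.audience = env.OPENID_AUDIENCE;
  }
  return params;
}

// Decode one base64url JOSE segment into an object (no signature check here).
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// 'jws' (3 segments, signed: verify against the issuer's JWKS), 'jwe' (5
// segments with `enc`: a JWKS verifier cannot read it) or 'opaque' (anything
// else, malformed input included). Only 'jws' is worth sending to JWKS.
function classifyAccessToken(token) {
  const parts = String(token).split('.');
  try {
    if (parts.length === 3) {
      const { alg } = decodeSegment(parts[0]);
      return alg && alg !== 'none' ? 'jws' : 'opaque';
    }
    if (parts.length === 5) {
      return decodeSegment(parts[0]).enc ? 'jwe' : 'opaque';
    }
  } catch (e) { /* not valid base64url/JSON */ }
  return 'opaque';
}

// Constructed sample tokens: real headers, dummy body/signature/ciphertext.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_JWS = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64({ sub: 'u1' })}.sig`;
const SAMPLE_JWE = `${b64({ alg: 'dir', enc: 'A256GCM' })}..iv.ciphertext.tag`;
```

A strategy that logs the classification on every login attempt gives a one-line answer to "why does the page keep reloading" before anyone touches the Auth0 dashboard.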

@danny-avila danny-avila changed the title from "✨ feat: Add OpenID audience parameter support in authorization requests" to "✨ feat: Add OpenID Audience Parameter" Aug 4, 2025
@danny-avila danny-avila changed the base branch from main to dev August 4, 2025 18:49
@danny-avila danny-avila merged commit fcefc6e into danny-avila:dev Aug 4, 2025
5 checks passed
xycjscs pushed a commit to xycjscs/LibreChat that referenced this pull request Aug 9, 2025
* ✨ feat: Add OpenID audience parameter support in authorization requests

* Updated .env.example to include OPENID_AUDIENCE variable for configuration.
* Enhanced openidStrategy to set the audience parameter in authorization requests if specified, improving OpenID integration.

* Update .env.example

* Update openidStrategy.js

---------

Co-authored-by: Danny Avila <[email protected]>