LibreChat/api/server/routes/admin
Dustin Healy d40c51616e 🔑 feat: Refresh-Capable Google Admin OAuth Sessions
Google admin sessions cannot be refreshed today. Three gaps add up to that:
passport.authenticate('googleAdmin', ...) in api/server/routes/admin/auth.js
never sets access_type=offline, so Google omits the refresh_token from its
token response; createOAuthHandler in api/server/controllers/auth/oauth.js
only forwards a refresh token into the admin exchange payload when the user's
provider is 'openid' AND OPENID_REUSE_TOKENS is enabled; and
/api/admin/oauth/refresh is openid-only, calling openid-client.refreshTokenGrant
against the configured OIDC issuer. OpenID admins refresh transparently
because all three are in place for them.

This PR closes all three. The googleAdmin authenticate call now passes
accessType: 'offline' and prompt: 'consent' so Google issues a refresh token
on consent; the chat-side googleLogin is untouched. The shared socialLogin
verify callback now passes the IdP refreshToken through as passport's third
argument (info), landing on req.authInfo, with the two-argument call shape
preserved when no refresh token is present so existing strategy tests stay
valid. createOAuthHandler reads req.authInfo?.refreshToken for non-OpenID
admin providers and forwards it into the exchange code; the OpenID branch
and its OPENID_REUSE_TOKENS gate are unchanged. /api/admin/oauth/refresh
now accepts an optional provider field ('openid' | 'google', default 'openid').
The new Google branch POSTs grant_type=refresh_token to
https://oauth2.googleapis.com/token, decodes the returned id_token for the sub
claim, looks up the admin user by googleId, enforces tenant scope and
ACCESS_ADMIN, and mints a fresh LibreChat JWT in the same response shape
/oauth/exchange returns. It is gated on GOOGLE_CLIENT_ID and
GOOGLE_CLIENT_SECRET being set (returns 503 GOOGLE_NOT_CONFIGURED otherwise);
unknown provider values return 400 INVALID_PROVIDER.
2026-06-18 07:54:30 -07:00
..
auth.js 🔑 feat: Refresh-Capable Google Admin OAuth Sessions 2026-06-18 07:54:30 -07:00
auth.refresh.test.js 🔑 feat: Refresh-Capable Google Admin OAuth Sessions 2026-06-18 07:54:30 -07:00
config.js 🪦 fix: Add Durable MCP Config Tombstones (#13534) 2026-06-05 15:05:40 -04:00
grants.js ⛩️ feat: Admin Grants API Endpoints (#12438) 2026-03-30 16:49:23 -04:00
groups.js 🛡️ fix: Restrict System Grants to Role Principals (#12491) 2026-03-31 19:25:14 -04:00
roles.js ⛩️ feat: Admin Grants API Endpoints (#12438) 2026-03-30 16:49:23 -04:00
skills.js 🧬 feat: Add GitHub Skill Sync (#13293) 2026-06-10 21:05:54 -04:00
skills.test.js 🧬 feat: Add GitHub Skill Sync (#13293) 2026-06-10 21:05:54 -04:00
users.js 🛡️ fix: Restrict System Grants to Role Principals (#12491) 2026-03-31 19:25:14 -04:00