mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-06-26 17:31:27 +00:00
* feat: Add OpenID Connect federated provider token support
Implements support for passing federated provider tokens (Cognito, Azure AD, Auth0)
as variables in LibreChat's librechat.yaml configuration for both custom endpoints
and MCP servers.
Features:
- New LIBRECHAT_OPENID_* template variables for federated provider tokens
- JWT claims parsing from ID tokens without verification (for claim extraction)
- Token validation with expiration checking
- Support for multiple token storage locations (federatedTokens, openidTokens)
- Integration with existing template variable system
- Comprehensive test suite with Cognito-specific scenarios
- Provider-agnostic design supporting Cognito, Azure AD, Auth0, etc.
Security:
- Server-side only token processing
- Automatic token expiration validation
- Graceful fallbacks for missing/invalid tokens
- No client-side token exposure
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Add federated token propagation to OIDC authentication strategies
Adds federatedTokens object to user during authentication to enable
federated provider token template variables in LibreChat configuration.
Changes:
- OpenID JWT Strategy: Extract raw JWT from Authorization header and
  attach as federatedTokens.access_token to enable {{LIBRECHAT_OPENID_TOKEN}}
  placeholder resolution
- OpenID Strategy: Attach tokenset tokens as federatedTokens object to
  standardize token access across both authentication strategies
This enables proper token propagation for custom endpoints and MCP
servers that require federated provider tokens for authorization.
Resolves missing token issue reported by @ramden in PR #9931
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Denis Ramic <denis.ramic@nfon.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* test: Add federatedTokens validation tests for OIDC strategies
Adds comprehensive test coverage for the federated token propagation
feature implemented in the authentication strategies.
Tests added:
- Verify federatedTokens object is attached to user with correct structure
  (access_token, refresh_token, expires_at)
- Verify both tokenset and federatedTokens are present in user object
- Ensure tokens from OIDC provider are correctly propagated
Also fixes existing test suite by adding missing mocks:
- isEmailDomainAllowed function mock
- findOpenIDUser function mock
These tests validate the fix from commit
| Name |
|---|
| __tests__ |
| axios.spec.ts |
| axios.ts |
| azure.spec.ts |
| azure.ts |
| common.spec.ts |
| common.ts |
| content.spec.ts |
| content.ts |
| email.ts |
| env.spec.ts |
| env.ts |
| events.ts |
| files.spec.ts |
| files.ts |
| generators.ts |
| http.ts |
| index.ts |
| key.test.ts |
| key.ts |
| latex.spec.ts |
| latex.ts |
| llm.test.ts |
| llm.ts |
| math.ts |
| oidc.spec.ts |
| oidc.ts |
| openid.ts |
| promise.spec.ts |
| promise.ts |
| sanitizeTitle.spec.ts |
| sanitizeTitle.ts |
| tempChatRetention.spec.ts |
| tempChatRetention.ts |
| text.ts |
| tokenizer.spec.ts |
| tokenizer.ts |
| tokens.ts |
| yaml.ts |