Overview

This section will cover how to configure OAuth2 and OpenID Connect with LibreChat

OAuth2

• Apple
• Discord
• Facebook
• GitHub
• Google

OpenID Connect

• Auth0
• AWS Cognito
• Azure Entra/AD
• Keycloak
• Re-use OpenID Tokens for Login Session

Troubleshooting OpenID Connect

If you encounter issues with OpenID Connect authentication:

1. Enable Header Debug Logging: Set DEBUG_OPENID_REQUESTS=true in your environment variables to log request headers in addition to URLs (with sensitive data masked). Note: Request URLs are always logged at debug level
2. Check Redirect URIs: Ensure your callback URL matches exactly between your provider and LibreChat configuration
3. Verify Scopes: Make sure all required scopes are properly configured
4. Review Provider Logs: Check your identity provider's logs for authentication errors
5. Validate Tokens: Ensure your provider is issuing valid tokens with the expected claims
6. Ensure nonce is generated: Some identity providers generate nonce url parameter if it's missing in the request. Set OPENID_GENERATE_NONCE=true to force the openid-client to generate it.

Admin Panel Redirects

If the Admin Panel is hosted on a separate URL from LibreChat, set ADMIN_PANEL_URL in the LibreChat API environment. This tells LibreChat where to send admins after the admin OAuth or SSO callback completes.