From 86641718a088252e4f20ea523943c9067ae64112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B3n=20Levy?= Date: Wed, 7 Jan 2026 20:00:04 +0000 Subject: [PATCH] docs(auth): add OpenID Connect token placeholders and OPENID_EXPOSE_SUB_COOKIE documentation - Added OPENID_EXPOSE_SUB_COOKIE environment variable documentation in token-reuse.mdx - Added table of seven available OpenID token placeholders in custom_endpoint.mdx - Documented placeholders: access token, ID token, user ID, email, name, and expiration - Added practical usage example showing OpenID tokens in custom endpoint headers - Explains cross-origin OAuth callback flow support for advanced authentication scenarios Generated with Claude Code Co-Authored-By: Claude --- .../OAuth2-OIDC/token-reuse.mdx | 4 +++ .../object_structure/custom_endpoint.mdx | 27 +++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx index 82279632d..f130bffc5 100644 --- a/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx +++ b/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx @@ -114,6 +114,9 @@ OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE=user.read # Logout Configuration OPENID_USE_END_SESSION_ENDPOINT=true + +# Cross-origin OAuth Callback Support (optional, independent of OPENID_REUSE_TOKENS) +# OPENID_EXPOSE_SUB_COOKIE=true ``` ## Additional Configuration Options 
@@ -124,6 +127,7 @@ OPENID_USE_END_SESSION_ENDPOINT=true - `OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED`: Enables on-behalf-of flow for user info (Azure-specific) - `OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE`: Scope for user info in on-behalf-of flow (Azure-specific) - `OPENID_USE_END_SESSION_ENDPOINT`: Enables use of the end session endpoint for logout +- `OPENID_EXPOSE_SUB_COOKIE`: Exposes a JWT-signed cookie containing the OpenID `sub` claim with `sameSite=lax`. This enables cross-origin OAuth callback flows (e.g., AWS Bedrock AgentCore 3LO). Can be used independently of `OPENID_REUSE_TOKENS`. ## Security Considerations diff --git a/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx b/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx index 0b220fa61..e0368dece 100644 --- a/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx +++ b/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx 
@@ -490,6 +490,33 @@ headers: X-Message-ID: "{{LIBRECHAT_BODY_MESSAGEID}}" ``` +**Available OpenID Token Placeholders:** + +These placeholders are available when using OpenID Connect authentication. They extract values from the OpenID tokens stored in the user's session. + +| Placeholder | Description | +|-------------|-------------| +| `{{LIBRECHAT_OPENID_TOKEN}}` | OpenID access token (generic alias for ACCESS_TOKEN) | +| `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` | OpenID access token | +| `{{LIBRECHAT_OPENID_ID_TOKEN}}` | OpenID ID token | +| `{{LIBRECHAT_OPENID_USER_ID}}` | User ID from OpenID claims (sub claim or openidId) | +| `{{LIBRECHAT_OPENID_USER_EMAIL}}` | User email from OpenID claims | +| `{{LIBRECHAT_OPENID_USER_NAME}}` | User name from OpenID claims | +| `{{LIBRECHAT_OPENID_EXPIRES_AT}}` | Token expiration timestamp (Unix epoch seconds) | + + +These placeholders require OpenID Connect authentication to be configured. The token values are extracted from the `federatedTokens` or `openidTokens` properties on the user object, which are populated during the OpenID authentication flow. + + +**Example using OpenID token placeholders:** + +```yaml filename="endpoints / custom / headers with OpenID tokens" +headers: + Authorization: "Bearer {{LIBRECHAT_OPENID_ACCESS_TOKEN}}" + X-ID-Token: "{{LIBRECHAT_OPENID_ID_TOKEN}}" + X-User-Sub: "{{LIBRECHAT_OPENID_USER_ID}}" +``` + ## directEndpoint **Key:**
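Review bot: in the first token-reuse.mdx hunk the new commented-out line `# OPENID_EXPOSE_SUB_COOKIE=true` tells a reader copying the env block nothing about what enabling it exposes, and the comment above it only says "optional, independent of OPENID_REUSE_TOKENS". Suggest extending that comment along the lines of `# Sets a signed cookie carrying the OpenID sub claim; enable only if a cross-origin OAuth callback needs it` so the option is not switched on by reflex, and consider stating the default value explicitly next to it.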
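Review bot: the second token-reuse.mdx hunk describes the cookie as "JWT-signed", which gives integrity but not confidentiality, so the user's `sub` identifier is readable by anything that can read the cookie, and with `sameSite=lax` the cookie is still attached to top-level cross-site navigations; that is a security-relevant property and belongs in the `## Security Considerations` section that immediately follows the hunk, not only in the option list. The bullet should also state the cookie's name and lifetime, whether it is set with `Secure` and `HttpOnly`, and spell out "3LO" (three-legged OAuth) for readers who do not know the AgentCore flow.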
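Review bot: the custom_endpoint.mdx hunk documents placeholders and an example (`Authorization: "Bearer {{LIBRECHAT_OPENID_ACCESS_TOKEN}}"`) that forward the signed-in user's own bearer credentials to whatever URL the custom endpoint points at, but none of the added text says so; the section should state that these headers belong only on trusted, TLS-protected endpoints and that the identity provider should issue a token scoped and audienced for that backend rather than a broad access token. The `X-ID-Token: "{{LIBRECHAT_OPENID_ID_TOKEN}}"` line needs its own caveat: an ID token is audienced to the client application, so a receiving API cannot normally accept it as proof of authorization. Finally, document what happens when a placeholder cannot be resolved (no OpenID session, or `federatedTokens`/`openidTokens` missing or past `LIBRECHAT_OPENID_EXPIRES_AT`): whether the header is sent with an empty value, left with the literal placeholder, or omitted, since a silent `Bearer` with nothing after it is a common failure mode.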