Skip to content

docs(auth): add OpenID Connect token placeholders and OPENID_EXPOSE_SUB_COOKIE documentation #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
busla wants to merge 1 commit into from
Closed

docs(auth): add OpenID Connect token placeholders and OPENID_EXPOSE_SUB_COOKIE documentation #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,9 @@ OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE=user.read

# Logout Configuration
OPENID_USE_END_SESSION_ENDPOINT=true

# Cross-origin OAuth Callback Support (optional, independent of OPENID_REUSE_TOKENS)
# OPENID_EXPOSE_SUB_COOKIE=true
```

## Additional Configuration Options
Expand All @@ -124,6 +127,7 @@ OPENID_USE_END_SESSION_ENDPOINT=true
- `OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED`: Enables on-behalf-of flow for user info (Azure-specific)
- `OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE`: Scope for user info in on-behalf-of flow (Azure-specific)
- `OPENID_USE_END_SESSION_ENDPOINT`: Enables use of the end session endpoint for logout
- `OPENID_EXPOSE_SUB_COOKIE`: Exposes a JWT-signed cookie containing the OpenID `sub` claim with `sameSite=lax`. This enables cross-origin OAuth callback flows (e.g., AWS Bedrock AgentCore 3LO). Can be used independently of `OPENID_REUSE_TOKENS`.

## Security Considerations

Expand Down
27 changes: 27 additions & 0 deletions pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -490,6 +490,33 @@ headers:
X-Message-ID: "{{LIBRECHAT_BODY_MESSAGEID}}"
```

**Available OpenID Token Placeholders:**

These placeholders are available when using OpenID Connect authentication. They extract values from the OpenID tokens stored in the user's session.

| Placeholder | Description |
|-------------|-------------|
| `{{LIBRECHAT_OPENID_TOKEN}}` | OpenID access token (generic alias for ACCESS_TOKEN) |
| `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` | OpenID access token |
| `{{LIBRECHAT_OPENID_ID_TOKEN}}` | OpenID ID token |
| `{{LIBRECHAT_OPENID_USER_ID}}` | User ID from OpenID claims (sub claim or openidId) |
| `{{LIBRECHAT_OPENID_USER_EMAIL}}` | User email from OpenID claims |
| `{{LIBRECHAT_OPENID_USER_NAME}}` | User name from OpenID claims |
| `{{LIBRECHAT_OPENID_EXPIRES_AT}}` | Token expiration timestamp (Unix epoch seconds) |

<Callout type="info" title="OpenID Token Availability">
These placeholders require OpenID Connect authentication to be configured. The token values are extracted from the `federatedTokens` or `openidTokens` properties on the user object, which are populated during the OpenID authentication flow.
</Callout>

**Example using OpenID token placeholders:**

```yaml filename="endpoints / custom / headers with OpenID tokens"
headers:
Authorization: "Bearer {{LIBRECHAT_OPENID_ACCESS_TOKEN}}"
X-ID-Token: "{{LIBRECHAT_OPENID_ID_TOKEN}}"
X-User-Sub: "{{LIBRECHAT_OPENID_USER_ID}}"
```

## directEndpoint

**Key:**
Expand Down