Authentik OIDC errors when signing or encryption keys are used

[GiganticThirstyHerald]

What happened?

I've followed Authentik OIDC setup from documentation, and when I try to login with OIDC, redirects and authentik login works fine, but after that when I go back to librechat, I've got txt page with An unknown error occurred.
And got this in the logs:
error: ErrorController => error invalid response encountered

When I left signing key and encryption key empty in provider's settings, I can login without any issues.
I've tried to run with DEBUG_OPENID_REQUESTS=true, but that's the only error I've got.

Version Information

ghcr.io/danny-avila/librechat-rag-api-dev-lite latest e2105afcb948 8 days ago 1.9GB
ghcr.io/danny-avila/librechat-dev latest 6ae79e5362d5 8 days ago 1.93GB

Steps to Reproduce

1. Follow Authentik OIDC docs
2. Try to login
3. Get error

What browsers are you seeing the problem on?

Firefox

Relevant log output

error: ErrorController => error invalid response encountered

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[GiganticThirstyHerald]

Ok, so I went to check with claude code what can be done with it. This worked for me:

LibreChat/api/strategies/openidStrategy.js

Lines 694 to 703 in cfaa633

	const clientMetadata = {
	client_id: process.env.OPENID_CLIENT_ID,
	client_secret: process.env.OPENID_CLIENT_SECRET,
	};
	if (shouldGenerateNonce) {
	clientMetadata.response_types = ['code'];
	clientMetadata.grant_types = ['authorization_code'];
	clientMetadata.token_endpoint_auth_method = 'client_secret_post';
	}

      694      const clientMetadata = {
      695        client_id: process.env.OPENID_CLIENT_ID,
      696        client_secret: process.env.OPENID_CLIENT_SECRET,
      697 +      response_types: ['code'],
      698 +      grant_types: ['authorization_code'],
      699      };
      700
      701      if (shouldGenerateNonce) {
      700 -      clientMetadata.response_types = ['code'];
      701 -      clientMetadata.grant_types = ['authorization_code'];
      702        clientMetadata.token_endpoint_auth_method = 'client_secret_post';
      703      }

I'm not sure if it's legit issue, I had OPENID_GENERATE_NONCE set to true, but it didn't work until I've added these fields explicitly.

[danny-avila]

Thanks for the report!

The response_types and grant_types fields are already set when OPENID_GENERATE_NONCE=true, which is the same change you're proposing.

It also sounds like DEBUG_OPENID_REQUESTS=true didn't produce any extra output, which suggests your env vars aren't being picked up.

Could you double-check that these are actually set in the running container's environment? (e.g. docker exec <container> env | grep OPENID). Make sure to restart the container after .env changes.