ADFS (email can't be blank)

[veix90]

Hi!

I am struggling with getting AD users to log in to LibreChat passwordless. I have configured LDAP_ and OPENID_ parameters.
I can login with AD username and AD password. If I use "Continue with OpenID" login button, then "Internal server error" is shown.
In the debug.log file are lines:
info: user not found with openidId: 324tguh4k....
info: user not found with email: undefined for openidId: 324tguh4k....
error: logon failed User validation failed: email: can't be blank

I have tried different ADFS Issuance Tranform Rules and different LDAP_ parameters changing username vs email values, nothing.
Has anyone gotten it work and can share settings or how to debug for more?

[veix90]

For a week I have been trying various settings, but must be missing something or it is not possible. I will write all info here, maybe somebody will help me.

When doing SSO with ADFS, the into browser is displayed Internal Server Error

I will post some config and logs from test setup - they are not edited.
$docker logs LibreCHat:

2025-02-06 14:53:55 info: [openidStrategy] verify login openidId: 4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=
2025-02-06 14:53:55 info: [openidStrategy] user not found with openidId: 4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=
2025-02-06 14:53:55 info: [openidStrategy] user not found with email: undefined for openidId: 4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=
2025-02-06 14:53:55 error: [openidStrategy] login failed User validation failed: email: can't be blank
ValidationError: User validation failed: email: can't be blank
    at Document.invalidate (/app/node_modules/mongoose/lib/document.js:3334:32)
    at /app/node_modules/mongoose/lib/document.js:3095:17
    at /app/node_modules/mongoose/lib/schemaType.js:1407:9
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)

debug.log:

2025-02-06T14:53:55.286Z info: [openidStrategy] verify login openidId: 4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=
2025-02-06T14:53:55.287Z debug: [openidStrategy] very login tokenset and userinfo
{
    tokenset.access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImRIRGQ5ZWs3ZmMzOXRFZkQyajVHdXhwSzcwRSIsImtpZCI6ImRIRGQ5... [truncated]",
    tokenset.token_type: "bearer",
    tokenset.expires_at: 1738857235,
    tokenset.resource: "2962946f-f01f-419d-8d75-12c5424b4adf",
    tokenset.refresh_token: "pk9KlyHHJt6XHBHVSH2PZpln-iLzb3a4rVGDpSCL8iEAAgAAmGFcLQQTTaVmy2fYdkL1m_sQ3I7YEV5I534NLYOGW6BcV6P6e9ty... [truncated]",
    tokenset.refresh_token_expires_in: 28799,
    tokenset.scope: "email profile openid",
    tokenset.id_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImRIRGQ5ZWs3ZmMzOXRFZkQyajVHdXhwSzcwRSIsImtpZCI6ImRIRGQ5... [truncated]",
    userinfo.sub: "4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=",
}
2025-02-06T14:53:55.290Z info: [openidStrategy] user not found with openidId: 4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=
2025-02-06T14:53:55.304Z info: [openidStrategy] user not found with email: undefined for openidId: 4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=
2025-02-06T14:53:55.306Z error: [openidStrategy] login failed User validation failed: email: can't be blank

.env:

HOST=localhost
PORT=3080
DOMAIN_CLIENT=http://docker.ad.com:3080
DOMAIN_SERVER=http://docker.ad.com:3080
ALLOW_EMAIL_LOGIN=true
ALLOW_REGISTRATION=true
ALLOW_SOCIAL_LOGIN=true
ALLOW_SOCIAL_REGISTRATION=true
ALLOW_UNVERIFIED_EMAIL_LOGIN=true
OPENID_CLIENT_ID=2962946f-f01f-419d-8d75-12c5424b4adf
OPENID_CLIENT_SECRET=hZ5TEqiDhNKndHTnJiyr80dyNWQJlXdf_6TGSQWq
OPENID_ISSUER=https://adfs.ad.com/adfs
OPENID_SESSION_SECRET=asdfasdf
OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_REQUIRED_ROLE=
OPENID_REQUIRED_ROLE_TOKEN_KIND=
OPENID_REQUIRED_ROLE_PARAMETER_PATH=
# Set to determine which user info property returned from OpenID Provider to store as the User's username
OPENID_USERNAME_CLAIM=
# Set to determine which user info property returned from OpenID Provider to store as the User's name
OPENID_NAME_CLAIM=
OPENID_BUTTON_LABEL="ADFS"
OPENID_IMAGE_URL=

If I check the ADFS server debug event logs, there is event 1000 about input claims. If I check other openid clients in ADFS server event log, then logs are very similar.

I have read, that problem could be that id_token contains only sub claim and no email or any other claims. They should be included in the access_token claims part... Can somebody confirm it?

LibreChat docker is with minimal setup - no SSL, no engines. LDAP is configured, but I guess for ADFS I do not need it.

ADFS server is configured for automatic login (WIA) so I do not have to insert username and password.

What could help me forward - how can I check id_token for what it contains. It is not possible to capture it if the LibreChat application does not log in?

Only ADFS transform rule, I need is like this?

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

[veix90]

Little more progress. I learned to view token. If I visit link with app id:
https://adfs.ad.com/adfs/oauth2/authorize?client_id=2962946f-f01f-419d-8d75-12c5424b4adf&response_type=id_token&redirect_uri=http://ubuntu.ad.com:3080/oauth/openid/callback&scope=openid%20email%20profile%20allatclaims&nonce=123456

then the familiar error is diplayed but I will be returned to web page:
http://ubuntu.ad.com:3080/oauth/openid/callback?code=V9fI8BTbAU2K3fonC3CxIg.QJuD73dR3QgCAGr2IZmbWVoJ0Ls.pFKiAzPW2kluuSYzyuXOpxECWbsWRAg1N3OgkDF5WiQMyeVZMzKiCV_j72qWqLrXJ2y_gQNAdvRMckW8js3Nek7gP5MYwyCULwhlDX-dZiHqEEN4yCwJsnAVEnvN1Z7qGlrTP0Rdrp5C0yjZImrMT5Mvm9gytav5R6O04RlyPL-yJS6lFTQq0o6dSzYwBNfYywl-Ad68Hu-L-kEaesunIfjxT8fCibjVH-Jg_EKwQVh-9zKt7bVN-1Iw9o3eC6rUNzsC_VYEQ22UmvaLfLNRk7fRD9qqe_lhDQnsQfscxY4wRvP7mxSstQkVRRNk8SCb-p3CVYl37YPl7R9-kdzKMniEQPX7hAuX3Ev1-_kbAnXs-x9nU3vs8fJu9aDIPWXSo6-ZEAROq05y2xkjCp3BBSow2iW7YChHY1i-SXhCPfYlgCiuUBrk5WwX5ipLTBzYeXuZ-eosCf_TcwwcdVGzrynv1UXd8WDa7gAz6OuHyezoM3oukpwK-etKTFlGgAmAujJh_rDv9OuEcOuVIoybTaGou3PSROCSjiUg_gKLJtVGYLBaiVCGu1KVRJadeba49uux9Tb_Q3OFeBxP7xC19-b1S9JaaUclP3leEp4RBCUcqZwA6aCfQrv-u98NsiEZpczxrGuKnsicTMmRX0rZkKfCZ2D62lJufr2ZOUfqzIM&state=ax4rXiEAtzx3BffWiCL4W-2wld_09bgJT1i3a4_cKeQ#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImRIRGQ5ZWs3ZmMzOXRFZkQyajVHdXhwSzcwRSIsImtpZCI6ImRIRGQ5ZWs3ZmMzOXRFZkQyajVHdXhwSzcwRSJ9.eyJhdWQiOiIyOTYyOTQ2Zi1mMDFmLTQxOWQtOGQ3NS0xMmM1NDI0YjRhZGYiLCJpc3MiOiJodHRwczovL2FkZnMuYWQuY29tL2FkZnMiLCJpYXQiOjE3NDAwMzI5NzEsIm5iZiI6MTc0MDAzMjk3MSwiZXhwIjoxNzQwMDM2NTcxLCJhdXRoX3RpbWUiOjE3NDAwMzI5NDgsIm5vbmNlIjoiMTIzNDU2Iiwic3ViIjoiNFFnd01NbGdraDU0K1RBaCtSVXFCZ091bE5QdkxTREhndmFKbFdxK2Y4dz0iLCJ1cG4iOiJhZG1pbmlzdHJhdG9yQGFkLmNvbSIsInVuaXF1ZV9uYW1lIjoiQURcXEFkbWluaXN0cmF0b3IiLCJzaWQiOiJTLTEtNS0yMS0xOTA1NzQ1ODEzLTQ2Nzc2ODQ4NS00MDkwODg3OTQyLTUwMCJ9.i5WWajFMaELyobKWCvPEId_9ppYDjfLDZvOdTkPg6m1JotQ7uYE-dQ6Y7RuTffEzNbDj-q9RXWXM8k0kHXtPjzyXKDtDJOOqLmBWkziAN6cpkk0kHEutccCQnmPFEIPsOla9a9rwfq-9IozlCudD0RFxDIvCjAe7jdCmkr2ZuNnWODLSQrAwPz-ly68kNeQZRVanbWYCxF_YF4RqKmeks_wSRBAyKf07vd9xpIpiVdouQhOo0Zxs0ym2Yt19WTlBDu7lb7I2_Y2-JGSibE_LQO1Dqr-8Vit4usFrBu7KIVAVMnNQPy9oxF78bupjSGLd4eG5uNj-wFkZJStqCz00vBV9eG3v-QR4EfVfZWJeO_UTO7e6kh0zs2bd_gs50a0NrpO-ZxwyDDFL00s1_dDTahHT47clnUq4gOKGV6u4SlglVw-IJ_QsxFutYLEMUCiM8KJ2lBncVtM5tulm7rsoZ6-bL_eRov0eNDjilixT4OmLGMhy_iwUOdtxQUNehgKincMRv9ezL_L9zqQvQWGV7LEtPKrbdDuGFc4OuhiLp8xTAtJdYTBXd5A2AXh_1dyd0xFq4FIYek6tMsPKdzGj-t8n4Dr-Kh9BkNsdEkjpmP9H5ntjPZqS2PAp5w9OP5V69TNbF0XpmQXEVwh2ZoJYoVS-gZrnb2rPmba2G0NagYQ

Part after "id_token=" I copy and paste to jwt.io for decoding the id_token:
HEADER:

{
"typ": "JWT",
"alg": "RS256",
"x5t": "dHDd9ek7fc39tEfD2j5GuxpK70E",
"kid": "dHDd9ek7fc39tEfD2j5GuxpK70E"
}
PAYLOAD:

{
"aud": "2962946f-f01f-419d-8d75-12c5424b4adf",
"iss": "https://adfs.ad.com/adfs",
"iat": 1740032971,
"nbf": 1740032971,
"exp": 1740036571,
"auth_time": 1740032948,
"nonce": "123456",
"sub": "4QgwMMlgkh54+TAh+RUqBgOulNPvLSDHgvaJlWq+f8w=",
"upn": "[email protected]",
"unique_name": "AD\Administrator",
"sid": "S-1-5-21-1905745813-467768485-4090887942-500"
}

Now no matter how many rules in the ADFS server I try I cannot manage to change the PAYLOAD fields on the token at all. I understand I need "mail" field/claim.

[alfo-dev]

@VeiX: I got ADFS to work. The OpenID strategy in LibreChat natively supports this, it's all an ADFS configuration issue. The steps are:

1. Create an ADFS Web API with the scopes: allatclaims, email, openid, profile
2. Create an ADFS server application in the same application group of the Web API, use the same identifier as for the Web API
3. Add claims to the Web API - e.g. “E-Mail Addresses” – “E-Mail Address”
4. Configure LibreChat with OPENID_SCOPE="allatclaims email openid profile"

@danny-avila: Shall I provide a more detailed PR to the docs?