Enhancement: Add support for load balancer terminated OIDC authentication

[jameslamine]

Summary

Add support for OIDC authentication when it's terminated at the load balancer level. The load balancer handles the OIDC handshake and passes authenticated user information via OIDC headers. LibreChat never sees the OIDC flow, it just sees the resulting headers.

All unauthenticated traffic is rejected at the load-balancer level, so LibreChat will never see an unauthenticated user save for calls to /health and similar.

Details

Currently, LibreChat supports direct OIDC integration, but our company uses a load balancer to handle OIDC authentication. Unauthenticated users are rejected by the load balancer and never make it to the application.

Authenticated users are proxied to the application with OIDC headers added. We also need the ability to customize the header names, since they have a company-specific prefix.

Requirements:

1. Support configurable header names for:
   • Access token header (example: xxx-oidc-accesstoken)
   • Identity/subject header (example: xxx-oidc-identity)
   • User claims/data header (example: xxx-oidc-data)

Either via environment variables, or librechat.yml

2. Automatic, just-in-time user account creation on first access using the information from these headers

User Profile Creation:

• Extract email from sub claim in access token
• Generate display name from email (e.g., "[email protected]" → "Mary Smith")

3. Do not verify the headers
   Since the load balancer handles the OIDC handshake and validation, you can assume the headers are valid. Everything should work even without OPENID_CLIENT_SECRET, OPENID_CLIENT_ID and OPENID_SESSION_SECRET

Note that there's no callback URL - the callback happens at the load balancer level.

More details

Relevant fields in the OIDC headers. My guess is LibreChat's existing OIDC supports this, but for completeness:
xxx-oidc-accesstoken payload:

• sub - user's email
• uid - internal user id. You could use this if you want, but don't have to. Totally fine to ignore.

Which components are impacted by your request?

General

Pictures

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[jameslamine]

Closing. I ended up just using LibreChat's native oidc