Openid oauth error WWWAuthenticateChallengeError

[gmerritt]

What happened?

Our openid authentication has been working fine through 0.7.8 release; jumping to commit 6bb7824 6bb7824 gives the user Internal server error upon authentication attempt, and librechat reports the following (reverse time order logs, most-recent message at the top!)

WWWAuthenticateChallengeError: server responded with a challenge in the WWW-Authenticate HTTP Header
at checkAuthenticationChallenges (file:///app/node_modules/oauth4webapi/build/index.js:1207:15)
at processGenericAccessTokenResponse (file:///app/node_modules/oauth4webapi/build/index.js:1140:5)
at processAuthorizationCodeOAuth2Response (file:///app/node_modules/oauth4webapi/build/index.js:1373:26)
at Module.processAuthorizationCodeResponse (file:///app/node_modules/oauth4webapi/build/index.js:1317:12)
at Module.authorizationCodeGrant (file:///app/api/node_modules/openid-client/build/index.js:934:21)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async CustomOpenIDStrategy.authorizationCodeGrant (file:///app/api/node_modules/openid-client/build/passport.js:135:28)
2025-06-04T15:07:14.915Z debug: X-Forwarded headers detected in OAuth request:
{
x-forwarded-for: <redcated_ip_address",
x-forwarded-proto: "https",
}
2025-06-04T15:07:14.770Z debug: X-Forwarded headers detected in OAuth request:

(FWIW I tried TRUST_PROXY=1 (and even TRUST_PROXY=5) for my AWS ECS deployment behind an ALB, but that does not fix.)

Version Information

Commit 6bb7824

Steps to Reproduce

1. Enjoy working openid authentication in 0.7.8
2. Update LC to commit 6bb7824
3. Find openid authentication broken as described

What browsers are you seeing the problem on?

Chrome

Relevant log output

Reverse time order!


WWWAuthenticateChallengeError: server responded with a challenge in the WWW-Authenticate HTTP Header
at checkAuthenticationChallenges (file:///app/node_modules/oauth4webapi/build/index.js:1207:15)
at processGenericAccessTokenResponse (file:///app/node_modules/oauth4webapi/build/index.js:1140:5)
at processAuthorizationCodeOAuth2Response (file:///app/node_modules/oauth4webapi/build/index.js:1373:26)
at Module.processAuthorizationCodeResponse (file:///app/node_modules/oauth4webapi/build/index.js:1317:12)
at Module.authorizationCodeGrant (file:///app/api/node_modules/openid-client/build/index.js:934:21)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async CustomOpenIDStrategy.authorizationCodeGrant (file:///app/api/node_modules/openid-client/build/passport.js:135:28)
2025-06-04T15:07:14.915Z debug: X-Forwarded headers detected in OAuth request:
{
x-forwarded-for: <redcated_ip_address",
x-forwarded-proto: "https",
}
2025-06-04T15:07:14.770Z debug: X-Forwarded headers detected in OAuth request:

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[gmerritt]

A note from a person on the team that runs our authentication service:

I don't think our IdP uses that header during the login flow so I'm not clear which "server" the error is referring to.

[danny-avila]

According to openid-client docs, it's usually due to bad credentials (secrets, client id).

https://github.com/panva/openid-client/blob/main/docs/classes/WWWAuthenticateChallengeError.md

We did upgrade openid-client to the latest version which did cause a breaking change for some providers, resolved already in this discussion:
#7520

Can you share any reproduction of the connection with the IdP so I can test this myself? Maybe the fix itself is what breaks it (adding the state parameter to the authentication request).

[gmerritt]

FWIW our admin set our dev authentication profile to client_secret_post but we experience the same error behavior.

[gmerritt]

The Internal server error dead-ends on a callback?code=OC-149-dv5N... url on our librechat; our admin tells me that at this point "the OIDC client is supposed to exchange the auth code for an identity token"

[danny-avila]

Hi @gmerritt

I would like to help you resolve this, feel free to send an email if you can share any of the authentication configuration.

Otherwise, if you could point me to the IdP being used, that would also be helpful.

I'm keen on rolling back the version of openid-client to avoid issues like this, and then still have the newer version for the reasons we need it.