OAuth flow Agent Action is not passing Basic Authorization Headers to the token endpoint

[roman-doubrava]

What happened?

In a OAuth flow Agent Action is not passing Basic Authorization Headers to the token endpoint after successfully receiving auth code from authorization endpoint.

1. We have configured an Action with OpenAPI Spec and configured oAuth + Basic Authorization Headers

2. the oAuth Flow starts and the button we can open the Auth

3. After we confirm the API Access in the new browser tag we are redirected to the action callback URL but it gives an error:

https://ai.data-business.de/api/actions/okkzXNwmQB_84V7eG-P5Q/oauth/callback?code=F1HoTLJDH9CR4Kiz3EHnQWWJm-DeP1ojEKLsS9t3yE7OGvy8&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6ImNYOGZpNEV5cHhZaHA5LWZpUUo4RyIsInVzZXIiOiI2NjI3OWE0NjMwYmI5NjIyNzA3ZjU0MmQiLCJhY3Rpb25faWQiOiJva2t6WE53bVFCXzg0VjdlRy1QNVEiLCJpYXQiOjE3NDk2NzQ3OTgsImV4cCI6MTc0OTY3NTM5OH0.TWXtyH4_Z-Z7nBH0S5A6QxnZ1_LFqxxzX71Dsq91bqk
Authentication failed. Please try again.

4. In our Backend OpenAPI endpoint we have traced the request and can see that the Basic Authorization Headers are not passed into the token Endpoint and therefore the token exchange fails with HTTP 401 Unauthorized

5. We have simulated the oAuth flow succesfully with a small snippet which sets the Authorization headers like this:

// Step 3: Exchange code for token
console.log('\nExchanging code for token...');

const auth = Buffer.from(${CLIENT_ID}:${CLIENT_SECRET}).toString('base64');

try {
const response = await axios.post(
TOKEN_URL,
new URLSearchParams({
grant_type: 'authorization_code',
code: code,
redirect_uri: REDIRECT_URI
}),
{
headers: {
'Authorization': Basic ${auth},
'Content-Type': 'application/x-www-form-urlencoded'
},
httpsAgent: new https.Agent({ rejectUnauthorized: false })
}
);

Could it be that the Basic Auth headers are missing in the librechat Action oAuth flow ?

Version Information

6488873

Steps to Reproduce

1. Configure Action + OAuth + Basic Authorization Headers
2. Call Action with a prompt
3. OAuth Flow starts and callback url is returned

What browsers are you seeing the problem on?

Chrome

Relevant log output

{"level":"debug","message":"[oauth_login:66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q:oauth_login:a28da398-c77c-424b-b020-48aad50d48b6:5c40776a-ed46-4d68-9b76-2bcedf2b51f9] Creating initial flow state","timestamp":"2025-06-11T20:35:02.603Z"}
{"action_id":"okkzXNwmQB_84V7eG-P5Q","identifier":"66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q","level":"debug","message":"Sent OAuth login request to client","timestamp":"2025-06-11T20:35:02.604Z"}
{"action_id":"okkzXNwmQB_84V7eG-P5Q","identifier":"66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q","level":"debug","message":"Waiting for OAuth Authorization response","timestamp":"2025-06-11T20:35:02.605Z"}
{"0":"o","1":"a","10":"9","11":"a","12":"4","13":"6","14":"3","15":"0","16":"b","17":"b","18":"9","19":"6","2":"u","20":"2","21":"2","22":"7","23":"0","24":"7","25":"f","26":"5","27":"4","28":"2","29":"d","3":"t","30":":","31":"o","32":"k","33":"k","34":"z","35":"X","36":"N","37":"w","38":"m","39":"Q","4":"h","40":"B","41":"_","42":"8","43":"4","44":"V","45":"7","46":"e","47":"G","48":"-","49":"P","5":":","50":"5","51":"Q","6":"6","7":"6","8":"2","9":"7","level":"debug","message":"Creating initial flow state:","timestamp":"2025-06-11T20:35:02.856Z"}
{"level":"debug","message":"[oauth:66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q] Flow state elapsed time: 2000, checking again...","timestamp":"2025-06-11T20:35:04.859Z"}
{"level":"debug","message":"[oauth:66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q] Flow state elapsed time: 4000, checking again...","timestamp":"2025-06-11T20:35:06.859Z"}
{"level":"debug","message":"[oauth:66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q] Flow state elapsed time: 6000, checking again...","timestamp":"2025-06-11T20:35:08.859Z"}
{"level":"debug","message":"[oauth:66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q] Flow state elapsed time: 8000, checking again...","timestamp":"2025-06-11T20:35:10.860Z"}
401 error, refreshing token
{"level":"error","message":"Error exchanging OAuth code An error occurred while setting up the request: Invalid URL","stack":"TypeError: Invalid URL\n    at new URL (node:internal/url:818:25)\n    at dispatchHttpRequest (/usr/local/LibreChat/node_modules/axios/dist/node/axios.cjs:2783:20)\n    at /usr/local/LibreChat/node_modules/axios/dist/node/axios.cjs:2703:5\n    at new Promise ...","timestamp":"2025-06-11T20:35:12.220Z"}
{"level":"error","message":"Error in OAuth callback: Error exchanging OAuth code An error occurred while setting up the request: Invalid URL","stack":"Error: Error exchanging OAuth code An error occurred while setting up the request: Invalid URL\n    at getAccessToken (/usr/local/LibreChat/api/server/services/TokenService.js:160:11)\n    at process.processTicksAndRejections (node:internal/process/task_que...","timestamp":"2025-06-11T20:35:12.220Z"}
{"level":"debug","message":"[oauth:66279a4630bb9622707f542d:okkzXNwmQB_84V7eG-P5Q] Flow completed","timestamp":"2025-06-11T20:35:12.860Z"}
{"level":"error","message":"Failed to authenticate OAuth tool Error exchanging OAuth code An error occurred while setting up the request: Invalid URL","stack":"Error: Error exchanging OAuth code An error occurred while setting up the request: Invalid URL\n    at G.<anonymous> (/usr/local/LibreChat/packages/api/dist/index.js:1:27020)\n    at Generator.next (<anonymous>)\n    at o (/usr/local/LibreChat/packages/api/d...","timestamp":"2025-06-11T20:35:12.862Z"}
{"level":"error","message":"API call to s23.local.com failed: An error occurred while setting up the request: Authentication failed: Failed to authenticate OAuth tool","stack":"Error: Authentication failed: Failed to authenticate OAuth tool\n    at _call (/usr/local/LibreChat/api/server/services/ActionService.js:300:17)\n    at async DynamicStructuredTool.call (/usr/local/LibreChat/node_modules/@langchain/core/dist/tools/index.cjs...","timestamp":"2025-06-11T20:35:12.862Z"}
{"completionTokens":244,"level":"debug","message":"[spendTokens] conversationId: a28da398-c77c-424b-b020-48aad50d48b6 | Context: message | Token usage: ","promptTokens":1110,"timestamp":"2025-06-11T20:35:17.069Z"}
{"completionTokens":152,"level":"debug","message":"[spendTokens] conversationId: a28da398-c77c-424b-b020-48aad50d48b6 | Context: message | Token usage: ","promptTokens":1664,"timestamp":"2025-06-11T20:35:17.070Z"}

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[roman-doubrava]

Maybe related to this code place:

LibreChat/packages/data-provider/src/actions.ts

Line 285 in 6488873

this.authHeaders['Authorization'] = `Bearer ${this.authToken}`;

[danny-avila]

Hi @roman-doubrava

I'm taking a second look at this, thanks for your report!

[roman-doubrava]

@danny-avila we found and tested a possible fix here:

LibreChat/api/server/services/TokenService.js

Line 122 in 6488873

const getAccessToken = async ({

`
const getAccessToken = async ({
code,
userId,
identifier,
client_url,
redirect_uri,
encrypted_oauth_client_id,
encrypted_oauth_client_secret,
}) => {
const oauth_client_id = await decryptV2(encrypted_oauth_client_id);
const oauth_client_secret = await decryptV2(encrypted_oauth_client_secret);

// Create Basic Auth header
const basicAuth = Buffer.from(${oauth_client_id}:${oauth_client_secret}).toString('base64'); // Added Basic Auth header

const params = new URLSearchParams({
code,
client_id: oauth_client_id,
client_secret: oauth_client_secret,
grant_type: 'authorization_code',
redirect_uri,
});

try {
const response = await axios({
method: 'POST',
url: client_url,
headers: {
'Authorization': Basic ${basicAuth}, // Added Basic Auth header
'Content-Type': 'application/x-www-form-urlencoded',
Accept: 'application/json',
},
data: params.toString(),
});

await processAccessTokens(response.data, {
  userId,
  identifier,
});
logger.debug(`Access tokens successfully created for ${identifier}`);
return response.data;

} catch (error) {
const message = 'Error exchanging OAuth code';
throw new Error(
logAxiosError({
message,
error,
}),
);
}
};
`

I think it will be needed also in the refresh token method...

[danny-avila]

Thanks, indeed this is missing. This part of the OAuth flow has not been implemented and fell off my radar due to little use.

I was able to patch this up quickly, testing with Spotify API which uses Basic for Token Exchange Method:

Will have this merged tonight, thank you for reporting it.