Solution: Preventing Entra Access Token Expiration on Authenticated Entra App Proxy causing CORS errors for LibreChat

[JasperE84]

The following PowerShell commands configure Entra to extend the access token lifetime specifically for the LibreChat application (or any other Entra application).
Documentation or examples on this specific configuration scenario (LibreChat + Entra authenticated reverse proxy + CORS issues) is scarce online. I hope this helps others facing similar issues.

• This configuration applies only to the specific Entra application where your Entra App Proxy with authentication (so not pass through mode) for LibreChat are configured
• It does not affect token expiration for other applications in your tenant
• This resolved the CORS errors that were requiring manual application reloads
• Make sure you don't have additional Entra Conditional Access rules cutting off the entra access token despite this setting.

Problem

When LibreChat is configured behind an Entra (formerly Azure AD) reverse proxy with authentication:

• The Entra access token expires after 60-90 minutes
• This causes API calls to fail, resulting in CORS errors
• Users must manually reload the application to continue using it (Librechat shows an error with the message user should try refreshing the page)
• This occurs even when the app proxy is configured as "persistent"

PS C:\Users\usrnm> Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.Read.All"

PS C:\Users\usrnm> $params = @{
     Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:59:59"}}')
     DisplayName = "PreventCorsPolicy-24HoursToken"
     IsOrganizationDefault = $false
 }

PS C:\Users\usrnm> New-MgPolicyTokenLifetimePolicy -BodyParameter $params
PS C:\Users\usrnm> $policy = Get-MgPolicyTokenLifetimePolicy -Filter "displayName eq 'PreventCorsPolicy-24HoursToken'"
PS C:\Users\usrnm> $application = Get-MgApplication -Filter "displayName eq 'INSERT_NAMEOFLIBRE_ENTRA_APPLICATION_HERE'"

PS C:\Users\usrnm> Write-Host "Found Application ID: $($application.Id)"
PS C:\Users\usrnm> Write-Host "Found Policy ID: $($policy.Id)"

PS C:\Users\usrnm> $ref = @{"@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"}
PS C:\Users\usrnm> New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $application.Id -BodyParameter $ref

PS C:\Users\usrnm> Get-MgApplicationTokenLifetimePolicy -ApplicationId $application.Id | Format-Table Id, DisplayName

Id                                   DisplayName
--                                   -----------
aaaaaaaa-1a80-48aa-bc48-06e4dsdwe23d PreventCorsPolicy-24HoursToken

[danny-avila]

You can set the LC session expiry time, maybe align it as much as possible (scroll to "Session and Refresh Token Settings:")
https://www.librechat.ai/docs/configuration/dotenv#registration-and-login

Also, I know your auth. scenario is different, but when using Entra via OpenID, there's an option to reuse auth tokens, so sessions are tied to auth tokens from Entra:
https://www.librechat.ai/docs/configuration/authentication/OAuth2-OIDC/token-reuse

[danny-avila]

Also I appreciate you documenting your process, thank you!

[JasperE84]

Thanks, I changed the text to put better emphasis on that this solution is about the auth session with the app proxy, not the auth session with oidc at LC. Currently thats functioning great now.

I have configured the refresh token settings to align with my current Entra token (e.g. equal to the 24hrs of the entrance token), but I didnt know about the reuse token settings. I'll make sure to experiment with that when I get a chance to.

The way I've set it up now is I created an Entra app proxy in Entra first which makes it possible to reach LC from the internet without any portforwards on the local firewall. Because I enabled auth in the app proxy (so not using pass through mode), only known users on my Entra tenant can even reach the LC instance authentication page.

Adding an Entra app proxy, actually creates a enterprise app for LC in Entra. I then enabled single sign on on that app in Entra, and configured OIDC in LC, so that when the user is authed with the Entra reverse proxy, the user is also automatically authed using OIDC with LC (pressing log in with openid button does not prompt for user/pass again but works with the Entra token already set during Entra app proxy auth).

I apply this to most of the apps I can expose through app proxies. I really like the extra layer of security this provides, making any vulnerability in exposed apps only exploitable by approved Entra users (which in my case requires MDM compliant company owned devices).