[openidStrategy] only requests to HTTPS are allowed

[qasimk30]

What happened?

I am setting up keycloack with librechat, and followed everything from guide

Version Information

ghcr.io/danny-avila/librechat-dev latest db1d3479aee1 12 days ago 1.11GB
ghcr.io/danny-avila/librechat-rag-api-dev-lite latest 0b5a9e43bafe 2 weeks ago 1.44GB

Steps to Reproduce

my env looks like this
OPENID_ISSUER=http://localhost:8080/realms/realm
OPENID_CLIENT_ID=clientid
OPENID_CLIENT_SECRET=secret
OPENID_SESSION_SECRET=secret
OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_SCOPE="openid profile email"
OPENID_REQUIRED_ROLE=
OPENID_REQUIRED_ROLE_TOKEN_KIND=
OPENID_REQUIRED_ROLE_PARAMETER_PATH=

What browsers are you seeing the problem on?

No response

Relevant log output

im running both librechat and keycloack in docker containers and i get this in my log:
OAUTH_HTTP_REQUEST_FORBIDDEN

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

The OAUTH_HTTP_REQUEST_FORBIDDEN error is thrown by the openid-client library when it receives a non-HTTPS request. While OIDC standards allow HTTP for localhost during development, many client libraries (including openid-client) enforce HTTPS by default for security reasons.

You have a few options to fix this:

Option 1: Use HTTPS (Recommended for production)
Set up Keycloak with HTTPS and update your issuer URL to use https://

Option 2: Docker container networking
Instead of localhost, use your Keycloak container name in the issuer URL:

OPENID_ISSUER=http://keycloak:8080/realms/realm

(Replace keycloak with your actual container name)

Option 3: Host networking
If using Docker Compose, you can use network_mode: host for both containers

---

We can also create a way to bypass the HTTPS strict requirement, but I'm hesitant to implement since it would also introduce a potential attack vector for allow insecure authentication requests.

[qasimk30]

Does this allow effect the MCPOAuth? If yes, how do i fix that, cuz im getting

[MCPOAuth] Failed to initiate OAuth flow
LibreChat | 2025-07-16 10:17:30 error: [MCP][Server] Failed to complete OAuth flow for Server fetch failed

and server log shows:

{"cause":{"code":"ECONNREFUSED"},"level":"error","message":"[MCP][Server] Failed to complete OAuth flow for Server fetch failed","stack":"TypeError: fetch failed\n at node:internal/deps/undici/undici:13510:13\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async Object.registerClient (/app/node_modules/@modelcontextprotocol/sdk/dist/cjs/client/auth.js:328:22)"}

Although my mcp server is working fine through mcp inspector.