OAuth2 Redirect Causes CORS Error When Session is Missing and API is Accessed via XHR/Fetch

[hiep0810]

What happened?

I'm self-hosting LibreChat with Google OAuth2 enabled.

After logging in successfully, when the __Host-GCP_IAP_AUTH_TOKEN cookie expires (e.g., after fully closing the browser, since its expiration is tied to the session), any subsequent XHR/fetch request to the backend (e.g., loading conversations) triggers a redirect to the Google OAuth2 authorization URL. However, this redirect causes a CORS error in the browser console, and the frontend shows a blank screen instead of gracefully redirecting to the login page.

Version Information

• LibreChat v0.7.8

• Deployed via Docker

• Auth method: Google OAuth2 (IAP-style)

Steps to Reproduce

1. Log in to LibreChat using Google OAuth2.
2. Fully close the browser to expire the __Host-GCP_IAP_AUTH_TOKEN session cookie.
3. Reopen the browser and go to the LibreChat page.
4. Observe the following:
   • The request is redirected to the OAuth2 login URL (e.g., https://accounts.google.com/o/oauth2/v2/auth?...).
   • The browser console shows a CORS error.
   • The UI fails to recover (white screen, no redirect or fallback).

What browsers are you seeing the problem on?

Chrome, Safari

Relevant log output

Access to XMLHttpRequest at 'https://accounts.google.com/o/oauth2/v2/auth...' (redirected from 'https://my-domain.io/api/roles/ADMIN') from origin 'https://my-domain' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

This is expected behavior as Google's OAuth2 endpoints don't support CORS, so XHR requests redirected to their authorization URLs are blocked by design. LibreChat does not use CORS.

Also I suggest updating to the latest version:
https://www.librechat.ai/docs/local/docker#update-librechat

[hiep0810]

Do you have any suggestion to handle this?