"Bad Request: TokenError" during Google OAuth login with nginx ingress

[Prabjot2507]

What happened?

Issue Description

Experiencing a "Bad Request: TokenError" during Google OAuth login with LibreChat running behind an NGINX ingress controller in Kubernetes. The OAuth flow initiates correctly and redirects to Google, but fails during the callback phase with a token error.

Error Details

Error Message:

TokenError: Bad Request
    at OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:373:12)
    at OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:420:16)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:196:18
    at passBackControl (/app/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:536:35)
    at endReadableNT (node:internal/streams/readable:1698:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

Environment Configuration

Kubernetes Setup

• Ingress Controller: NGINX Ingress Controller
• SSL: Valid SSL certificate with proper domain verification
• Domain: chat.domain.com (accessible and working for other applications)

LibreChat Configuration

values.yaml:

env:
  PROXY: "true"
  TRUST_PROXY: "true"
  GOOGLE_CLIENT_ID: "your-client-id"
  GOOGLE_CLIENT_SECRET: "your-client-secret"
  GOOGLE_CALLBACK_URL: "https://chat.domain.com/oauth/google/callback"

ingress:
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $http_host;

Google OAuth Configuration

• OAuth Consent Screen: Properly configured with domain
• Authorized Domains: chat.domain.com included
• Authorized Redirect URIs: https://chat.domain.com/oauth/google/callback
• Other Applications: Using the same OAuth consent screen work correctly

Troubleshooting Steps Taken

1. Verified OAuth Configuration

• ✅ Google OAuth app settings are correct
• ✅ Callback URL matches exactly
• ✅ Domain is properly verified
• ✅ SSL certificate is valid
• ✅ Other applications using same OAuth work fine

2. Environment Variables

• ✅ PROXY=true - Enables proxy support
• ✅ TRUST_PROXY=true - Trusts proxy headers
• ✅ All OAuth environment variables properly set

3. NGINX Configuration Verification

The NGINX configuration shows correct proxy headers:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;

Additional Context

• LibreChat Version: v0.7.8
• Kubernetes Version: 1.31
• NGINX Ingress Version: Latest stable
• OAuth Provider: Google OAuth 2.0

Version Information

v0.7.8

Steps to Reproduce

As mentioned in https://www.librechat.ai/docs/configuration/authentication/OAuth2-OIDC/google

What browsers are you seeing the problem on?

No response

Relevant log output

TokenError: Bad Request
    at OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:373:12)
    at OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:420:16)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:196:18
    at passBackControl (/app/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:536:35)
    at endReadableNT (node:internal/streams/readable:1698:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Google OAuth login is working perfectly on my end, it must be a configuration issue on your end. Please make sure you are following this correctly:

https://www.librechat.ai/docs/configuration/authentication/OAuth2-OIDC/google

[Prabjot2507]

Yess followed everything correctly , Just instead of using external oauth screen we use internal oauth screen in all application this should not be the issue ?

[Prabjot2507]

Fixed the issue , was missing allow social registration env variable