OIDC login fails with 401 in v0.7.9 – previously worked in v0.7.8 using client_secret_basic

[munsteraner]

Hi,

after successfully running LibreChat v0.7.8 with an OpenID Connect (OIDC) login via a SATOSA-based OIDC proxy, I’m encountering a 401 Unauthorized error after upgrading to v0.7.9 using the new helm chart "librechat-1.8.9":

Environment:

• LibreChat deployed via Helm in Kubernetes
• Upgraded from v0.7.8 → v0.7.9
• Authentication via OpenID Connect (OIDC)
• Reverse proxy: Istio Gateway + VirtualService
• External OIDC provider using standard endpoints (discovery + token)

---

🔧 OIDC Setup

The following environment variables are configured:

librechat:
  configEnv:
    ALLOW_SOCIAL_LOGIN: "true"
    ALLOW_REGISTRATION: "false"
    ALLOW_EMAIL_LOGIN: "false"

    OPENID_ISSUER: https://auth.example.org
    OPENID_TOKEN_ENDPOINT_AUTH_METHOD: client_secret_basic
    OPENID_AUTHORIZATION_URL: https://auth.example.org/saml2/oidc/authorization
    OPENID_TOKEN_URL: https://auth.example.org/oidc/token
    OPENID_USERINFO_URL: https://auth.example.org/oidc/userinfo
    OPENID_CALLBACK_URL: /oauth/openid/callback
    OPENID_SCOPE: "openid profile email"
    OPENID_IDENTIFIER_KEY: email
    OPENID_DISPLAY_LABEL: "SSO Login"
    OPENID_PROMPT: login

    DEBUG_OPENID_REQUESTS: "true"
    DEBUG: openid-client:*
    DEBUG_CONSOLE: "true" 

The OPENID_CLIENT_ID and OPENID_CLIENT_SECRET are inside my k8s secret and can be read in the container. This is also enabled :

  librechat:
    existingSecretName: "librechat-credentials-env"

The image is also set correctly:

image:
  registry: ghcr.io
  repository: danny-avila/librechat
  tag: v0.7.9

OIDC login worked correctly with v0.7.8.
After upgrading to v0.7.9, the login still redirects to the identity provider, but fails during the token exchange phase. This is the log output:

2025-07-25T14:12:52.036Z debug: [openidStrategy] Request to: https://auth.example.org/oidc/token
2025-07-25T14:12:52.036Z debug: [openidStrategy] Request method: POST
2025-07-25T14:12:52.037Z debug: [openidStrategy] Request headers: No headers available
2025-07-25T14:12:52.037Z debug: [openidStrategy] Request body: redirect_uri=https...(removed to not show url) [truncated]
2025-07-25T14:12:52.080Z debug: [openidStrategy] Response status: 401 Unauthorized
2025-07-25T14:12:52.081Z debug: [openidStrategy] Response headers: {"access-control-allow-origin":"*","content-type":"application/json","date":"Fri, 25 Jul 2025 14:12:52 GMT","server... [truncated]
2025-07-25T14:12:52.085Z error: ErrorController => error server responded with an error in the response body

Changing the auth method to client_secret_post makes no difference. The same credentials work in the earlier version.

Does anyone of you has a clue what changed from 0.7.8 to 0.7.9? Maybe you can help me. Many thanks!

[danny-avila]

Does anyone of you has a clue what changed from 0.7.8 to 0.7.9?

We have upgraded the library openid-client which is now stricter with OIDC handshakes and will error if anything is non-compliant. We made some workarounds to help improve compatibility, especially in cases like yours where it worked before, so we'd be open to helping resolve.

First off, it'd be helpful to see the full output of your logs:

Log locations:

• Docker: Project root directory ./logs
• npm: ./api/logs

There are two types of logs that can help diagnose the issue:

• debug logs (debug-YYYY-MM-DD.log)
• error logs (error-YYYY-MM-DD.log)

Error logs contain exact stack traces and are especially helpful, but both can provide valuable information.

Please only include the relevant portions of logs that correspond to when you reproduced the error.

Secondly, your OIDC setup seems a bit complex. If there's any way to simplify it or given thorough instructions on standing it up, we could more easily take a look at resolving this.

For the time being, I would suggest looking at the openid-client repo, reviewing past issues if others had similar issues:

https://github.com/panva/openid-client/issues?q=is%3Aissue%20state%3Aclosed

[danny-avila]

Related discussions:

• OIDC login fails with “invalid_client (Incorrect client_secret)” after redirect #8198
• v0.7.8 - REGRESSION - Error: Unknown authentication strategy "openid" #7520

[munsteraner]

Debug logs contain:

2025-07-25T16:11:35.052Z info: {
  "version": "1.2.8",
  "cache": true,
  "registration": {
    "socialLogins": [
      "openid"
    ]
  },
  "endpoints": {
    "agents": {
      "c... [truncated]
2025-07-25T16:11:35.053Z debug: Custom config:
{
  version: "1.2.8",
  cache: true,
    // 1 socialLogin(s)
    registration.socialLogins: ["openid"],

...

2025-07-25T16:11:35.273Z info: Configuring social logins...
2025-07-25T16:11:35.274Z info: Configuring OpenID Connect...
2025-07-25T16:11:35.278Z debug: [openidStrategy] Request to: https://auth.example.org/.well-known/openid-configuration
2025-07-25T16:11:35.279Z debug: [openidStrategy] Request method: GET
2025-07-25T16:11:35.280Z debug: [openidStrategy] Request headers: No headers available
2025-07-25T16:11:35.489Z debug: [openidStrategy] Response status: 200 OK
2025-07-25T16:11:35.491Z debug: [openidStrategy] Response headers: {... [truncated]}
2025-07-25T16:11:35.495Z info: OpenID Connect configured.

2025-07-25T16:12:35.538Z debug: X-Forwarded headers detected in OAuth request:
{
  x-forwarded-for: "xxx.xxx.xxx.xxx",
  x-forwarded-proto: "https",
}
2025-07-25T16:12:36.665Z debug: [openidStrategy] Request to: https://auth.example.org/oidc/token
2025-07-25T16:12:36.665Z debug: [openidStrategy] Request method: POST
2025-07-25T16:12:36.666Z debug: [openidStrategy] Request headers: No headers available
2025-07-25T16:12:36.666Z debug: [openidStrategy] Request body: redirect_uri=https%3A%2F%2Fyour-app.example.org%2Foauth%2Fopenid%2Fcallback&code=... [truncated]
2025-07-25T16:12:36.751Z debug: [openidStrategy] Response status: 401 Unauthorized
2025-07-25T16:12:36.753Z debug: [openidStrategy] Response headers: {... [truncated]}
2025-07-25T16:12:36.765Z error: ErrorController => error server responded with an error in the response body

Error logs contain:
{"cause":{"error":"invalid_client","error_description":"Wrong authentication method used, MUST use 'client_secret_basic'"},"code":"OAUTH_RESPONSE_BODY_ERROR","error":"invalid_client","error_description":"Wrong authentication method used, MUST use 'client_secret_basic'","level":"error","message":"ErrorController => error server responded with an error in the response body","name":"ResponseBodyError","stack":"ResponseBodyError: server responded with an error in the response body\n at checkOAuthBodyError (file:///app/node_modules/oauth4webapi/build/index.js:889:19)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async processGenericAccessTokenResponse (file:///app/node_modules/oauth4webapi/build/index.js:1165:5)\n at async processAuthorizationCodeOAuth2Response (file:///app/node_modules/oauth4webapi/build/index.js:1397:20)\n at async Module.authorizationCodeGrant (file:///app/api/node_modules/openid-client/build/index.js:942:18)\n at async CustomOpenIDStrategy.authorizationCodeGrant (file:///app/api/node_modules/openid-client/build/passport.js:135:28)","status":401}

with Wrong authentication method used, MUST use 'client_secret_basic, which is odd, since I have the OPENID_TOKEN_ENDPOINT_AUTH_METHOD: client_secret_basic set in the values.yaml for the new librechat-1.8.9 helm chart.

Regarding the complexity of my OIDC setup: this stems from a trial-and-error approach while attempting to replicate other OIDC configurations, with additional guidance from tools like ChatGPT. Since I’m new to OpenID Connect, I’m still in the process of understanding its concepts and best practices.

[munsteraner]

UPDATE:
I reduced the environment variables to the bare minimum, now only including: OPENID_CLIENT_ID, OPENID_ISSUER, OPENID_CALLBACK_URL, OPENID_SCOPE, OPENID_SESSION_SECRET, and OPENID_CLIENT_SECRET.

This setups work fine with 0.7.8. I also tried to overwrite the "OPENID_TOKEN_ENDPOINT_AUTH_METHOD: client_secret_basic", but as far as I see in /api/strategies/openidStrategy.js and /api/strategies/openidStrategy.spec.js there isn't even the option to set it, right? The error still appears...