OpenID Connect Token Reuse with Auth0 (Support JWE format and openid audience)

[SollalF]

What happened?

Problem Description

When using OPENID_REUSE_TOKENS=true with Auth0 as the OpenID provider, LibreChat enters an infinite refresh loop where the client continuously makes token refresh requests, preventing normal application usage.

Root Cause

Auth0 returns encrypted access tokens (JWE format) by default, which cannot be validated as JWTs by LibreChat. The strategy expects standard JWT tokens for validation using JWKS, but receives encrypted tokens

This causes authentication to fail repeatedly, triggering the refresh loop.

Environment

• LibreChat Version: [current version]
• OpenID Provider: Auth0
• Configuration:

  OPENID_REUSE_TOKENS=true
  OPENID_SCOPE=openid profile email offline_access

Current Workaround

Two possible workarounds were identified:

Option 1: Use ID Token for Authentication

// In setOpenIDAuthTokens function
const clientToken = tokenset.id_token || token;
return clientToken;

Option 2: Configure Audience for JWT Access Tokens

OPENID_AUDIENCE=https://api.yourapp.com

class CustomOpenIDStrategy extends OpenIDStrategy {
  currentUrl(req) {
    const hostAndProtocol = process.env.DOMAIN_SERVER;
    return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
  }
  authorizationRequestParams(req, options) {
    const params = super.authorizationRequestParams(req, options);
    if (options?.state && !params.has('state')) {
      params.set('state', options.state);
    }

    // Add audience parameter if specified
    if (process.env.OPENID_AUDIENCE) {
      params.set('audience', process.env.OPENID_AUDIENCE);
      logger.debug(
        `[openidStrategy] Adding audience to authorization request: ${process.env.OPENID_AUDIENCE}`,
      );
    }

    return params;
  }
}

However, LibreChat currently seems to lack built-in support for setting the openid audience parameter.

Files Affected

• api/strategies/openidStrategy.js
• api/server/services/AuthService.js
• .env.example (for documentation)

Would you like me to help you format this differently or add any additional technical details?

Version Information

6fd3b56

Steps to Reproduce

1. Configure LibreChat with Auth0 as OpenID provider
2. Set OPENID_REUSE_TOKENS=true
3. Set OPENID_SCOPE=openid profile email offline_access
4. Attempt to log in
5. Observe infinite refresh requests in browser network tab

What browsers are you seeing the problem on?

Chrome

Relevant log output

N/A

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Hi @SollalF this seems more like a feature request, would you be open to submitting a PR for a solution that works for you?

Documentation so I can help test it would be appreciated as well.

[SollalF]

Done, I added some steps to reproduce in the comments, let me know. #8837