OpenId Nonce validation errors after upgrade to 0.7.9

[jasongilman]

I'm using the OPENID_* configuration environment variables with Cognito. After upgrade to V0.7.9 I started seeing these errors in the log ErrorController => error unexpected JWT claim value encountered

I was able to add additional logging and determined that the unexpected ID Token "nonce" claim value was the cause.

The oauth2 authorize request from my browser looks like this

https://...amazoncognito.com/oauth2/authorize?
  state=...&
  client_id=...&
  response_type=code&
  code_challenge=...&
  code_challenge_method=...&
  redirect_uri=...%2Foauth%2Fopenid%2Fcallback&
  scope=openid+profile+email

The server makes a request to cognito /oauth2/token and the decoded ID token from the JWT contains a nonce.

Do you have any suggestions on how to resolve this issue?

[danny-avila]

Did you follow this guide to setup Cognito?

https://www.librechat.ai/docs/configuration/authentication/OAuth2-OIDC/aws

The openid-client library was necessarily upgraded which led to increased strictness for OIDC. I would first try to troubleshoot with the guide and see if you have any success.

Discussion on the library update: #7520

[jasongilman]

I believe that we followed that guide when we set it up. I reviewed the instructions and our Cognito matches with the exception that we're using an external federated identity provider with Cognito. I was able to determine that we DO have the problem in v0.7.8 but it wasn't showing up as an internal error for the user but instead required them to login twice. I'm glad this identified the problem there.

I've been adding more and more logging to try and understand what's happening and digging into the openid client code. These are the set of requests

First redirect to Cognito
https://<userpool>.auth.us-east-1.amazoncognito.com/oauth2/authorize?

• client_id=...
• scope=openid profile email
• response_type=code
• redirect_uri=https://<hostname>/oauth/openid/callback
• state=...
• session=false
• code_challenge=...
• code_challenge_method=S256

Eliding some requests with our third party provider

Server Request to Cognito

https://<userpool>.auth.us-east-1.amazoncognito.com/oauth2/token

• grant_type=authorization_code
• code=...
• redirect_uri=https://<hostname>/oauth/openid/callback
• code_verifier=...

Cognito responds with the three tokens and the id token contains a nonce which triggers nonce validation in the openid-client code.

Tracing the requests and consulting with an AI it seems to suggest that this is expected behavior and "The OIDC spec doesn't prohibit providers from including nonces when they weren't requested." The AI then suggests to either configure a nonce as part of the initial authorize request to Cognito or to skip nonce validation which would be a change in librechat code. I'm really stuck at what to do at this point. I'd expect other people using Cognito with librechat to experience this same failure mode or there's something in the messages above that indicate that we've configured something incorrectly in librechat or Cognito or somehow the introduction of the external provider changes how Cognito behaves when it generates id tokens which seems unlikely.