🔐 feat: OIDC Bearer Token Authentication for Remote Agent API

api/server/controllers/AuthController.js

@@ -2,7 +2,7 @@ const cookies = require('cookie');
 const jwt = require('jsonwebtoken');
 const openIdClient = require('openid-client');
 const { logger } = require('@librechat/data-schemas');
-const { isEnabled, findOpenIDUser } = require('@librechat/api');
+const { isEnabled, findOpenIDUser, getOpenIdIssuer } = require('@librechat/api');
 const {
   requestPasswordReset,
   setOpenIDAuthTokens,
@@ -85,10 +85,12 @@ const refreshController = async (req, res) => {
         refreshParams,
       );
       const claims = tokenset.claims();
+      const openidIssuer = getOpenIdIssuer(claims, openIdConfig);
       const { user, error, migration } = await findOpenIDUser({
         findUser,
         email: getOpenIdEmail(claims),
         openidId: claims.sub,
+        openidIssuer,
         idOnTheSource: claims.oid,
         strategyName: 'refreshController',
       });
@@ -111,6 +113,7 @@ const refreshController = async (req, res) => {
         await updateUser(user._id.toString(), {
           provider: 'openid',
           openidId: claims.sub,
+          ...(openidIssuer ? { openidIssuer } : {}),
         });
         logger.info(
           `[refreshController] Updated user ${user.email} openidId (${reason}): ${user.openidId ?? 'null'} -> ${claims.sub}`,

api/server/controllers/AuthController.spec.js

@@ -23,6 +23,7 @@ jest.mock('~/models', () => ({
 jest.mock('@librechat/api', () => ({
   isEnabled: jest.fn(),
   findOpenIDUser: jest.fn(),
+  getOpenIdIssuer: jest.fn(() => 'https://issuer.example.com'),
 }));
 
 const openIdClient = require('openid-client');
@@ -157,6 +158,7 @@ describe('refreshController – OpenID path', () => {
   };
 
   const baseClaims = {
+    iss: 'https://issuer.example.com',
     sub: 'oidc-sub-123',
     oid: 'oid-456',
     email: 'user@example.com',
@@ -204,7 +206,10 @@ describe('refreshController – OpenID path', () => {
 
     expect(getOpenIdEmail).toHaveBeenCalledWith(baseClaims);
     expect(findOpenIDUser).toHaveBeenCalledWith(
-      expect.objectContaining({ email: baseClaims.email }),
+      expect.objectContaining({
+        email: baseClaims.email,
+        openidIssuer: baseClaims.iss,
+      }),
     );
     expect(res.status).toHaveBeenCalledWith(200);
   });
@@ -225,7 +230,10 @@ describe('refreshController – OpenID path', () => {
 
     expect(getOpenIdEmail).toHaveBeenCalledWith(claimsWithUpn);
     expect(findOpenIDUser).toHaveBeenCalledWith(
-      expect.objectContaining({ email: 'user@corp.example.com' }),
+      expect.objectContaining({
+        email: 'user@corp.example.com',
+        openidIssuer: baseClaims.iss,
+      }),
     );
     expect(res.status).toHaveBeenCalledWith(200);
   });
@@ -236,7 +244,10 @@ describe('refreshController – OpenID path', () => {
     await refreshController(req, res);
 
     expect(findOpenIDUser).toHaveBeenCalledWith(
-      expect.objectContaining({ email: baseClaims.email }),
+      expect.objectContaining({
+        email: baseClaims.email,
+        openidIssuer: baseClaims.iss,
+      }),
     );
   });
 
@@ -267,7 +278,11 @@ describe('refreshController – OpenID path', () => {
 
     expect(updateUser).toHaveBeenCalledWith(
       'user-db-id',
-      expect.objectContaining({ provider: 'openid', openidId: baseClaims.sub }),
+      expect.objectContaining({
+        provider: 'openid',
+        openidId: baseClaims.sub,
+        openidIssuer: baseClaims.iss,
+      }),
     );
     expect(res.status).toHaveBeenCalledWith(200);
   });

api/server/routes/agents/middleware.js

@@ -0,0 +1,41 @@
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const {
+  generateCheckAccess,
+  preAuthTenantMiddleware,
+  createRequireApiKeyAuth,
+  createRemoteAgentAuth,
+  createCheckRemoteAgentAccess,
+} = require('@librechat/api');
+const { getEffectivePermissions } = require('~/server/services/PermissionService');
+const { getAppConfig } = require('~/server/services/Config');
+const db = require('~/models');
+
+const apiKeyMiddleware = createRequireApiKeyAuth({
+  validateAgentApiKey: db.validateAgentApiKey,
+  findUser: db.findUser,
+});
+
+const requireRemoteAgentAuth = createRemoteAgentAuth({
+  apiKeyMiddleware,
+  findUser: db.findUser,
+  updateUser: db.updateUser,
+  getAppConfig,
+});
+
+const checkRemoteAgentsFeature = generateCheckAccess({
+  permissionType: PermissionTypes.REMOTE_AGENTS,
+  permissions: [Permissions.USE],
+  getRoleByName: db.getRoleByName,
+});
+
+const checkAgentPermission = createCheckRemoteAgentAccess({
+  getAgent: db.getAgent,
+  getEffectivePermissions,
+});
+
+module.exports = {
+  checkAgentPermission,
+  preAuthTenantMiddleware,
+  requireRemoteAgentAuth,
+  checkRemoteAgentsFeature,
+};

api/server/routes/agents/openai.js

@@ -17,40 +17,23 @@
  *   }
  */
 const express = require('express');
-const { PermissionTypes, Permissions } = require('librechat-data-provider');
-const {
-  generateCheckAccess,
-  createRequireApiKeyAuth,
-  createCheckRemoteAgentAccess,
-} = require('@librechat/api');
 const {
   OpenAIChatCompletionController,
   ListModelsController,
   GetModelController,
 } = require('~/server/controllers/agents/openai');
-const { getEffectivePermissions } = require('~/server/services/PermissionService');
 const { configMiddleware } = require('~/server/middleware');
-const db = require('~/models');
+const {
+  checkAgentPermission,
+  preAuthTenantMiddleware,
+  requireRemoteAgentAuth,
+  checkRemoteAgentsFeature,
+} = require('./middleware');
 
 const router = express.Router();
 
-const requireApiKeyAuth = createRequireApiKeyAuth({
-  validateAgentApiKey: db.validateAgentApiKey,
-  findUser: db.findUser,
-});
-
-const checkRemoteAgentsFeature = generateCheckAccess({
-  permissionType: PermissionTypes.REMOTE_AGENTS,
-  permissions: [Permissions.USE],
-  getRoleByName: db.getRoleByName,
-});
-
-const checkAgentPermission = createCheckRemoteAgentAccess({
-  getAgent: db.getAgent,
-  getEffectivePermissions,
-});
-
-router.use(requireApiKeyAuth);
+router.use(preAuthTenantMiddleware);
+router.use(requireRemoteAgentAuth);
 router.use(configMiddleware);
 router.use(checkRemoteAgentsFeature);
 

api/server/routes/agents/responses.js

@@ -20,40 +20,23 @@
  * @see https://openresponses.org/specification
  */
 const express = require('express');
-const { PermissionTypes, Permissions } = require('librechat-data-provider');
-const {
-  generateCheckAccess,
-  createRequireApiKeyAuth,
-  createCheckRemoteAgentAccess,
-} = require('@librechat/api');
 const {
   createResponse,
   getResponse,
   listModels,
 } = require('~/server/controllers/agents/responses');
-const { getEffectivePermissions } = require('~/server/services/PermissionService');
 const { configMiddleware } = require('~/server/middleware');
-const db = require('~/models');
+const {
+  checkAgentPermission,
+  preAuthTenantMiddleware,
+  requireRemoteAgentAuth,
+  checkRemoteAgentsFeature,
+} = require('./middleware');
 
 const router = express.Router();
 
-const requireApiKeyAuth = createRequireApiKeyAuth({
-  validateAgentApiKey: db.validateAgentApiKey,
-  findUser: db.findUser,
-});
-
-const checkRemoteAgentsFeature = generateCheckAccess({
-  permissionType: PermissionTypes.REMOTE_AGENTS,
-  permissions: [Permissions.USE],
-  getRoleByName: db.getRoleByName,
-});
-
-const checkAgentPermission = createCheckRemoteAgentAccess({
-  getAgent: db.getAgent,
-  getEffectivePermissions,
-});
-
-router.use(requireApiKeyAuth);
+router.use(preAuthTenantMiddleware);
+router.use(requireRemoteAgentAuth);
 router.use(configMiddleware);
 router.use(checkRemoteAgentsFeature);
 

api/strategies/openIdJwtStrategy.js

@@ -3,9 +3,14 @@ const jwksRsa = require('jwks-rsa');
 const { logger } = require('@librechat/data-schemas');
 const { HttpsProxyAgent } = require('https-proxy-agent');
 const { SystemRoles } = require('librechat-data-provider');
-const { isEnabled, findOpenIDUser, math } = require('@librechat/api');
 const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
-const { getOpenIdEmail } = require('./openidStrategy');
+const {
+  isEnabled,
+  findOpenIDUser,
+  getOpenIdEmail,
+  getOpenIdIssuer,
+  math,
+} = require('@librechat/api');
 const { updateUser, findUser } = require('~/models');
 
 /**
@@ -27,7 +32,9 @@ const { updateUser, findUser } = require('~/models');
  */
 const openIdJwtLogin = (openIdConfig) => {
   let jwksRsaOptions = {
-    cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
+    cache: process.env.OPENID_JWKS_URL_CACHE_ENABLED
+      ? isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED)
+      : true,
     cacheMaxAge: math(process.env.OPENID_JWKS_URL_CACHE_TIME, 60000),
     jwksUri: openIdConfig.serverMetadata().jwks_uri,
   };
@@ -51,11 +58,13 @@ const openIdJwtLogin = (openIdConfig) => {
       try {
         const authHeader = req.headers.authorization;
         const rawToken = authHeader?.replace('Bearer ', '');
+        const openidIssuer = getOpenIdIssuer(payload, openIdConfig);
 
         const { user, error, migration } = await findOpenIDUser({
           findUser,
           email: payload ? getOpenIdEmail(payload) : undefined,
           openidId: payload?.sub,
+          openidIssuer,
           idOnTheSource: payload?.oid,
           strategyName: 'openIdJwtLogin',
         });
@@ -72,6 +81,9 @@ const openIdJwtLogin = (openIdConfig) => {
           if (migration) {
             updateData.provider = 'openid';
             updateData.openidId = payload?.sub;
+            if (openidIssuer) {
+              updateData.openidIssuer = openidIssuer;
+            }
           }
           if (!user.role) {
             user.role = SystemRoles.USER;

api/strategies/openIdJwtStrategy.spec.js

@@ -23,6 +23,8 @@ jest.mock('@librechat/data-schemas', () => ({
 jest.mock('@librechat/api', () => ({
   isEnabled: jest.fn(() => false),
   findOpenIDUser: jest.fn(),
+  getOpenIdEmail: jest.requireActual('@librechat/api').getOpenIdEmail,
+  getOpenIdIssuer: jest.fn(() => 'https://issuer.example.com'),
   math: jest.fn((val, fallback) => fallback),
 }));
 jest.mock('~/models', () => ({
@@ -47,7 +49,10 @@ const { findUser, updateUser } = require('~/models');
 
 // Helper: build a mock openIdConfig
 const mockOpenIdConfig = {
-  serverMetadata: () => ({ jwks_uri: 'https://example.com/.well-known/jwks.json' }),
+  serverMetadata: () => ({
+    issuer: 'https://issuer.example.com',
+    jwks_uri: 'https://example.com/.well-known/jwks.json',
+  }),
 };
 
 // Helper: invoke the captured verify callback
@@ -225,6 +230,7 @@ describe('openIdJwtStrategy – OPENID_EMAIL_CLAIM', () => {
       _id: 'user-id-1',
       provider: 'openid',
       openidId: payload.sub,
+      openidIssuer: 'https://issuer.example.com',
       email: payload.email,
       role: SystemRoles.USER,
     };
@@ -240,7 +246,9 @@ describe('openIdJwtStrategy – OPENID_EMAIL_CLAIM', () => {
 
     expect(findUser).toHaveBeenCalledWith(
       expect.objectContaining({
-        $or: expect.arrayContaining([{ openidId: payload.sub }]),
+        $or: expect.arrayContaining([
+          { openidId: payload.sub, openidIssuer: 'https://issuer.example.com' },
+        ]),
       }),
     );
   });
@@ -254,7 +262,9 @@ describe('openIdJwtStrategy – OPENID_EMAIL_CLAIM', () => {
 
     expect(findUser).toHaveBeenCalledTimes(2);
     expect(findUser.mock.calls[0][0]).toMatchObject({
-      $or: expect.arrayContaining([{ openidId: payload.sub }]),
+      $or: expect.arrayContaining([
+        { openidId: payload.sub, openidIssuer: 'https://issuer.example.com' },
+      ]),
     });
     expect(findUser.mock.calls[1][0]).toEqual({ email: 'test@corp.example.com' });
     expect(user).toBe(false);
@@ -367,7 +377,11 @@ describe('openIdJwtStrategy – OPENID_EMAIL_CLAIM', () => {
     expect(user).toBeTruthy();
     expect(updateUser).toHaveBeenCalledWith(
       'legacy-db-id',
-      expect.objectContaining({ provider: 'openid', openidId: payloadNoEmail.sub }),
+      expect.objectContaining({
+        provider: 'openid',
+        openidId: payloadNoEmail.sub,
+        openidIssuer: 'https://issuer.example.com',
+      }),
     );
   });
 });