added feature for oidc auto redirection #6066

leondape · 2025-02-26T14:50:33Z

As described in #5683

Goal

If OIDC is the only option the click on the button is a little redundant.
This option enables automatic redirection to the OIDC provider if set to true

Change Type

Basically the Login page and config types were changed. Please review if any security questions have been touched. If think t should be fine.

New feature (non-breaking change which adds functionality)
This change requires a documentation update

Documented in:

Please delete any irrelevant options.

My code adheres to this project's style guidelines
I have performed a self-review of my own code
I have commented in any complex areas of my code
I have made pertinent documentation changes
Local unit tests pass with my changes
Any changes dependent on mine have been merged and published in downstream modules.
A pull request for updating the documentation has been submitted. here

rubentalstra

please have a look at my comment :)

rubentalstra · 2025-02-26T14:54:56Z

client/src/components/Auth/Login.tsx

+  const redirectAttemptedRef = useRef(false);
+
+  // Auto-redirect to OpenID provider if enabled
+  // This is controlled by the OPENID_AUTO_REDIRECT environment variable
+  // When enabled, users will be automatically redirected to the OpenID provider
+  // without seeing the login form at all
+  useEffect(() => {
+    // Simple check if redirect is needed and not yet attempted
+    if (
+      !redirectAttemptedRef.current &&
+      startupConfig?.openidLoginEnabled &&
+      startupConfig?.openidAutoRedirect &&
+      startupConfig?.serverDomain
+    ) {
+      // Mark that we've attempted to redirect
+      redirectAttemptedRef.current = true;
+
+      // Log and redirect
+      console.log('Auto-redirecting to OpenID provider...');
+      window.location.href = `${startupConfig.serverDomain}/oauth/openid`;
+    }
+  }, [startupConfig]);
+


what if the callback fails and returns back to the login page? then we have a infantent loop right? and then the OpenID endpoint will then finally return with a 429 status?

Good catch!
I added some cookies and cooldown logic to prevent that.
It works, however I would really be greatful if someone can review it thoroughly for security questions.

api/server/routes/oauth.js

@@ -22,6 +22,13 @@
      return;
    }
    await setAuthTokens(req.user._id, res);
+


api/server/routes/oauth.js

@@ -22,6 +22,13 @@
      return;
    }
    await setAuthTokens(req.user._id, res);
+
+    // On successful login, let's clear any openid redirect flags
+    res.cookie('successful_login', 'true', { 


api/server/routes/oauth.js

+    // On successful login, let's clear any openid redirect flags
+    res.cookie('successful_login', 'true', { 
+      maxAge: 1000, // very short-lived, just for client-side detection
+      httpOnly: false // client needs to read this


api/server/routes/oauth.js

+      maxAge: 1000, // very short-lived, just for client-side detection
+      httpOnly: false // client needs to read this
+    });
+


api/server/routes/oauth.js

@@ -31,7 +38,9 @@
 router.get('/error', (req, res) => {
  // A single error message is pushed by passport when authentication fails.
  logger.error('Error in OAuth authentication:', { message: req.session.messages.pop() });
-  res.redirect(`${domains.client}/login`);
+


client/src/components/Auth/Login.tsx

+        authFailed
+      })


client/src/components/Auth/Login.tsx

+    if (successfulLogin) {
+      // Clear the redirect flag in localStorage
+      clearOpenIDRedirectFlag();
+


client/src/utils/localStorage.ts

+  // Get timestamp of last redirect attempt from localStorage
+  const lastRedirectAttempt = localStorage.getItem(OPENID_REDIRECT_KEY);
+  const currentTime = Date.now();
+


client/src/utils/localStorage.ts

+    localStorage.setItem(OPENID_REDIRECT_KEY, currentTime.toString());
+    return true;
+  }
+


rubentalstra · 2025-02-27T16:39:06Z

@leondape thank you for updating the code.

What do you think about instead of using the default url for redirecting have a parameter in the url to trigger this? So we don't need to make too many changes in the code?

This will also solve the infinite redirect loop?

leondape · 2025-02-28T05:22:04Z

@rubentalstra could you elaborate your idea? I don’t quite get what you mean. :)

added feature for oidc auto redirection

caaadf2

leondape mentioned this pull request Feb 26, 2025

adding documentation for PR in Librechat #5683 LibreChat-AI/librechat.ai#250

Open

rubentalstra requested changes Feb 26, 2025

View reviewed changes

rubentalstra marked this pull request as draft February 27, 2025 09:06

Added Cooldown logic for OIDC auto redirect for failed login attempts

bfc7179

github-advanced-security bot found potential problems Feb 27, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

added feature for oidc auto redirection #6066

added feature for oidc auto redirection #6066

leondape commented Feb 26, 2025

rubentalstra left a comment

rubentalstra Feb 26, 2025

leondape Feb 27, 2025

rubentalstra commented Feb 27, 2025

leondape commented Feb 28, 2025

added feature for oidc auto redirection #6066

Are you sure you want to change the base?

added feature for oidc auto redirection #6066

Conversation

leondape commented Feb 26, 2025

Goal

Change Type

rubentalstra left a comment

Choose a reason for hiding this comment

rubentalstra Feb 26, 2025

Choose a reason for hiding this comment

leondape Feb 27, 2025

Choose a reason for hiding this comment

rubentalstra commented Feb 27, 2025

leondape commented Feb 28, 2025