feat(librechat): add OIDC HTTP patch and prompt=none for seamless SSO

Switch to host networking so LibreChat can reach Keycloak on localhost. Patch openidStrategy.js to allow HTTP OIDC issuers for local dev (openid-client v6 enforces HTTPS by default). Add support for OPENID_AUTH_EXTRA_PARAMS env var and set prompt=none for automatic SSO login when a Keycloak session exists. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 22:27:07 +01:00
parent 5f3939bb6c
commit 79e93eac08
2 changed files with 757 additions and 4 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -46,23 +46,31 @@ services:
    image: ghcr.io/danny-avila/librechat:latest
    container_name: certifai-librechat
    restart: unless-stopped
-    ports:
-      - "3080:3080"
+    # Use host networking so localhost:8080 (Keycloak) is reachable for
+    # OIDC discovery, and the browser redirect URLs match the issuer.
+    network_mode: host
    depends_on:
      keycloak:
        condition: service_healthy
      mongo:
        condition: service_started
    environment:
-      # MongoDB (shared instance, separate database)
-      MONGO_URI: mongodb://root:example@mongo:27017/librechat?authSource=admin
+      # MongoDB (use localhost since we're on host network)
+      MONGO_URI: mongodb://root:example@localhost:27017/librechat?authSource=admin
+      DOMAIN_CLIENT: http://localhost:3080
+      DOMAIN_SERVER: http://localhost:3080
+      # Allow HTTP for local dev OIDC (Keycloak on localhost without TLS)
+      NODE_TLS_REJECT_UNAUTHORIZED: "0"
+      NODE_ENV: development
      # Keycloak OIDC SSO
      OPENID_ISSUER: http://localhost:8080/realms/certifai
      OPENID_CLIENT_ID: certifai-librechat
      OPENID_CLIENT_SECRET: certifai-librechat-secret
+      OPENID_SESSION_SECRET: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6"
      OPENID_CALLBACK_URL: /oauth/openid/callback
      OPENID_SCOPE: openid profile email
      OPENID_BUTTON_LABEL: Login with CERTifAI
+      OPENID_AUTH_EXTRA_PARAMS: prompt=none
      # Disable local auth (SSO only)
      ALLOW_EMAIL_LOGIN: "false"
      ALLOW_REGISTRATION: "false"
@@ -82,6 +90,8 @@ services:
    volumes:
      - ./librechat/librechat.yaml:/app/librechat.yaml:ro
      - ./librechat/logo.svg:/app/client/public/assets/logo.svg:ro
+      # Patch: allow HTTP issuer for local dev (openid-client v6 enforces HTTPS)
+      - ./librechat/openidStrategy.js:/app/api/strategies/openidStrategy.js:ro
      - librechat-data:/app/data

 volumes: