From d9401d4be5efb0acffdc7a7575570b0f15538c16 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <parnerkarsharang@gmail.com>
Date: Mon, 23 Feb 2026 22:27:07 +0100
Subject: [PATCH] feat(librechat): add OIDC HTTP patch and prompt=none for
 seamless SSO

Switch to host networking so LibreChat can reach Keycloak on localhost.
Patch openidStrategy.js to allow HTTP OIDC issuers for local dev
(openid-client v6 enforces HTTPS by default). Add support for
OPENID_AUTH_EXTRA_PARAMS env var and set prompt=none for automatic
SSO login when a Keycloak session exists.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index d13949e..1d8b2ef 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -70,6 +70,7 @@ services:
       OPENID_CALLBACK_URL: /oauth/openid/callback
       OPENID_SCOPE: openid profile email
       OPENID_BUTTON_LABEL: Login with CERTifAI
+      OPENID_AUTH_EXTRA_PARAMS: prompt=none
       # Disable local auth (SSO only)
       ALLOW_EMAIL_LOGIN: "false"
       ALLOW_REGISTRATION: "false"