Dealing with Error 'Unknown authentication strategy "openid"' when Logging in with OpenID under Proxy Environment

[nakata-daisuke-mb]

Contact Details

microdairen@gmail.com

What happened?

Under a proxy environment with ALLOW_SOCIAL_LOGIN set to true and various OpenID settings (such as OPENID_CLIENT_ID) configured, running docker-compose up results in the following errors:

LibreChat             | RPError: outgoing request timed out after 3500ms
LibreChat             |     at /app/node_modules/openid-client/lib/helpers/request.js:137:13
LibreChat             |     at async Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:171:22)
LibreChat             |     at async setupOpenId (/app/api/strategies/openidStrategy.js:39:20)

Moreover, when clicking on "Login with OpenID" on the UI, the screen displays "Internal Server Error" and logs the error below, preventing successful login:

LibreChat             | Error: Unknown authentication strategy "openid"
LibreChat             |     at attempt (/app/node_modules/passport/lib/middleware/authenticate.js:193:39)
LibreChat             |     at authenticate (/app/node_modules/passport/lib/middleware/authenticate.js:370:7)
LibreChat             |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
LibreChat             |     at next (/app/node_modules/express/lib/router/route.js:144:13)
LibreChat             |     at Route.dispatch (/app/node_modules/express/lib/router/route.js:114:3)
LibreChat             |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
LibreChat             |     at /app/node_modules/express/lib/router/index.js:284:15
LibreChat             |     at Function.process_params (/app/node_modules/express/lib/router/index.js:346:12)
LibreChat             |     at next (/app/node_modules/express/lib/router/index.js:280:10)
LibreChat             |     at /app/node_modules/express-rate-limit/dist/index.cjs:659:7

Detailed steps to reproduce are listed below, but the issue occurs under the following conditions:

• Using Azure AD
• Docker on Apple M1 Chip
• api, mongodb, meilisearch services assigned to Internal Network
• squid as a proxy and haproxy as a reverse proxy service added, assigned to both Internal and Bridge Networks

The issue has been resolved in the following two ways, suggesting that the OpenID related code is not compatible with proxy environments:

1. Switching api, mongodb, meilisearch services from Internal Network to Bridge Network results in successful OpenID authentication.
2. Keeping the services on the Internal Network and slightly modifying api/strategies/openidStrategy.js to include proxy settings via global-agent also leads to successful authentication.

Due to limited knowledge in next.js, it's unclear if providing global-agent in openidStrategy.js is appropriate, hence this is posted as a bug issue instead of a pull request.

Steps to Reproduce

1. Prepare haproxy.cfg with the following content:

   global
       log stdout format raw local0
   
   defaults
       log     global
       timeout connect 5000ms
       timeout client  50000ms
       timeout server  50000ms
   
   frontend http_front
       mode http
       bind *:80
       default_backend http_back
   
   backend http_back
       mode http
       server api api:3080
   

2. Set up the .env file with mainly the following changes:

   ...
   OPENAI_API_KEY=****
   ...
   PROXY=http://squid:3128
   ...
   ALLOW_SOCIAL_LOGIN=true
   ...
   OPENID_CLIENT_ID=****
   OPENID_CLIENT_SECRET=****
   OPENID_ISSUER=https://login.microsoftonline.com/****/v2.0/
   OPENID_SESSION_SECRET=****
   ....
   DOMAIN_CLIENT=http://localhost
   DOMAIN_SERVER=http://localhost
   ....
   

3. Modify docker-compose.yml slightly:

   ...
   services:
   ...
     api:
       networks:
         - internal_network
    ...
     mongodb:
       networks:
         - internal_network
   ...
     meilisearch:
       networks:
         - internal_network
   ...
     squid:
       image: ubuntu/squid
       networks:
         - internal_network
         - bridge_network
       ports:
         - 3128:3128
   
     haproxy:
       image: haproxy:latest
       restart: unless-stopped
       volumes:
         - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
       ports:
         - "80:80"
       networks:
         - internal_network
         - bridge_network
   
   networks:
     internal_network:
       driver: bridge
       internal: true
   
     bridge_network:
       driver: bridge

4. Execute docker-compose up.

5. After startup, the error RPError: outgoing request timed out after 3500ms is logged.

6. Access the application in a browser and press "Login with OpenID." This results in an "Internal Server Error" on the screen and the error Error: Unknown authentication strategy "openid" in the logs.

What browsers are you seeing the problem on?

Chrome

Relevant log output

Immediately After Service Startup:

LibreChat             | RPError: outgoing request timed out after 3500ms
LibreChat             |     at /app/node_modules/openid-client/lib/helpers/request.js:137:13
LibreChat             |     at async Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:171:22)
LibreChat             |     at async setupOpenId (/app/api/strategies/openidStrategy.js:39:20)

After Clicking on 'Login with OpenID':

LibreChat             | Error: Unknown authentication strategy "openid"
LibreChat             |     at attempt (/app/node_modules/passport/lib/middleware/authenticate.js:193:39)
LibreChat             |     at authenticate (/app/node_modules/passport/lib/middleware/authenticate.js:370:7)
LibreChat             |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
LibreChat             |     at next (/app/node_modules/express/lib/router/route.js:144:13)
LibreChat             |     at Route.dispatch (/app/node_modules/express/lib/router/route.js:114:3)
LibreChat             |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
LibreChat             |     at /app/node_modules/express/lib/router/index.js:284:15
LibreChat             |     at Function.process_params (/app/node_modules/express/lib/router/index.js:346:12)
LibreChat             |     at next (/app/node_modules/express/lib/router/index.js:280:10)
LibreChat             |     at /app/node_modules/express-rate-limit/dist/index.cjs:659:7

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Hi @nakata-daisuke-mb

Thanks for your issue. Due to the highly specific nature of this configuration, I've moved it to a discussion as I can't set it up nor debug under the same configuration.

If anyone with the same configuration runs into this, it will be found here.

Due to limited knowledge in next.js, it's unclear if providing global-agent in openidStrategy.js is appropriate, hence this is posted as a bug issue instead of a pull request.

This project is not using Next.js. global-agent would be useful as it could simplify proxy requests in the backend (/api/) and the contribution would be welcome provided it is non-breaking to all external fetching.

[nakata-daisuke-mb]

Hi, @danny-avila

Thank you for moving the issue to a discussion and for your advice. As my JavaScript knowledge is somewhat limited, I'm unsure about the broader implications of using global-agent beyond openidStrategy.js. However, I've attempted a solution that seems to work in my specific case. Below are the steps I took:

1. Added global-agent to api/package.json:

   "dependencies": {
       "global-agent": "^3.0.0"
   }

2. Updated package-lock.json at the root directory:

   npm install --package-lock-only

3. Modified docker-compose.yml to include an environment variable for global-agent:

   services:
   ...
     api:
   ...
       environment:
         - GLOBAL_AGENT_HTTP_PROXY=http://squid:3128
   ...

4. Added require('global-agent/bootstrap') in api/strategies/openidStrategy.js:

   const passport = require('passport');
   const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
   const axios = require('axios');
   const fs = require('fs');
   const path = require('path');
   require('global-agent/bootstrap'); // Added this line
   ...

5. Rebuilt the Docker images with no cache:

   docker-compose build --no-cache

6. Started the services:

   docker-compose up

With these changes, the OpenID login process works correctly under my proxy setup.

[hamedf62]

dear @danny-avila
kindly advice about this problem,
as after 3 days i cant solve it i decided to switch alternative app,
i have installed Librechat and Keycloak in seperate containers in local machine, but LibreChat never redirected to keycloak login page due to "Internal Seerver Error".
regards.

[RolandRitt]

I fixed it by not using localhost but host.docker.internal in the OPENID_ISSUER variable

OPENID_ISSUER=http://host.docker.internal:8080/realms/test_librechat