OIDC Keycloak login results in /oauth/openid/undefined 404 not found #10483
What happened?
After clicking the OIDC login button and logging in, I always get redirected to

Version Information
I am using kubernetes v1.31.6+rke2r1 (with containerd 2.0) with the latest helm chart+values as of today (librechat v0.8.1-rc1). I don't have a special librechat config file.

Steps to Reproduce
Hi and thanks for your work! I tried the helm chart (for the values.yaml see below) and got almost everything running, but I can't get the keycloak OIDC login to work properly. After clicking the OIDC login button, I always get redirected to
{
"timestamp": "2025-11-13T13:40:08.035Z",
"browser": {
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
"platform": "Linux",
"platformVersion": "6.17.7",
"language": "en-US",
"windowSize": "842x1309"
},
"error": {
"message": "An unexpected error occurred",
"status": 404,
"statusText": "Not Found",
"data": "Error: No route matches URL \"/oauth/openid/undefined\""
}
}
However, if I delete the
When looking at the librechat logs, I can see an issue with the
I have set the following librechat-credentials-env as a secret and can see the ENV being correctly set within the librechat container:
OPENID_SCOPE: openid profile email
JWT_REFRESH_SECRET: -
OPENAI_API_KEY: -
OPENID_SESSION_SECRET: -
CREDS_IV: -
OPENID_CLIENT_ID: oidc-client-id
JWT_SECRET: -
MEILI_MASTER_KEY: -
OPENID_CLIENT_SECRET: -
CREDS_KEY: -
OPENID_CALLBACK_URL: /oauth/openid/callback
OPENID_ISSUER: https://domain.com/auth/realms/realm1

I used the following values.yaml for the helm chart:
librechat:
  configEnv:
    PLUGIN_MODELS: gpt-4o-mini
    OPENAI_MODELS: gpt-4o-mini
    ALLOW_EMAIL_LOGIN: "false"
    ALLOW_REGISTRATION: "false"
    ALLOW_SOCIAL_LOGIN: "true"
    ALLOW_SOCIAL_REGISTRATION: "false"
    DOMAIN_SERVER: "https://domain.com"
    CLIENT_SERVER: "https://domain.com"
    OPENID_ENABLED: "true"
    #OPENID_AUTO_REDIRECT: "true"
    OPENID_BUTTON_LABEL: "LOGIN"
    #DEBUG_OPENID_REQUESTS: "true"
    OPENID_SCOPE: "openid profile email"
  existingSecretName: "librechat-credentials-env"
  # For adding a custom config yaml-file you can set the contents in this var. See https://www.librechat.ai/docs/configuration/librechat_yaml/example
  configYamlContent: |
    version: 1.3.1
    cache: true
    interface:
      privacyPolicy:
        externalUrl: 'https://librechat.ai/privacy-policy'
        openNewTab: true
      termsOfService:
        externalUrl: 'https://librechat.ai/tos'
        openNewTab: true
  # name of existing Yaml configmap, key must be librechat.yaml
  existingConfigYaml: ""
image:
  repository: danny-avila/librechat
  registry: ghcr.io
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: "v0.8.1-rc1"
ingress:
  enabled: true
  className: ""
  annotations:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: prod-acme-cissuer
  hosts:
    - host: domain.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - hosts:
        - domain.com
      secretName: domain.com-ingress-tls
(I have omitted imho unrelated info in the values.yaml)

I can use the OIDC Login button (which points to domain.com/oauth/openid) as well as the Keycloak login flow afterwards when clicking it. After the successful auth (otherwise I couldn't just ignore the 404 undefined message), I get the above error, but if I ignore the error and go to the baseURL, I can use librechat normally and as expected. Maybe I am missing something obvious or have something misconfigured? The keycloak I use is also providing OIDC for about 10 other services, which are working fine. I couldn't figure out where or what exactly triggers the

What browsers are you seeing the problem on?
Chrome, Firefox

Relevant log output
relevant logs for librechat when starting it up and logging in with a user over OIDC:
> [email protected] backend
> cross-env NODE_ENV=production node api/server/index.js
2025-11-13 13:30:44 info: Mongo Connection options
2025-11-13 13:30:44 info: {
"bufferCommands": false
}
2025-11-13 13:30:44 info: Connected to MongoDB
2025-11-13 13:30:44 info: [getAppConfig] App configuration not initialized. Initializing AppService...
2025-11-13 13:30:44 info: Custom config file loaded:
2025-11-13 13:30:44 info: {
"version": "1.3.1",
"cache": true,
"interface": {
"privacyPolicy": {
"externalUrl": "https://librechat.ai/privacy-policy",
"openNewTab": true
},
"termsOfService": {
"externalUrl": "https://librechat.ai/tos",
"openNewTab": true
}
}
}
2025-11-13 13:30:44 warn: RAG API is either not running or not reachable at undefined, you may experience errors with file uploads.
2025-11-13 13:30:44 info: Configuring social logins...
2025-11-13 13:30:44 info: Configuring OpenID Connect...
2025-11-13 13:30:44 info: [openidStrategy] OpenID authentication configuration
2025-11-13 13:30:44 info: OpenID Connect configured successfully.
2025-11-13 13:30:44 info: Server listening on all interfaces at port 3080. Use http://localhost:3080 to access it
2025-11-13 13:30:44 info: OAuth reconnect manager initialized successfully.
2025-11-13 13:36:04 info: [openidStrategy] login success openidId: b4c9a830-e9b3-4808-8b35-385785594121 | email: [email protected] | username: [email protected]
2025-11-13 13:40:43 warn: [OAuthReconnectionManager] MCPManager not available, skipping OAuth MCP server reconnection
2025-11-13 13:40:43 error: Failed to load service key from file: /app/api/data/auth.json ENOENT: no such file or directory, stat '/app/api/data/auth.json'
2025-11-13 13:43:18 warn: [OAuthReconnectionManager] MCPManager not available, skipping OAuth MCP server reconnection
2025-11-13 13:43:49 info: [openidStrategy] login success openidId: b4c9a830-e9b3-4808-8b35-385785594121 | email: [email protected] | username: [email protected]
When logging in, I can see a (chromium) console error in the browser, but not sure if related:
workbox-4c320e2c.js:1 Uncaught (in promise) non-precached-url: non-precached-url :: [{"url":"index.html"}]
at O.createHandlerBoundToURL (workbox-4c320e2c.js:1:13245)
at Object.createHandlerBoundToURL (workbox-4c320e2c.js:1:14916)
at sw.js:1:2796
at sw.js:1:565
createHandlerBoundToURL @ workbox-4c320e2c.js:1
(anonymous) @ workbox-4c320e2c.js:1
(anonymous) @ sw.js:1
(anonymous) @ sw.js:1
More verbose librechat logs while logging in:

Screenshots
No response
Replies: 1 comment 2 replies
Check these environment variables:
DOMAIN_CLIENT=
DOMAIN_SERVER=
CLIENT_SERVER is not a valid variable
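The check suggested in the replies, as an added example that is not part of the thread and not LibreChat code: it flags the missing and misnamed domain variables in a constructed copy of the posted settings, and shows how an unset client domain, stringified and resolved relative to the callback URL, produces the reported path. That the post-login redirect target is taken from DOMAIN_CLIENT is an assumption; `sampleEnv`, `KNOWN_MISNAMES`, `checkDomainEnv` and `postLoginLocation` are hypothetical names.

```javascript
// Added example, not LibreChat code. Sample values are constructed from the post.
const sampleEnv = {
  DOMAIN_SERVER: 'https://domain.com',
  CLIENT_SERVER: 'https://domain.com', // name used in the posted values.yaml
  OPENID_ISSUER: 'https://domain.com/auth/realms/realm1',
  OPENID_CALLBACK_URL: '/oauth/openid/callback',
};

// Variables the reply says to check.
const REQUIRED_DOMAINS = ['DOMAIN_CLIENT', 'DOMAIN_SERVER'];
// Name the thread calls invalid, mapped to the probably intended one (assumption).
const KNOWN_MISNAMES = { CLIENT_SERVER: 'DOMAIN_CLIENT' };

// Returns a list of human-readable findings; an empty list means no issue found.
function checkDomainEnv(env) {
  const findings = [];
  for (const name of REQUIRED_DOMAINS) {
    const value = env[name];
    if (!value) {
      findings.push(`${name} is not set`);
      continue;
    }
    try {
      new URL(value); // throws unless the value is an absolute URL
    } catch {
      findings.push(`${name} is not an absolute URL`);
    }
  }
  for (const [bad, good] of Object.entries(KNOWN_MISNAMES)) {
    if (bad in env) {
      findings.push(`${bad} is not a valid variable; did you mean ${good}?`);
    }
  }
  return findings;
}

// Assumption: after the callback the browser is redirected to the DOMAIN_CLIENT
// value. An unset value stringifies to "undefined", which is then resolved as a
// relative reference against the callback URL, replacing its last path segment.
function postLoginLocation(env) {
  const callback = new URL(env.OPENID_CALLBACK_URL, env.DOMAIN_SERVER);
  return new URL(String(env.DOMAIN_CLIENT), callback).pathname;
}
```

Running `checkDomainEnv(process.env)` at container start, before the OpenID strategy is configured, surfaces the problem in the startup log instead of as a 404 after a successful login.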