[Bug]: Azure SSO with OpenId for Nginx and Librechat

[trevenen]

What happened?

Azure SSO issues = "This site can't provide a secure connection"
subdomain.domain.ext sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Steps to Reproduce

git clone https://github.com/danny-avila/LibreChat.git
sudo dnf install docker.io && dnf install docker compose -y
cd LibreChat
vim client/nginx.conf (edits for ssl certs removed listen 80;)
vim Dockerfile.multi (adding lines for certs to be copied in the right places)
cp .env.example .env
vim .env
(changes for SSO and domain name.)
mv deploy-compose.yaml docker-compose.yaml
docker compose build
docker-compose up -d

changes to .env file.
HOST=subdomain.domain.ext
PORT=3080

DOMAIN_CLIENT=https://subdomain.domain.ext:3080
DOMAIN_SERVER=https://subdomain.domain.ext:3080

UID=1000
GID=1000

ALLOW_SOCIAL_LOGIN=true

OpenId

OPENID_CLIENT_ID=xxxxx # Correct Validated
OPENID_CLIENT_SECRET=xxxxx # Correct Validated
OPENID_ISSUER=https://login.microsoftonline.com/xxxxxx......xxx/v2.0/
OPENID_SESSION_SECRET=xxxxxxx
OPENID_SCOPE="openid profile email". # The one I used didn't have quotes. I have added quotes and tested and it still does work.
OPENID_CALLBACK_URL=/oauth/openid/callback

OPENID_BUTTON_LABEL=Azure SSO
OPENID_IMAGE_URL=azure.png

edits to Dockerfile.multi
COPY ./client/chat.key /etc/nginx/ssl/chat.key
COPY ./client/chat.crt /etc/nginx/ssl/chat.crt

additions to client/nginx.conf
listen 443 ssl;

ssl_certificate /etc/nginx/ssl/chat.crt;
ss_certificate_key /etc/nginx/ssl/chat.key;

The logs show me hitting the endpoints, and I am am also able to create accounts via the signup page and login, I am just not able to use SSO.

What browsers are you seeing the problem on?

No response

Relevant log output

docker ps
CONTAINER ID   IMAGE                                          COMMAND                  CREATED          STATUS          PORTS                                                                      NAMES
92f972f28edc   librechat-client                               "/docker-entrypoint.…"   19 minutes ago   Up 19 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   LibreChat-NGINX
8604f66ad63d   ghcr.io/danny-avila/librechat-dev-api:latest   "docker-entrypoint.s…"   19 minutes ago   Up 19 minutes   0.0.0.0:3080->3080/tcp, :::3080->3080/tcp                                  LibreChat-API
9a2188b283f8   getmeili/meilisearch:v1.0                      "tini -- /bin/sh -c …"   19 minutes ago   Up 19 minutes   7700/tcp                                                                   chat-meilisearch
a6037867cc1d   mongo 


docker logs 92f972f28edc (librechat-client) 
" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
$IP_ADDRESS - - [17/Dec/2023:01:08:14 +0000] "GET /api/config HTTP/1.1" 304 0 "https://subdomain.domain.ext/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"


From my Browser 
This site can't provide a secure connection
subdomain.domain.ext sent an invalid response. 
ERR_SSL_PROTOCOL_ERROR
  


### Code of Conduct

- [X] I agree to follow this project's Code of Conduct

[danny-avila]

Hi, thanks for the report. I've tested Azure through OpenID before and it was working last I checked. I will have to set it up again to double-check, but I'm leaning toward something with your network or the OpenID setup on the Azure end.

Did you follow this guide? https://docs.librechat.ai/install/user_auth_system.html#openid-authentication-with-azure-ad

When I go to join Discord I get an error as well.

Again this might be a network issue, it's working on my end: https://discord.librechat.ai

[trevenen]

Yes I did follow -https://docs.librechat.ai/install/user_auth_system.html#openid-authentication-with-azure-ad. I am using a domain that is secured with tls. When switching to localhost I still get errors. Is there a way to work around using localhost as it doesn't work for my application?

Is there a way to ensure this works without localhost?

I was able to get Discord working as well and just joined.

[trevenen]

The fix for this is to remove the ports:

DOMAIN_CLIENT=https://subdomain.domain.ext
DOMAIN_SERVER=https://subdomain.domain.ext

for those using deploy-compose.yaml this is the way.