AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' with SharePoint File Picker (v0.8.4) #12525
Replies: 3 comments 4 replies
This was already fixed here. What is your openid config? Are you using OPENID_REUSE_TOKENS?
Yes, I do have this setting enabled: OPENID_REUSE_TOKENS: true, along with
What is the full configuration for your Entra ID app registration, specifically regarding permissions and the setup for the OBO flow? It seems like ensuring the proper access_as_user delegated permission is essential. Also, could you provide the complete configuration for
What happened?
After upgrading to v0.8.4 and enabling the SharePoint File Picker feature, we encounter the following Azure AD error when attempting to use the picker:
This error occurs during the On-Behalf-Of (OBO) token exchange flow when LibreChat tries to acquire a SharePoint/Graph token using the user's id_token.
Version Information
v0.8.4
Steps to Reproduce
Configure the following environment variables to enable SharePoint File Picker:
Log in via OpenID Connect (Entra ID / Azure AD)
Attempt to open the SharePoint File Picker in the chat UI
Expected Behavior
The SharePoint File Picker opens and allows the user to browse/select files from SharePoint.
Actual Behavior
The OBO token exchange fails with:
Root Cause
Azure AD's OBO flow requires an access token, not an id_token, as the assertion. If LibreChat is forwarding the id_token instead of the access_token in the OBO grant, Azure AD will reject it with this error.
The Entra ID app registration may also need:
access_as_user delegated permission or the app needs to be configured to accept OBO flows
The id_token must not be used as the bearer assertion — only access_token is valid
What browsers are you seeing the problem on?
No response
Relevant log output
{"cause":{"correlation_id":"29e34110-02a4-4504-826c-e5e6952001da","error":"invalid_request","error_codes":[240002],"error_description":"AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant.
Screenshots
No response
Code of Conduct
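As an added example (not LibreChat's code, and not written by the reporter or the commenters above), the following Python sketch shows the shape of the On-Behalf-Of request that the Root Cause section describes, together with a pre-flight check that refuses to forward an id_token as the `assertion`. The form parameters (`grant_type`, `assertion`, `requested_token_use`, `scope`) are the Microsoft identity platform OBO parameters; the token classification heuristic (a `scp` or `roles` claim marks an access token, a `nonce` claim marks an id_token), the placeholder client id, and both sample tokens are assumptions constructed for the demo and are not taken from the report.

```python
"""Pre-flight check before an Entra ID On-Behalf-Of (OBO) token exchange.

Added example, not LibreChat code. The OBO grant's `assertion` must be the
access token the client received for this API (e.g. with the access_as_user
scope), never the user's id_token; sending the id_token is what produces
AADSTS240002. The helper below inspects the JWT payload (no signature check:
this is shape inspection only, Entra ID does the real validation) and refuses
to build the OBO request when the token looks like an id_token.
"""
import base64
import json
from urllib.parse import urlencode

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Placeholder app registration id (assumption, not a real tenant value).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(token: str) -> str:
    """Heuristic (assumption, not an official rule): delegated access tokens
    carry `scp`, app-only tokens carry `roles`; an id_token carries neither
    and usually a `nonce` from the OpenID Connect authorization request."""
    claims = decode_jwt_payload(token)
    if "scp" in claims or "roles" in claims:
        return "access_token"
    if "nonce" in claims:
        return "id_token"
    return "unknown"


def can_use_as_obo_assertion(token: str) -> bool:
    """True only for tokens that look like access tokens."""
    return classify_token(token) == "access_token"


def build_obo_request(assertion: str, client_id: str, client_secret: str,
                      scope: str = GRAPH_SCOPE) -> str:
    """Build the x-www-form-urlencoded body for the OBO token request.
    Raises if the caller passes an id_token, which Entra ID would reject."""
    if not can_use_as_obo_assertion(assertion):
        raise ValueError(
            f"OBO assertion must be an access token, got {classify_token(assertion)}")
    return urlencode({
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": assertion,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    })


def _constructed_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the demo (constructed sample, no real key;
    the signature segment is a placeholder and is never verified)."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{b64(header)}.{b64(claims)}.{b64({'sig': 'placeholder'})}"


# Constructed sample tokens: an id_token for our app and a delegated access
# token for our API carrying the access_as_user scope named in the thread.
SAMPLE_ID_TOKEN = _constructed_jwt(
    {"aud": CLIENT_ID, "sub": "user-1", "nonce": "n-abc123", "name": "Demo User"})
SAMPLE_ACCESS_TOKEN = _constructed_jwt(
    {"aud": f"api://{CLIENT_ID}", "sub": "user-1", "scp": "access_as_user"})


if __name__ == "__main__":
    print("id_token usable as OBO assertion?", can_use_as_obo_assertion(SAMPLE_ID_TOKEN))
    print("access token usable as OBO assertion?", can_use_as_obo_assertion(SAMPLE_ACCESS_TOKEN))
    print(build_obo_request(SAMPLE_ACCESS_TOKEN, CLIENT_ID, "<client-secret-placeholder>"))
```

The check is deliberately a guard against the wrong input shape, not a substitute for validation: the middle tier should still validate the inbound access token's signature, issuer and audience before using it, and Entra ID performs its own checks on the assertion during the exchange.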