What happened?
After upgrading to v0.8.4 and enabling the SharePoint File Picker feature, we encounter the following Azure AD error when attempting to use the picker:
This error occurs during the On-Behalf-Of (OBO) token exchange flow when LibreChat tries to acquire a SharePoint/Graph token using the user's id_token.
Version Information
v0.8.4
Steps to Reproduce
Configure the following environment variables to enable SharePoint File Picker:
Log in via OpenID Connect (Entra ID / Azure AD)
Attempt to open the SharePoint File Picker in the chat UI
Expected Behavior
The SharePoint File Picker opens and allows the user to browse/select files from SharePoint.
Actual Behavior
The OBO token exchange fails with:
Root Cause
Azure AD's OBO flow requires an access token, not an id_token, as the assertion. If LibreChat is forwarding the id_token instead of the access_token in the OBO grant, Azure AD will reject it with this error.
The Entra ID app registration may also need:
access_as_user delegated permission or the app needs to be configured to accept OBO flows
The id_token must not be used as the bearer assertion — only access_token is valid
What browsers are you seeing the problem on?
No response
Relevant log output
{"cause":{"correlation_id":"29e34110-02a4-4504-826c-e5e6952001da","error":"invalid_request","error_codes":[240002],"error_description":"AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant.
Screenshots
No response
Code of Conduct
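A pre-flight check for the distinction described under Root Cause, as an added example that is not LibreChat's code or part of the original report: it inspects the token's claims before building the OBO request and refuses an id_token. `CLIENT_ID`, the function names and the sample tokens are constructed; the check assumes delegated access tokens carry an `scp` claim, id_tokens do not, and the app's audience is its client ID or `api://<client ID>`.

```javascript
// Added example (not LibreChat code). CLIENT_ID and the sample tokens are constructed.
const CLIENT_ID = '11111111-2222-3333-4444-555555555555'; // hypothetical app registration

// Decode the JWT payload WITHOUT verifying the signature: this is a routing
// check before the OBO call, not authentication.
function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns null when the token looks usable as an OBO assertion, else a reason.
function oboAssertionProblem(jwt, clientId = CLIENT_ID) {
  let claims;
  try { claims = decodePayload(jwt); } catch (e) { return `undecodable: ${e.message}`; }
  // Assumption: the middle-tier app's audience is its client ID or api://<client ID>.
  const audiences = [clientId, `api://${clientId}`];
  if (!audiences.includes(claims.aud)) return `audience ${claims.aud} is not this app`;
  // Assumption: delegated access tokens carry `scp`; id_tokens do not.
  if (typeof claims.scp !== 'string' || claims.scp.length === 0) {
    return 'no scp claim: looks like an id_token, not an access token';
  }
  return null;
}

// Form body for the OBO grant (Microsoft identity platform parameter names).
function buildOboBody(accessToken, clientSecret, scope) {
  const problem = oboAssertionProblem(accessToken);
  if (problem) throw new Error(`refusing OBO exchange: ${problem}`);
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: CLIENT_ID,
    client_secret: clientSecret,
    assertion: accessToken,
    scope,
    requested_token_use: 'on_behalf_of',
  });
}

// Constructed, unsigned sample tokens (header.payload.signature).
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const fakeJwt = (claims) => `${enc({ alg: 'none' })}.${enc(claims)}.sig`;
const idToken = fakeJwt({ aud: CLIENT_ID, nonce: 'abc', name: 'Sample User' });
const accessToken = fakeJwt({ aud: `api://${CLIENT_ID}`, scp: 'access_as_user' });
const graphToken = fakeJwt({ aud: 'https://graph.microsoft.com', scp: 'User.Read' });
```

A token issued for Graph (`graphToken`) is rejected as well, because its audience is not the app performing the exchange.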