You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/docs/configuration/authentication/OAuth2-OIDC/azure.mdx
+8-1Lines changed: 8 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -132,6 +132,7 @@ LibreChat can integrate with SharePoint Online and OneDrive for Business, allowi
132
132
133
133
1. All requirements from [Token Reuse](#advanced-token-reuse) must be met
134
134
2. Your Azure app registration needs additional SharePoint permissions
135
+
3. Your Azure app registration must expose and grant a LibreChat API scope, such as `api://<client-id>/access_as_user`
135
136
136
137
### Adding SharePoint Permissions
137
138
@@ -153,7 +154,14 @@ LibreChat can integrate with SharePoint Online and OneDrive for Business, allowi
153
154
154
155
### Configuration
155
156
157
+
Before enabling the SharePoint variables, make sure the OpenID token reuse configuration requests the LibreChat app API scope. This gives Azure an app-audience access token that can be used as the on-behalf-of assertion for SharePoint and Graph token exchange.
3.**Admin access** to your Azure tenant for app permissions
29
-
4.**HTTPS** enabled (required for production environments)
28
+
3.**An exposed API scope** for LibreChat, such as `api://<client-id>/access_as_user`
29
+
4.**Admin access** to your Azure tenant for app permissions
30
+
5.**HTTPS** enabled (required for production environments)
30
31
31
32
<Callouttype="error"title="Critical Requirement">
32
33
SharePoint integration will not function without `OPENID_REUSE_TOKENS=true` as it relies on the on-behalf-of token flow to access Microsoft Graph APIs.
@@ -40,7 +41,33 @@ SharePoint integration will not function without `OPENID_REUSE_TOKENS=true` as i
40
41
2. Go to **API permissions** in the left menu
41
42
3. Click **Add a permission**
42
43
43
-
### Step 2: Add SharePoint Permissions
44
+
### Step 2: Expose and Grant a LibreChat API Scope
45
+
46
+
The on-behalf-of flow needs the initial OpenID access token to target your LibreChat app API, not Microsoft Graph. Expose an API scope so Azure can issue a token with LibreChat as the audience.
47
+
48
+
1. Go to **Expose an API** in the left menu
49
+
2. Set the **Application ID URI** to `api://<client-id>` if it is not already configured
50
+
3. Click **Add a scope**
51
+
4. Name the scope `access_as_user`
52
+
5. Save the scope, then copy the full scope value:
53
+
54
+
```text
55
+
api://<client-id>/access_as_user
56
+
```
57
+
58
+
Then grant that scope to the app registration:
59
+
60
+
1. Go back to **API permissions**
61
+
2. Click **Add a permission**
62
+
3. Select **APIs my organization uses**
63
+
4. Search for and select your LibreChat app registration
64
+
5. Choose **Delegated permissions**
65
+
6. Select `access_as_user`
66
+
7. Click **Add permissions**
67
+
68
+
Use the full `api://<client-id>/access_as_user` scope value in `OPENID_SCOPE` later in this guide.
69
+
70
+
### Step 3: Add SharePoint Permissions
44
71
45
72
For the file picker interface:
46
73
@@ -50,7 +77,7 @@ For the file picker interface:
50
77
-`AllSites.Read` - Read items in all site collections
51
78
4. Click **Add permissions**
52
79
53
-
### Step 3: Add Microsoft Graph Permissions
80
+
### Step 4: Add Microsoft Graph Permissions
54
81
55
82
For file downloads:
56
83
@@ -61,9 +88,9 @@ For file downloads:
61
88
-`Files.Read.All` - Read all files that user can access
62
89
5. Click **Add permissions**
63
90
64
-
### Step 4: Grant Admin Consent
91
+
### Step 5: Grant Admin Consent
65
92
66
-
1. After adding both permissions, you'll see them listed
93
+
1. After adding the permissions, you'll see them listed
67
94
2. Click **Grant admin consent for [Your Organization]**
68
95
3. Confirm the consent in the popup
69
96
@@ -73,12 +100,18 @@ Your permissions should look like this:
Replace `<client-id>` with your Azure app registration's Application (client) ID. The `api://<client-id>/access_as_user` scope gives Azure an app-specific audience for the OBO assertion. If `OPENID_SCOPE` only includes standard OpenID scopes, Azure may issue a Graph-audience access token that cannot be exchanged again for SharePoint or Graph access.
`OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true` lets LibreChat exchange the app-audience access token for a userinfo-compatible token before calling the OpenID userinfo endpoint. This is required for Azure Entra ID setups where the `OPENID_SCOPE` includes the LibreChat API scope above.
140
+
</Callout>
141
+
101
142
## How It Works
102
143
103
144
### Authentication Flow
@@ -183,7 +224,18 @@ When properly configured, users will see a new option in the file attachment men
183
224
1. Verify SharePoint permissions are granted in Azure
184
225
2. Ensure admin consent was provided
185
226
3. Check that `SHAREPOINT_BASE_URL` matches your tenant exactly
186
-
4. Confirm HTTPS is enabled in production
227
+
4. Confirm `SHAREPOINT_PICKER_SHAREPOINT_SCOPE` uses the full tenant URL, such as `https://contoso.sharepoint.com/AllSites.Read`
228
+
5. Confirm HTTPS is enabled in production
229
+
230
+
#### File picker opens to a blank white page
231
+
232
+
**Cause**: Azure may be rejecting the on-behalf-of exchange because the OpenID access token has the wrong audience, or because the userinfo token exchange is not enabled.
233
+
234
+
**Solutions**:
235
+
1. Confirm your Azure app registration has an exposed API scope, such as `api://<client-id>/access_as_user`
236
+
2. Add that full scope to `OPENID_SCOPE`
237
+
3. Set `OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true`
238
+
4. Restart LibreChat and sign in again so Azure issues fresh OpenID tokens
0 commit comments