Skip to content

Commit 1330e9d

Browse files
authored
🧭 docs: Clarify SharePoint OBO Setup (#569)
1 parent 257c309 commit 1330e9d

3 files changed

Lines changed: 70 additions & 8 deletions

File tree

content/docs/configuration/authentication/OAuth2-OIDC/azure.mdx

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -132,6 +132,7 @@ LibreChat can integrate with SharePoint Online and OneDrive for Business, allowi
132132

133133
1. All requirements from [Token Reuse](#advanced-token-reuse) must be met
134134
2. Your Azure app registration needs additional SharePoint permissions
135+
3. Your Azure app registration must expose and grant a LibreChat API scope, such as `api://<client-id>/access_as_user`
135136

136137
### Adding SharePoint Permissions
137138

@@ -153,7 +154,14 @@ LibreChat can integrate with SharePoint Online and OneDrive for Business, allowi
153154

154155
### Configuration
155156

157+
Before enabling the SharePoint variables, make sure the OpenID token reuse configuration requests the LibreChat app API scope. This gives Azure an app-audience access token that can be used as the on-behalf-of assertion for SharePoint and Graph token exchange.
158+
156159
```bash filename=".env"
160+
# OpenID token reuse and OBO-compatible audience
161+
OPENID_REUSE_TOKENS=true
162+
OPENID_SCOPE=openid profile email offline_access api://<client-id>/access_as_user
163+
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true
164+
157165
# Enable SharePoint file picker
158166
ENABLE_SHAREPOINT_FILEPICKER=true
159167

@@ -180,4 +188,3 @@ The SharePoint integration respects all existing SharePoint permissions. Users c
180188
</Callout>
181189

182190
For detailed troubleshooting and advanced configuration, see: [SharePoint Integration Guide](/docs/configuration/sharepoint)
183-

content/docs/configuration/dotenv.mdx

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1110,7 +1110,10 @@ LibreChat supports direct integration with SharePoint Online and OneDrive for Bu
11101110
**All of the following must be configured for SharePoint integration to work:**
11111111
- Azure Entra ID authentication must be fully configured
11121112
- **`OPENID_REUSE_TOKENS=true`** is mandatory (uses on-behalf-of token flow)
1113+
- `OPENID_SCOPE` must include your LibreChat app API scope, for example `api://<client-id>/access_as_user`
1114+
- `OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true` is required when using that app-audience scope with Azure Entra ID
11131115
- Your Azure app registration must have SharePoint and Graph API permissions
1116+
- Your Azure app registration must expose the LibreChat API scope used in `OPENID_SCOPE`
11141117
- All four SharePoint environment variables must be set
11151118
- HTTPS is required in production environments
11161119
</Callout>

content/docs/configuration/sharepoint.mdx

Lines changed: 59 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -25,8 +25,9 @@ Before configuring SharePoint integration, ensure you have:
2525

2626
1. **Azure Entra ID Authentication** configured and working
2727
2. **Token Reuse** enabled (`OPENID_REUSE_TOKENS=true`)
28-
3. **Admin access** to your Azure tenant for app permissions
29-
4. **HTTPS** enabled (required for production environments)
28+
3. **An exposed API scope** for LibreChat, such as `api://<client-id>/access_as_user`
29+
4. **Admin access** to your Azure tenant for app permissions
30+
5. **HTTPS** enabled (required for production environments)
3031

3132
<Callout type="error" title="Critical Requirement">
3233
SharePoint integration will not function without `OPENID_REUSE_TOKENS=true` as it relies on the on-behalf-of token flow to access Microsoft Graph APIs.
@@ -40,7 +41,33 @@ SharePoint integration will not function without `OPENID_REUSE_TOKENS=true` as i
4041
2. Go to **API permissions** in the left menu
4142
3. Click **Add a permission**
4243

43-
### Step 2: Add SharePoint Permissions
44+
### Step 2: Expose and Grant a LibreChat API Scope
45+
46+
The on-behalf-of flow needs the initial OpenID access token to target your LibreChat app API, not Microsoft Graph. Expose an API scope so Azure can issue a token with LibreChat as the audience.
47+
48+
1. Go to **Expose an API** in the left menu
49+
2. Set the **Application ID URI** to `api://<client-id>` if it is not already configured
50+
3. Click **Add a scope**
51+
4. Name the scope `access_as_user`
52+
5. Save the scope, then copy the full scope value:
53+
54+
```text
55+
api://<client-id>/access_as_user
56+
```
57+
58+
Then grant that scope to the app registration:
59+
60+
1. Go back to **API permissions**
61+
2. Click **Add a permission**
62+
3. Select **APIs my organization uses**
63+
4. Search for and select your LibreChat app registration
64+
5. Choose **Delegated permissions**
65+
6. Select `access_as_user`
66+
7. Click **Add permissions**
67+
68+
Use the full `api://<client-id>/access_as_user` scope value in `OPENID_SCOPE` later in this guide.
69+
70+
### Step 3: Add SharePoint Permissions
4471

4572
For the file picker interface:
4673

@@ -50,7 +77,7 @@ For the file picker interface:
5077
- `AllSites.Read` - Read items in all site collections
5178
4. Click **Add permissions**
5279

53-
### Step 3: Add Microsoft Graph Permissions
80+
### Step 4: Add Microsoft Graph Permissions
5481

5582
For file downloads:
5683

@@ -61,9 +88,9 @@ For file downloads:
6188
- `Files.Read.All` - Read all files that user can access
6289
5. Click **Add permissions**
6390

64-
### Step 4: Grant Admin Consent
91+
### Step 5: Grant Admin Consent
6592

66-
1. After adding both permissions, you'll see them listed
93+
1. After adding the permissions, you'll see them listed
6794
2. Click **Grant admin consent for [Your Organization]**
6895
3. Confirm the consent in the popup
6996

@@ -73,12 +100,18 @@ Your permissions should look like this:
73100
|------------------------|------|-------------|---------|
74101
| Microsoft Graph - Files.Read.All | Delegated | Read all files that user can access | ✅ Granted |
75102
| SharePoint - AllSites.Read | Delegated | Read items in all site collections | ✅ Granted |
103+
| LibreChat - access_as_user | Delegated | Allow LibreChat to receive an OBO-compatible token | ✅ Granted |
76104

77105
## Environment Configuration
78106

79107
Add the following environment variables to your `.env` file:
80108

81109
```bash filename=".env"
110+
# OpenID token reuse and OBO-compatible audience
111+
OPENID_REUSE_TOKENS=true
112+
OPENID_SCOPE=openid profile email offline_access api://<client-id>/access_as_user
113+
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true
114+
82115
# Enable SharePoint file picker
83116
ENABLE_SHAREPOINT_FILEPICKER=true
84117

@@ -98,6 +131,14 @@ SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
98131
Ensure you replace `contoso` in the examples above with your actual SharePoint tenant name. This must match your SharePoint URL exactly.
99132
</Callout>
100133

134+
<Callout type="warning" title="OpenID Scope Audience">
135+
Replace `<client-id>` with your Azure app registration's Application (client) ID. The `api://<client-id>/access_as_user` scope gives Azure an app-specific audience for the OBO assertion. If `OPENID_SCOPE` only includes standard OpenID scopes, Azure may issue a Graph-audience access token that cannot be exchanged again for SharePoint or Graph access.
136+
</Callout>
137+
138+
<Callout type="info" title="Userinfo Token Exchange">
139+
`OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true` lets LibreChat exchange the app-audience access token for a userinfo-compatible token before calling the OpenID userinfo endpoint. This is required for Azure Entra ID setups where the `OPENID_SCOPE` includes the LibreChat API scope above.
140+
</Callout>
141+
101142
## How It Works
102143

103144
### Authentication Flow
@@ -183,7 +224,18 @@ When properly configured, users will see a new option in the file attachment men
183224
1. Verify SharePoint permissions are granted in Azure
184225
2. Ensure admin consent was provided
185226
3. Check that `SHAREPOINT_BASE_URL` matches your tenant exactly
186-
4. Confirm HTTPS is enabled in production
227+
4. Confirm `SHAREPOINT_PICKER_SHAREPOINT_SCOPE` uses the full tenant URL, such as `https://contoso.sharepoint.com/AllSites.Read`
228+
5. Confirm HTTPS is enabled in production
229+
230+
#### File picker opens to a blank white page
231+
232+
**Cause**: Azure may be rejecting the on-behalf-of exchange because the OpenID access token has the wrong audience, or because the userinfo token exchange is not enabled.
233+
234+
**Solutions**:
235+
1. Confirm your Azure app registration has an exposed API scope, such as `api://<client-id>/access_as_user`
236+
2. Add that full scope to `OPENID_SCOPE`
237+
3. Set `OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true`
238+
4. Restart LibreChat and sign in again so Azure issues fresh OpenID tokens
187239

188240
#### Downloads fail or timeout
189241

0 commit comments

Comments
 (0)