Tracked since May 19, 2026

Enable opt-in first-call OIDC user provisioning for remote agents

Adds a default-off flow in LibreChat remote-agent auth to resolve or create users from trusted remote OIDC claims on first call, with optional userinfo profile enrichment and Entra group sync, plus helper components for later browser OIDC reuse.

Tags: LibreChat remote agent, OIDC, JWKS, openidAccount

What Happened

  • Adds a default-off flow in LibreChat remote-agent auth to resolve or create users from trusted remote OIDC claims on first call, with optional userinfo profile enrichment and Entra group sync, plus helper components for later browser OIDC reuse.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Introduces remote-agent OIDC user provisioning that is disabled by default. When enabled, it links or creates users from trusted claims, optionally syncs profile fields via userinfo, and syncs Entra groups for users created on that call. Tenant context is enforced before any user mutation, and token access that cannot be resolved to a user is routed through a dedicated federated reconciliation path instead of a generic fallback.

Why Track This

Why It Matters

Operators integrating remote agents with OIDC can enable automatic first-call account onboarding and avoid both manual user setup and silent identity fallback. They should monitor cache-driven profile freshness and the sync scope settings, because stale cached data or misconfigured claims can leave users with incorrect roles or metadata. The PR also hardens the auth path so that a trusted token that cannot be resolved to a user no longer degrades to API-key identity, and it adds shared OpenID primitives (`openidAccount`, `openidUserInfo`, `entraGroupSync`) intended for later browser login integration.
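The decision order the page describes (tenant context enforced before any mutation, linking on trusted claims, default-off provisioning, no fallback to API-key identity, userinfo enrichment behind a cache whose TTL bounds staleness, Entra group sync only for newly created users) as an added Node.js example. This is not LibreChat's code and does not use the PR's `openidAccount`, `openidUserInfo` or `entraGroupSync` helpers; every function, store, config key and claim value below is hypothetical, and the token is assumed to have already been verified against the issuer's JWKS upstream.

```javascript
// Added example, not LibreChat's code: a first-call provisioning decision for a
// remote-agent request whose OIDC token was ALREADY verified upstream (signature
// against the issuer's JWKS, iss/aud/exp). Every name here is hypothetical.

// Constructed in-memory user store standing in for the real database.
class UserStore {
  constructor() { this.users = new Map(); }
  key(iss, sub) { return `${iss}|${sub}`; }
  findByIssuerSubject(iss, sub) { return this.users.get(this.key(iss, sub)) || null; }
  create(user) { this.users.set(this.key(user.iss, user.sub), user); return user; }
}

// Resolve an existing user, or create one when provisioning is enabled.
// Returns { status, user, reason } with status 'resolved' | 'created' | 'rejected'.
// An unresolved trusted token is an explicit rejection, never an API-key identity.
function resolveOrProvisionUser(claims, store, config) {
  // Tenant context is checked first, before any lookup that could lead to a mutation.
  if (config.requiredTenantId && claims.tid !== config.requiredTenantId) {
    return { status: 'rejected', user: null, reason: 'tenant_mismatch' };
  }
  // Link on the stable (iss, sub) pair; email can be reassigned and is not an identity key.
  const existing = store.findByIssuerSubject(claims.iss, claims.sub);
  if (existing) return { status: 'resolved', user: existing, reason: null };
  // Default-off: an unknown subject is rejected rather than silently mapped elsewhere.
  if (!config.provisionOnFirstCall) {
    return { status: 'rejected', user: null, reason: 'provisioning_disabled' };
  }
  const user = store.create({
    iss: claims.iss, sub: claims.sub, tid: claims.tid || null,
    email: claims.email || null, name: claims.name || null,
    groups: [], profileSyncedAt: 0,
  });
  return { status: 'created', user, reason: null };
}

// One first call end to end: resolve or provision, then sync Entra groups only for
// users created on this call. fetchGroups is injected so the example runs offline.
function handleFirstCall(claims, deps, config) {
  const result = resolveOrProvisionUser(claims, deps.store, config);
  if (result.status === 'created' && config.entraGroupSync) {
    result.user.groups = deps.fetchGroups(result.user);
  }
  return result;
}

// Optional userinfo enrichment behind a TTL cache. A fresh cache entry is reused,
// a stale one refetched; ttlMs is the staleness window operators must size.
function enrichProfile(user, fetchUserInfo, cache, ttlMs, now) {
  const key = `${user.iss}|${user.sub}`;
  const hit = cache.get(key);
  if (hit && now - hit.fetchedAt < ttlMs) {
    Object.assign(user, hit.profile);
    return { user, source: 'cache' };
  }
  const profile = fetchUserInfo(user); // would call the provider's userinfo endpoint
  cache.set(key, { profile, fetchedAt: now });
  Object.assign(user, profile);
  user.profileSyncedAt = now;
  return { user, source: 'userinfo' };
}

// Stand-alone demo on constructed claims; returns the sequence of outcomes.
function demo() {
  const store = new UserStore();
  const claims = { iss: 'https://login.example.test/v2.0', sub: 'abc-123',
                   tid: 'tenant-a', email: 'alice@example.test', name: 'Alice' };
  const deps = { store, fetchGroups: () => ['group-1'] };
  const off = { provisionOnFirstCall: false, requiredTenantId: 'tenant-a', entraGroupSync: true };
  const on = { ...off, provisionOnFirstCall: true };
  return [
    handleFirstCall(claims, deps, off).reason,                        // 'provisioning_disabled'
    handleFirstCall({ ...claims, tid: 'tenant-b' }, deps, on).reason, // 'tenant_mismatch'
    handleFirstCall(claims, deps, on).status,                         // 'created'
    handleFirstCall(claims, deps, on).status,                         // 'resolved'
  ];
}
```

The ordering is the point: the tenant check runs before the store is touched, so a mismatched `tid` can never create a record, and the disabled path returns a distinct rejection reason so a test suite that forgot to enable provisioning sees `provisioning_disabled` rather than a confusing identity failure. The cache TTL in `enrichProfile` is the knob behind the page's staleness flag: a long TTL keeps the userinfo endpoint quiet but delays role and profile corrections by up to that window.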

What To Watch Next

  • Watch whether the LibreChat remote-agent topic recurs in later signals.
  • Track follow-up changes around AI Governance and Compliance.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: `tenant_context_enforcement_blocking_legitimate_users`, `federated_auth_cache_ttl_staleness`, `userinfo_scope_or_network_latency_issues`, `entra_group_sync_permission_mismatch`, `default_off_behavior_leads_to_no_provisioning_in_tests`.

Supporting Evidence