Code / Tracked since May 19, 2026

Add OBO single-sign-on flow for LibreChat MCP server auth

LibreChat introduced OAuth 2.0 On-Behalf-Of (OBO) support for MCP server connections, so OIDC-authenticated users can access protected MCP servers using their existing identity without starting a separate OAuth redirect flow for each server.

LibreChat / OAuth 2.0 OBO / MCP / openid-client

What Happened

  • LibreChat introduced OAuth 2.0 On-Behalf-Of (OBO) support for MCP server connections, so OIDC-authenticated users can access protected MCP servers using their existing identity without starting a separate OAuth redirect flow for each server.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

The change implemented an `OboTokenService` that centralizes OBO token exchange logic, with `GraphTokenService` now delegating to it; added a `resolveOboToken` validation/exchange flow in `packages/api`; added OBO configuration (`obo.scopes`) in both YAML and UI; and switched MCP tool calls to use refreshed, OBO-derived tokens via headers, with an explicit error on exchange failure.
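The exchange, cache-freshness and fail-closed steps summarized above, as an added example that is not LibreChat's code. It assumes an IdP that accepts the Microsoft identity platform style jwt-bearer OBO request; the function names and the `Authorization: Bearer` header are illustrative assumptions.

```javascript
// Added example; not LibreChat code. Parameter names follow the Microsoft
// identity platform OBO request; other IdPs may differ or lack this grant.
const JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer';

// Build the form body for the exchange. Fails closed on empty scopes, the
// misconfiguration that would otherwise surface as an opaque IdP error.
function buildOboRequest({ clientId, clientSecret, userToken, scopes }) {
  if (!userToken) throw new Error('OBO: no user token to exchange');
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error('OBO: obo.scopes is empty');
  }
  return new URLSearchParams({
    grant_type: JWT_BEARER,
    client_id: clientId,
    client_secret: clientSecret,
    assertion: userToken,
    scope: scopes.join(' '),
    requested_token_use: 'on_behalf_of',
  }).toString();
}

// Turn the token endpoint's JSON into a cache entry, or throw. There is no
// fallback to the user's original token, which was not issued for the MCP server.
function parseOboResponse(status, json, nowMs) {
  if (status !== 200 || !json.access_token) {
    throw new Error(`OBO exchange failed: ${json.error || status}`);
  }
  const ttl = Number(json.expires_in);
  if (!Number.isFinite(ttl) || ttl <= 0) throw new Error('OBO: bad expires_in');
  return { token: json.access_token, expiresAtMs: nowMs + ttl * 1000 };
}

// Treat an entry as stale shortly before real expiry so a tool call never
// starts with a token that lapses mid-request.
function isFresh(entry, nowMs, skewMs = 60000) {
  return Boolean(entry) && entry.expiresAtMs - skewMs > nowMs;
}

// Header attached to the MCP request (header choice is an assumption).
function mcpAuthHeader(entry) {
  return { Authorization: `Bearer ${entry.token}` };
}
```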

Why Track This

Why It Matters

Users of LibreChat authenticated with OpenID Connect can use MCP tool integrations without being prompted to re-login per MCP server. This reduces operational friction and should lower authentication-related support incidents for multi-server setups. Teams should monitor deployments where scopes or app registration settings are incomplete, since that can still break MCP access.


What To Watch Next

  • Watch whether LibreChat becomes a repeated pattern.
  • Track follow-up changes around Model Context Protocol.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: obo_scope_misconfiguration, idp_does_not_support_jwt_bearer_obo.
obo_scope_misconfiguration / idp_does_not_support_jwt_bearer_obo / obo_token_refresh_failure / token_cache_staleness / no_fallback_when_exchange_fails

Supporting Evidence