[Bug] Admin SSO PKCE issue still exists for Azure EntraID #79

@IlyyA

Description

What Happened?

When using Azure EntraID SSO to log in to an Admin Panel deployed via Helm chart in a Kubernetes cluster, alongside a deployed LibreChat instance, logging in with an Admin account returns a 401 page with minimal logs:

Authentication failed / Authorization code has expired. Please try again.

URL: /admin/auth/openid/callback

Expected Behaviour

Admin User should successfully be redirected after authenticating via Azure EntraID to the Admin Panel.

Actual Behaviour

401 page when attempting to use OpenID SSO with Azure EntraID

Version Information

Admin panel image:
ghcr.io/clickhouse/librechat-admin-panel latest fork (only to manually set VITE_BASE_PATH=/admin at docker build time)

LibreChat version 0.8.6

Steps to Reproduce

  1. Deploy LibreChat v0.8.6 with Azure EntraID configured
  2. Deploy the LibreChat Admin Panel (ghcr.io/clickhouse/librechat-admin-panel:latest)
    with ADMIN_SSO_ONLY=true, a valid SESSION_SECRET, and the variables listed below
  3. Set ADMIN_PANEL_URL on the LibreChat side to the admin panel's URL.
  4. Grant a user the ADMIN role in MongoDB:
    db.users.updateOne({ email: "user@example.com" }, { $set: { role: "ADMIN" } })
  5. Open the admin panel in a browser and click "Login with SSO" or have it attempt to auto-login if you are already logged in
  6. Complete the login successfully.
  7. Observe that the admin panel shows:
    "Authentication failed / Authorization code has expired. Please try again."

Relevant Logs

Here are the logs from the main LibreChat deployment:

2026-06-18 01:02:23 info: [openidStrategy] login success openidId: <obfuscated> | email: user@email.com | username: user@email.com
2026-06-18 01:02:23 warn: [admin/oauth/openid/callback] State present but no PKCE challenge found; PKCE will not be enforced for this request

Here is part of the deployment-admin-panel.yaml:

          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          env:
            - name: NODE_ENV
              value: "development"
            - name: SESSION_SECRET
              value: {{ .Values.adminPanel.sessionSecret | quote }}
            - name: SESSION_COOKIE_SECURE
              value: {{ .Values.adminPanel.cookie | quote }}
            - name: TRUST_PROXY
              value: "3"
            - name: ADMIN_SSO_ENABLED
              value: {{ .Values.adminPanel.sso | quote }}
            - name: ADMIN_SSO_ONLY
              value: {{ .Values.adminPanel.ssoOnly | quote }}
            - name: API_SERVER_URL
              value: {{ printf "https://%s" (index .Values.ingress.hosts 0).host | quote }}
            - name: VITE_API_BASE_URL
              value: {{ printf "https://%s" (index .Values.ingress.hosts 0).host | quote }}
            - name: VITE_BASE_PATH
              value: {{ .Values.adminPanel.path }}

Here is part of the values.yaml:

adminPanel:
  sso: true
  ssoOnly: true
  path: "/admin/"
  cookie: false
  deployment:
    enabled: true
  service:
    enabled: true
  ingress:
    enabled: true
  enabled: true
  sessionSecret: <secret>
.
.
.
librechat:
  adminPanelUrl: https://example.com/admin/
  SESSION_COOKIE_SECURE: "false"
  TRUST_PROXY: "3"
  configEnv:
    SESSION_COOKIE_SECURE: "false"
    TRUST_PROXY: "3"

Here are the redirect_uris set in my Azure App Registration:
https://example.com/oauth/openid/callback
https://example.com/api/admin/oauth/openid/callback
https://example.com/admin/auth/openid/callback
https://example.com/
