diff --git a/.env.example b/.env.example
index 959f50a2d..bd212cc7b 100644
--- a/.env.example
+++ b/.env.example
@@ -316,6 +316,9 @@ OPENID_ISSUER=
 OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
+OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_TOKEN_KIND=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 7219f24ba..b6abd8f70 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const axios = require('axios');
 const passport = require('passport');
+const jwtDecode = require('jsonwebtoken/decode');
 const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
 const { logger } = require('~/config');
 const User = require('~/models/User');
@@ -44,7 +45,9 @@ async function setupOpenId() {
 client_secret: process.env.OPENID_CLIENT_SECRET,
 redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
 });
-
+ const requiredRole = process.env.OPENID_REQUIRED_ROLE;
+ const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
+ const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
 const openidLogin = new OpenIDStrategy(
 {
 client,
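Review bot: The three `process.env` reads added after `});` are stored without any consistency check, so a role restriction that is switched on by `OPENID_REQUIRED_ROLE` alone only fails later, inside the verify callback (next hunk), where an unrecognised `OPENID_REQUIRED_ROLE_TOKEN_KIND` or an unset `OPENID_REQUIRED_ROLE_PARAMETER_PATH` throws on every login attempt. Checking the trio once here surfaces the misconfiguration at startup instead: `if (requiredRole && (!requiredRoleParameterPath || !['access', 'id'].includes(requiredRoleTokenKind))) {` / `  throw new Error('OPENID_REQUIRED_ROLE also needs OPENID_REQUIRED_ROLE_PARAMETER_PATH and OPENID_REQUIRED_ROLE_TOKEN_KIND ("access" or "id")');` / `}`. How setupOpenId's caller treats a throw is outside the hunk, so reporting through the file's `logger` and returning before the strategy is registered may fit the file better, as long as a half-configured check never ends up registered. A one-line comment above the reads, `// All three must be set together; the check itself runs in the verify callback`, would also help the next reader. setupOpenId starts before and continues after this hunk.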
@@ -71,6 +74,36 @@ async function setupOpenId() {
 fullName = userinfo.username || userinfo.email;
 }
+ if (requiredRole) {
+ let decodedToken = '';
+ if (requiredRoleTokenKind === 'access') {
+ decodedToken = jwtDecode(tokenset.access_token);
+ } else if (requiredRoleTokenKind === 'id') {
+ decodedToken = jwtDecode(tokenset.id_token);
+ }
+ const pathParts = requiredRoleParameterPath.split('.');
+ let found = true;
+ let roles = pathParts.reduce((o, key) => {
+ if (o === null || o === undefined || !(key in o)) {
+ found = false;
+ return [];
+ }
+ return o[key];
+ }, decodedToken);
+
+ if (!found) {
+ console.error(
+ `Key '${requiredRoleParameterPath}' not found in ${requiredRoleTokenKind} token!`,
+ );
+ }
+
+ if (!roles.includes(requiredRole)) {
+ return done(null, false, {
+ message: `You must have the "${requiredRole}" role to log in.`,
+ });
+ }
+ }
+
 if (!user) {
 user = new User({
 provider: 'openid',
diff --git a/docs/install/configuration/OAuth2-and-OIDC/aws.md b/docs/install/configuration/OAuth2-and-OIDC/aws.md
new file mode 100644
index 000000000..8d3cc803d
--- /dev/null
+++ b/docs/install/configuration/OAuth2-and-OIDC/aws.md
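Review bot: `roles.includes(requiredRole)` near the end of the hunk runs on whatever value sits at the configured path, and the guard before it only checks that the path exists: a string claim is matched by `String.prototype.includes`, i.e. by substring, so any longer role name containing the configured value also passes, while an object or number claim has no `includes` and the verify callback throws. The fallback `decodedToken = ''` fails the same way a few lines earlier — `key in ''` is a TypeError — so an `OPENID_REQUIRED_ROLE_TOKEN_KIND` other than `access`/`id`, like an unset `OPENID_REQUIRED_ROLE_PARAMETER_PATH` (`.split` on `undefined`), crashes the callback instead of denying the login. Requiring `Array.isArray(roles)` and failing closed covers all of these, and the diagnostic should go through the file's `logger` (imported in the first hunk) rather than `console.error`; the rewrite below does that. `jwtDecode` reads the payload without checking the signature, which is defensible only because `tokenset` was fetched server-side by openid-client's token-endpoint exchange rather than taken from the request — worth a comment — and for the `id` kind `tokenset.claims()` (if the installed openid-client provides it) already exposes the validated ID-token payload. The enclosing verify callback starts and ends outside the hunk.

```javascript
      if (requiredRole) {
        // Payload decode only, no signature check: tokenset was fetched server-side by
        // openid-client's token-endpoint exchange, not taken from the incoming request.
        let decodedToken = null;
        if (requiredRoleTokenKind === 'access') {
          decodedToken = jwtDecode(tokenset.access_token);
        } else if (requiredRoleTokenKind === 'id') {
          decodedToken = jwtDecode(tokenset.id_token);
        }
        // Walk the dotted path; a missing key or a primitive on the way yields undefined.
        const roles = (requiredRoleParameterPath || '')
          .split('.')
          .reduce(
            (o, key) => (o !== null && typeof o === 'object' && key in o ? o[key] : undefined),
            decodedToken,
          );
        // Fail closed unless the claim is an array: a string would match by substring,
        // and a bad token kind or path must deny rather than throw.
        if (!Array.isArray(roles)) {
          logger.error(
            `Key '${requiredRoleParameterPath}' not found (or not an array) in ${requiredRoleTokenKind} token!`,
          );
        }
        if (!Array.isArray(roles) || !roles.includes(requiredRole)) {
          return done(null, false, {
            message: `You must have the "${requiredRole}" role to log in.`,
          });
        }
      }
      // … unchanged: user lookup / creation …
```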
@@ -0,0 +1,114 @@ +--- +title: AWS Cognito +description: Learn how to configure LibreChat to use AWS Cognito for user authentication. +weight: -7 +--- + +# AWS Cognito + +## Create a new User Pool in Cognito + +- Visit: **[https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito/)** +- Sign in as Root User +- Click on `Create user pool` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/e9b412c3-2cf1-4f54-998c-d1d6c12581a5) + +## Configure sign-in experience + +Your Cognito user pool sign-in options should include `User Name` and `Email`. + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/d2cf362d-469e-4993-8466-10282da114c2) + +## Configure Security Requirements + +You can configure the password requirements now if you desire + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/e125e8f1-961b-4a38-a6b7-ed1faf29c4a3) + +## Configure sign-up experience + +Choose the attributes required at signup. The minimum required is `name`. If you want to require users to use their full name at sign up use: `given_name` and `family_name` as required attributes. + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/558b8e2c-afbd-4dd1-87f3-c409463b5f7c) + +## Configure message delivery + +Send email with Cognito can be used for free for up to 50 emails a day + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/fcb2323b-708e-488c-9420-7eb482974648) + +## Integrate your app + +Select `Use Cognitio Hosted UI` and chose a domain name + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/111b3dd4-3b20-4e3e-80e1-7167d2ad0f62) + +Set the app type to `Confidential client` +Make sure `Generate a client secret` is set. 
+Set the `Allowed callback URLs` to `https://YOUR_DOMAIN/oauth/openid/callback` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/1f92a532-7c4d-4632-a55d-9d00bf77fc4d) + +Under `Advanced app client settings` make sure `Profile` is included in the `OpenID Connect scopes` (in the bottom) + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/5b035eae-4a8e-482c-abd5-29cee6502eeb) + +## Review and create +You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8b2374-9adb-4065-85dc-a087d625372d) + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/67efb1e9-dfe3-4ebd-9ebb-92186c514b5c) + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/9f819175-ace1-44b1-ba68-af21ac9f6735) + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/3e7b8b17-4e12-49af-99cf-78981d6331df) + +## Get your environment variables + +1. Open your User Pool + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/b658ff2a-d252-4f3d-90a7-9fbde42c01db) + +2. The `User Pool ID` and your AWS region will be used to construct the `OPENID_ISSUER` (see below) + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8ae403-cbff-4aae-9eee-42d7cf3485e7) +![image](https://github.com/danny-avila/LibreChat/assets/32828263/d606f5c8-c60b-4d20-bdb2-d0d69e49ea1e) + +3. Go to the `App Integrations` tab + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/58713bdc-24bc-47de-bdca-020dc321e997) + +4. Open the app client + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/271bf7d2-3df2-43a7-87fc-e50294e49b2e) + +5. 
Toggle `Show Client Secret` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/a844fe65-313d-4754-81b4-380336e0e336) + +- Use the `Client ID` for `OPENID_CLIENT_ID` + +- Use the `Client secret` for `OPENID_CLIENT_SECRET` + +- Generate a random string for the `OPENID_SESSION_SECRET` + +> The `OPENID_SCOPE` and `OPENID_CALLBACK_URL` are pre-configured with the correct values + +6. Open the `.env` file at the root of your LibreChat folder and add the following variables with the values you copied: + +```bash +DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain +DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain + +OPENID_CLIENT_ID=Your client ID +OPENID_CLIENT_SECRET=Your client secret +OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration +OPENID_SESSION_SECRET=Any random string +OPENID_SCOPE=openid profile email +OPENID_CALLBACK_URL=/oauth/openid/callback +``` +7. Save the .env file + +> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes diff --git a/docs/install/configuration/OAuth2-and-OIDC/azure.md b/docs/install/configuration/OAuth2-and-OIDC/azure.md new file mode 100644 index 000000000..bf6a637b0 --- /dev/null +++ b/docs/install/configuration/OAuth2-and-OIDC/azure.md 
@@ -0,0 +1,59 @@ +--- +title: Azure Entra +description: Learn how to configure LibreChat to use Azure Entra for user authentication. +weight: -6 +--- + +# OpenID with Azure Entra + +1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account. +2. In the search box, type "Azure Entra" and click on it. +3. On the left menu, click on App registrations and then on New registration. +4. Give your app a name and select Web as the platform type. +5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/2b1aabce-850e-4165-bf76-3c1984f10b6c) + +6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the +Directory (tenant) ID and save them somewhere. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/e67d5e97-e26d-48a5-aa6e-50de4450b1fd) + +7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit +grant and hybrid flows. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/88a16cbc-ff68-4b3a-ba7b-b380cc3d2366) + +8. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a +name and an expiration date and click on Add. You will see a Value column with your secret. Copy it and +save it somewhere. Don't share it with anyone! + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/31aa6cee-5402-4ce0-a950-1b7e147aafc8) + +9. If you want to restrict access by groups you should add the groups claim to the token. To do this, go to +Token configuration and click on Add group claim. Select the groups you want to include in the token and click on Add. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/c9d353f5-2cb2-4f00-b4f0-493cfec8fe9a) + +10. 
Open the .env file in your project folder and add the following variables with the values you copied: + +```bash +DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain +DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain + +OPENID_CLIENT_ID=Your Application (client) ID +OPENID_CLIENT_SECRET=Your client secret +OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/ +OPENID_SESSION_SECRET=Any random string +OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS +OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone + +# If you want to restrict access by groups +OPENID_REQUIRED_ROLE_TOKEN_KIND=id +OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles" +OPENID_REQUIRED_ROLE="Your Group Name" +``` +11. Save the .env file + +> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes + diff --git a/docs/install/configuration/OAuth2-and-OIDC/discord.md b/docs/install/configuration/OAuth2-and-OIDC/discord.md new file mode 100644 index 000000000..b0413c9d0 --- /dev/null +++ b/docs/install/configuration/OAuth2-and-OIDC/discord.md 
@@ -0,0 +1,49 @@ +--- +title: Discord +description: Learn how to configure LibreChat to use Discord for user authentication. +weight: -11 +--- + +# Discord + +## Create a new Discord Application + +- Go to **[Discord Developer Portal](https://discord.com/developers)** + +- Create a new Application and give it a name + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/7e7cdfa0-d1d6-4b6b-a8a9-905aaa40d135) + +## Discord Application Configuration + +- In the OAuth2 general settings add a valid redirect URL: + - Example for localhost: `http://localhost:3080/oauth/discord/callback` + - Example for a domain: `https://example.com/oauth/discord/callback` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/6c56fb92-f4ab-43b9-981b-f98babeeb19d) + +- In `Default Authorization Link`, select `In-app Authorization` and set the scopes to `applications.commands` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ce94670-9422-48d2-97e9-ec40bd331573) + +- Save changes and reset the Client Secret + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/3af164fc-66ed-4e5e-9f5a-9bcab3df37b4) +![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ece3935-68e6-4f2e-8656-9721cba5388a) + +## .env Configuration + +- Paste your `Client ID` and `Client Secret` in the `.env` file: + +```bash +DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain +DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain + +DISCORD_CLIENT_ID=your_client_id +DISCORD_CLIENT_SECRET=your_client_secret +DISCORD_CALLBACK_URL=/oauth/discord/callback +``` + +- Save the `.env` file + +> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes diff --git a/docs/install/configuration/OAuth2-and-OIDC/facebook.md b/docs/install/configuration/OAuth2-and-OIDC/facebook.md new file mode 100644 index 000000000..eabc6b6fa --- /dev/null 
+++ b/docs/install/configuration/OAuth2-and-OIDC/facebook.md 
@@ -0,0 +1,83 @@ +--- +title: Facebook +description: Learn how to configure LibreChat to use Facebook for user authentication. +weight: -8 +--- + +# Facebook - WIP + +> ⚠️ **Warning: Work in progress, not currently functional** + +> ❗ Note: Facebook Authentication will not work from `localhost` + +## Create a Facebook Application + +- Go to the **[Facebook Developer Portal](https://developers.facebook.com/)** + +- Click on "My Apps" in the header menu + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/b75ccb8b-d56b-41b7-8b0d-a32c2e762962) + +- Create a new application + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/706f050d-5423-44cc-80f0-120913695d8f) + +- Select "Authenticate and request data from users with Facebook Login" + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ebbb571-afe8-429e-ab39-be6e83d12c01) + +- Choose "No, I'm not creating a game" + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/88b5160a-9c72-414a-bbcc-7717b81106f3) + +- Provide an `app name` and `App contact email` and click `Create app` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/e1282c9e-4e7d-4cbe-82c9-cc76967f83e1) + +## Facebook Application Configuration + +- In the side menu, select "Use cases" and click "Customize" under "Authentication and account creation." + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/39f4bb70-d9dc-4d1c-8443-2666fe56499b) + +- Add the `email permission` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/dfa20879-2cb8-4daf-883d-3790854afca0) + +- Now click `Go to settings` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/512213a2-bd8b-4fd3-96c7-0de6d3222ddd) + +- Ensure that `Client OAuth login`, `Web OAuth login` and `Enforce HTTPS` are **enabled**. 
+ +![image](https://github.com/danny-avila/LibreChat/assets/32828263/3a7d935b-97bf-493b-b909-39ecf9b3432b) + +- Add a `Valid OAuth Redirect URIs` and "Save changes" + - Example for a domain: `https://example.com/oauth/facebook/callback` + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/ef8e54ee-a766-4871-9719-d4eff7a770b6) + +- Click `Go back` and select `Basic` in the `App settings` tab + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/0d14f702-5183-422e-a12c-5d1b6031581b) + +- Click "Show" next to the App secret. + +![image](https://github.com/danny-avila/LibreChat/assets/32828263/9a009e37-2bb6-4da6-b5c7-9139c3db6185) + +## .env Configuration + +- Copy the `App ID` and `App Secret` and paste them into the `.env` file as follows: + +```bash +DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain +DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain + +FACEBOOK_CLIENT_ID=your_app_id +FACEBOOK_CLIENT_SECRET=your_app_secret +FACEBOOK_CALLBACK_URL=/oauth/facebook/callback +``` + +- Save the `.env` file. + +> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes diff --git a/docs/install/configuration/OAuth2-and-OIDC/github.md b/docs/install/configuration/OAuth2-and-OIDC/github.md new file mode 100644 index 000000000..2fabc2c83 --- /dev/null +++ b/docs/install/configuration/OAuth2-and-OIDC/github.md 
@@ -0,0 +1,65 @@ +--- +title: GitHub +description: Learn how to configure LibreChat to use GitHub for user authentication. +weight: -10 +--- + +# GitHub + +## Create a GitHub Application + +- Go to your **[Github Developer settings](https://github.com/settings/apps)** +- Create a new Github app + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/3a8b88e7-78f8-426e-bfc2-c5e3f8b21ccb) + +## GitHub Application Configuration + +- Give it a `GitHub App name` and set your `Homepage URL` + - Example for localhost: `http://localhost:3080` + - Example for a domain: `https://example.com` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/f10d497d-460b-410f-9504-08735662648b) + +- Add a valid `Callback URL`: + - Example for localhost: `http://localhost:3080/oauth/github/callback` + - Example for a domain: `https://example.com/oauth/github/callback` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e7e6dba-0afb-4ed8-94bf-4c61b0f29240) + +- Uncheck the box labeled `Active` in the `Webhook` section + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaeb3ecb-2e76-4ea5-8264-edfbdd53de1a) + +- Scroll down to `Account permissions` and set `Email addresses` to `Access: Read-only` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/3e561aa4-1f9e-4cb7-ace8-dbba8f0c0d55) + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/7b5f99af-7bde-43ee-9b43-6d3ce79ee00a) + +- Click on `Create GitHub App` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/4cc48550-eac3-4970-939b-81a23fa9c7cf) + +## .env Configuration + +- Click `Generate a new client secret` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/484c7851-71dd-4167-a59e-9a56c4e08c36) + +- Copy the `Client ID` and `Client Secret` in the `.env` file + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaf78840-48a9-44e1-9625-4109ed91d965) + +```bash 
+DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain +DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain + +GITHUB_CLIENT_ID=your_client_id +GITHUB_CLIENT_SECRET=your_client_secret +GITHUB_CALLBACK_URL=/oauth/github/callback +``` + +- Save the `.env` file + +> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes diff --git a/docs/install/configuration/OAuth2-and-OIDC/google.md b/docs/install/configuration/OAuth2-and-OIDC/google.md new file mode 100644 index 000000000..6e2de60f6 --- /dev/null +++ b/docs/install/configuration/OAuth2-and-OIDC/google.md 
@@ -0,0 +1,97 @@ +--- +title: Google +description: Learn how to configure LibreChat to use Google for user authentication. +weight: -9 +--- + +# Google + +## Create a Google Application + +- Visit: **[Google Cloud Console](https://cloud.google.com)** and open the `Console` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/a7d290ea-6031-43b3-b367-36ce00e46f20) + +- Create a New Project and give it a name + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/ce71c9ca-7ddd-4021-9133-a872c64c20c4) + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/8abbd41e-8332-4851-898d-9cddb373c527) + +## Google Application Configuration + +- Select the project you just created and go to `APIs and Services` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/c6265582-2cf6-430f-ae51-1edbdd9f2c48) + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/006e16ba-56b8-452d-b324-5f2d202637ab) + +- Select `Credentials` and click `CONFIGURE CONSENT SCREEN` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/e4285cbb-833f-4366-820d-addf04a2ad77) + +- Select `External` then click `CREATE` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/232d46c0-dd00-4637-b538-3ba3bdbdc0b2) + +- Fill in your App information + +> Note: You can get a logo from your LibreChat folder here: `docs\assets\favicon_package\android-chrome-192x192.png` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/e6c4c8ec-2f02-4af5-9458-c72394d0b7c5) + +- Configure your `App domain` and add your `Developer contact information` then click `SAVE AND CONTINUE` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/6c2aa557-9b9b-412d-bc2b-76a0dc11f394) + +- Configure the `Sopes` + - Add `email`,`profile` and `openid` + - Click `UPDATE` and `SAVE AND CONTINUE` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/46af2fb9-8cfd-41c5-a763-814b308e45c3) + 
+![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e832970-d392-4c67-bb38-908a5c51660a) + +- Click `SAVE AND CONTINUE` +- Review your app and go back to dashboard + +- Go back to the `Credentials` tab, click on `+ CREATE CREDENTIALS` and select `OAuth client ID` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/beef1982-55a3-4837-8e8c-20bad8d846ba) + +- Select `Web application` and give it a name + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/badde864-f6b5-468f-a72f-bac93326ffa5) + +- Configure the `Authorized JavaScript origins`, you can add both your domain and localhost if you desire + - Example for localhost: `http://localhost:3080` + - Example for a domain: `https://example.com` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/f7e3763a-5f74-4850-8638-44f81693b9ac) + +- Add a valid `Authorized redirect URIs` + - Example for localhost: `http://localhost:3080/oauth/google/callback` + - Example for a domain: `https://example.com/oauth/google/callback` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/0db34b19-d780-4651-9c2f-d33e24a74d55) + +## .env Configuration + +- Click `CREATE` and copy your `Client ID` and `Client secret` + +![image](https://github.com/danny-avila/LibreChat/assets/138638445/fa8572bf-f482-457a-a285-aec7d41af76b) + +- Add them to your `.env` file: + +```bash +DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain +DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain + +GOOGLE_CLIENT_ID=your_client_id +GOOGLE_CLIENT_SECRET=your_client_secret +GOOGLE_CALLBACK_URL=/oauth/github/callback +``` + +- Save the `.env` file + +> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes 
diff --git a/docs/install/configuration/OAuth2-and-OIDC/keycloak.md b/docs/install/configuration/OAuth2-and-OIDC/keycloak.md new file mode 100644 index 000000000..07478f1ee --- /dev/null +++ b/docs/install/configuration/OAuth2-and-OIDC/keycloak.md 
@@ -0,0 +1,68 @@ +--- +title: Keycloak +description: Learn how to configure LibreChat to use Keycloak for user authentication. +weight: -5 +--- + +# Keycloak + +1. **Access Keycloak Admin Console:** +- Open the Keycloak Admin Console in your web browser. This is usually +found at a URL like `http://localhost:8080/auth/admin/`. + +2. **Create a Realm (if necessary):** +- If you don't already have a realm for your application, create one. Click on 'Add Realm' and give it a name. + +3. **Create a Client:** +- Within your realm, click on 'Clients' and then 'Create'. +- Enter a client ID and select 'openid-connect' as the Client Protocol. +- Set 'Client Authentication' to 'On'. +- In 'Valid Redirect URIs', enter `http://localhost:3080/oauth/openid/callback` or the appropriate URI for +your application. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/d956de3d-e1f7-4327-818a-f146eb86a949) + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/fbefbc05-b4ec-4122-8229-54a0a5876d76) + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/f75c7b0f-030e-4182-bf87-ccf3aeae17d4) + + +4. **Configure Client:** +- After creating the client, you will be redirected to its settings page. +- Note the 'Client ID' and 'Secret' from the 'Credentials' tab – you'll need these for your application. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/b1c1f0b6-641b-4cf7-a7f1-a9a32026d51b) + + +5. **Add Roles (Optional):** +If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users. +- Go to the 'Roles' tab in your client or realm (depending on where you want to define the roles). +- Create a new role that matches the value you have in `OPENID_REQUIRED_ROLE`. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/67ca635f-5082-4dcc-97ac-019029a81d7c) + +6. **Assign Roles to Users (Optional):** +- Go to 'Users', select a user, and go to the 'Role Mappings' tab. 
+- Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user. + +![image](https://github.com/danny-avila/LibreChat/assets/6623884/f2ea70ed-e16c-4ec8-b84f-79fbfca627be) + +7. **Get path of roles list inside token (Optional):** +- Decode your jwtToken from OpenID provider and determine path for roles list inside access token. For example, if you are + using Keycloak, the path is `realm_access.roles`. +- Put this path in `OPENID_REQUIRED_ROLE_PARAMETER_PATH` variable in `.env` file. +- By parameter `OPENID_REQUIRED_ROLE_TOKEN_KIND` you can specify which token kind you want to use. + Possible values are `access` and `id`. + +8**Update Your Project's Configuration:** +- Open the `.env` file in your project folder and add the following variables: + ``` + OPENID_ISSUER=http://localhost:8080/auth/realms/[YourRealmName] + OPENID_CLIENT_ID=[YourClientID] + OPENID_CLIENT_SECRET=[YourClientSecret] + OPENID_CALLBACK_URL=http://localhost:3080/oauth/openid/callback + OPENID_SCOPE="openid profile email" + OPENID_REQUIRED_ROLE=[YourRequiredRole] + OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id) + OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles" + ``` diff --git a/docs/install/configuration/dotenv.md b/docs/install/configuration/dotenv.md index d69d5289e..7bde77311 100644 --- a/docs/install/configuration/dotenv.md +++ b/docs/install/configuration/dotenv.md @@ -16,7 +16,7 @@ Alternatively, you can create a new file named `docker-compose.override.yml` in For more info see: - Our quick guide: - - **[Docker Override](../configuration/docker_override.md)** + - **[Docker Override](./docker_override.md)** - The official docker documentation: - **[docker docs - understanding-multiple-compose-files](https://docs.docker.com/compose/multiple-compose-files/extends/#understanding-multiple-compose-files)** 
@@ -274,7 +274,7 @@ DALLE2_API_KEY=your-azure-api-key-for-dall-e-2 ### BingAI Bing, also used for Sydney, jailbreak, and Bing Image Creator, see: [Bing Access token](./ai_setup.md#bingai) and [Bing Jailbreak](../../features/bing_jailbreak.md) -- Follow these instructions to get your bing access token (it's best to use the full cookie string for that purpose): **[Bing Access Token](../configuration/ai_setup.md#bingai)** +- Follow these instructions to get your bing access token (it's best to use the full cookie string for that purpose): **[Bing Access Token](./ai_setup.md#bingai)** - Leave `BINGAI_TOKEN=` blank to disable this endpoint - Set `BINGAI_TOKEN=` to "user_provided" to allow users to provide their own API key from the WebUI @@ -719,7 +719,7 @@ CHECK_BALANCE=false ``` ### Registration and Login -see: **[User/Auth System](../configuration/user_auth_system.md)** +see: **[User/Auth System](./user_auth_system.md)** ![image](https://github.com/danny-avila/LibreChat/assets/81851188/52a37d1d-7392-4a9a-a79f-90ed2da7f841) @@ -757,9 +757,9 @@ JWT_REFRESH_SECRET=eaa5191f2914e30b9387fd84e254e4ba6fc51b4654968a9b0803b456a54b8 ### Social Logins -#### [Discord Authentication](../configuration/user_auth_system.md#discord) +#### [Discord Authentication](./OAuth2-and-OIDC/discord.md) -for more information: **[Discord](../configuration/user_auth_system.md#discord)** +for more information: **[Discord](./OAuth2-and-OIDC/discord.md)** ```bash # Discord @@ -768,9 +768,9 @@ DISCORD_CLIENT_SECRET=your_client_secret DISCORD_CALLBACK_URL=/oauth/discord/callback ``` -#### [Facebook Authentication](../configuration/user_auth_system.md#facebook) +#### [Facebook Authentication](./OAuth2-and-OIDC/facebook.md) -for more information: **[Facebook Authentication](../configuration/user_auth_system.md#facebook)** +for more information: **[Facebook Authentication](./OAuth2-and-OIDC/facebook.md)** ```bash # Facebook 
@@ -779,9 +779,9 @@ FACEBOOK_CLIENT_SECRET= FACEBOOK_CALLBACK_URL=/oauth/facebook/callback ``` -#### [GitHub Authentication](../configuration/user_auth_system.md#github) +#### [GitHub Authentication](./OAuth2-and-OIDC/github.md) -for more information: **[GitHub Authentication](../configuration/user_auth_system.md#github)** +for more information: **[GitHub Authentication](./OAuth2-and-OIDC/github.md)** ```bash # GitHub @@ -790,9 +790,9 @@ GITHUB_CLIENT_SECRET=your_client_secret GITHUB_CALLBACK_URL=/oauth/github/callback ``` -#### [Google Authentication](../configuration/user_auth_system.md#google) +#### [Google Authentication](./OAuth2-and-OIDC/google.md) -for more information: **[Google Authentication](../configuration/user_auth_system.md#google)** +for more information: **[Google Authentication](./OAuth2-and-OIDC/google.md)** ```bash # Google @@ -801,9 +801,9 @@ GOOGLE_CLIENT_SECRET= GOOGLE_CALLBACK_URL=/oauth/google/callback ``` -#### [OpenID Authentication](../configuration/user_auth_system.md#openid-with-aws-cognito) +#### [OpenID Authentication](./OAuth2-and-OIDC/aws.md) -for more information: **[Azure OpenID Authentication](../configuration/user_auth_system.md#openid-with-azure-ad)** or **[AWS Cognito OpenID Authentication](../configuration/user_auth_system.md#openid-with-aws-cognito)** +for more information: **[Azure OpenID Authentication](./OAuth2-and-OIDC/azure.md)** or **[AWS Cognito OpenID Authentication](./OAuth2-and-OIDC/aws.md)** ```bash # OpenID 
@@ -813,13 +813,15 @@ OPENID_ISSUER= OPENID_SESSION_SECRET= OPENID_SCOPE="openid profile email" OPENID_CALLBACK_URL=/oauth/openid/callback - OPENID_BUTTON_LABEL= OPENID_IMAGE_URL= +OPENID_REQUIRED_ROLE_TOKEN_KIND= +OPENID_REQUIRED_ROLE= +OPENID_REQUIRED_ROLE_PARAMETER_PATH= ``` ### Email Password Reset -Email is used for password reset. See: **[Email Password Reset](../configuration/user_auth_system.md#email-and-password-reset)** +Email is used for password reset. See: **[Email Password Reset](./user_auth_system.md#email-and-password-reset)** - Note that all either service or host, username and password and the From address must be set for email to work. diff --git a/docs/install/configuration/user_auth_system.md b/docs/install/configuration/user_auth_system.md index 807b11272..5ab1bcb52 100644 --- a/docs/install/configuration/user_auth_system.md +++ b/docs/install/configuration/user_auth_system.md 
@@ -166,431 +166,16 @@ EMAIL_FROM_NAME="My LibreChat Server" --- -## Social Authentication - Setup and Configuration +## Social Authentication ![image](https://github.com/danny-avila/LibreChat/assets/138638445/cacc2ee0-acf9-4d05-883a-ca9952de1165) -### Discord - -#### Create a new Discord Application - -- Go to **[Discord Developer Portal](https://discord.com/developers)** - -- Create a new Application and give it a name - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/7e7cdfa0-d1d6-4b6b-a8a9-905aaa40d135) - -#### Discord Application Configuration - -- In the OAuth2 general settings add a valid redirect URL: - - Example for localhost: `http://localhost:3080/oauth/discord/callback` - - Example for a domain: `https://example.com/oauth/discord/callback` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/6c56fb92-f4ab-43b9-981b-f98babeeb19d) - -- In `Default Authorization Link`, select `In-app Authorization` and set the scopes to `applications.commands` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ce94670-9422-48d2-97e9-ec40bd331573) - -- Save changes and reset the Client Secret - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/3af164fc-66ed-4e5e-9f5a-9bcab3df37b4) -![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ece3935-68e6-4f2e-8656-9721cba5388a) - -#### .env Configuration - -- Paste your `Client ID` and `Client Secret` in the `.env` file: - -```bash -DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain -DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain - -DISCORD_CLIENT_ID=your_client_id -DISCORD_CLIENT_SECRET=your_client_secret -DISCORD_CALLBACK_URL=/oauth/discord/callback -``` - -- Save the `.env` file - -> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes - ---- - -### Facebook - WIP - -> ⚠️ **Warning: Work in progress, not currently 
functional** - -> ❗ Note: Facebook Authentication will not work from `localhost` - -#### Create a Facebook Application - -- Go to the **[Facebook Developer Portal](https://developers.facebook.com/)** - -- Click on "My Apps" in the header menu - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/b75ccb8b-d56b-41b7-8b0d-a32c2e762962) - -- Create a new application - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/706f050d-5423-44cc-80f0-120913695d8f) - -- Select "Authenticate and request data from users with Facebook Login" - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ebbb571-afe8-429e-ab39-be6e83d12c01) - -- Choose "No, I'm not creating a game" - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/88b5160a-9c72-414a-bbcc-7717b81106f3) - -- Provide an `app name` and `App contact email` and click `Create app` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/e1282c9e-4e7d-4cbe-82c9-cc76967f83e1) - -#### Facebook Application Configuration - -- In the side menu, select "Use cases" and click "Customize" under "Authentication and account creation." - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/39f4bb70-d9dc-4d1c-8443-2666fe56499b) - -- Add the `email permission` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/dfa20879-2cb8-4daf-883d-3790854afca0) - -- Now click `Go to settings` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/512213a2-bd8b-4fd3-96c7-0de6d3222ddd) - -- Ensure that `Client OAuth login`, `Web OAuth login` and `Enforce HTTPS` are **enabled**. 
- -![image](https://github.com/danny-avila/LibreChat/assets/32828263/3a7d935b-97bf-493b-b909-39ecf9b3432b) - -- Add a `Valid OAuth Redirect URIs` and "Save changes" - - Example for a domain: `https://example.com/oauth/facebook/callback` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/ef8e54ee-a766-4871-9719-d4eff7a770b6) - -- Click `Go back` and select `Basic` in the `App settings` tab - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/0d14f702-5183-422e-a12c-5d1b6031581b) - -- Click "Show" next to the App secret. - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/9a009e37-2bb6-4da6-b5c7-9139c3db6185) - -#### .env Configuration - -- Copy the `App ID` and `App Secret` and paste them into the `.env` file as follows: - -```bash -DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain -DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain - -FACEBOOK_CLIENT_ID=your_app_id -FACEBOOK_CLIENT_SECRET=your_app_secret -FACEBOOK_CALLBACK_URL=/oauth/facebook/callback -``` - -- Save the `.env` file. 
- -> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes - ---- - -### GitHub - -#### Create a GitHub Application - -- Go to your **[Github Developer settings](https://github.com/settings/apps)** -- Create a new Github app - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/3a8b88e7-78f8-426e-bfc2-c5e3f8b21ccb) - -#### GitHub Application Configuration - -- Give it a `GitHub App name` and set your `Homepage URL` - - Example for localhost: `http://localhost:3080` - - Example for a domain: `https://example.com` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/f10d497d-460b-410f-9504-08735662648b) - -- Add a valid `Callback URL`: - - Example for localhost: `http://localhost:3080/oauth/github/callback` - - Example for a domain: `https://example.com/oauth/github/callback` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e7e6dba-0afb-4ed8-94bf-4c61b0f29240) - -- Uncheck the box labeled `Active` in the `Webhook` section - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaeb3ecb-2e76-4ea5-8264-edfbdd53de1a) - -- Scroll down to `Account permissions` and set `Email addresses` to `Access: Read-only` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/3e561aa4-1f9e-4cb7-ace8-dbba8f0c0d55) - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/7b5f99af-7bde-43ee-9b43-6d3ce79ee00a) - -- Click on `Create GitHub App` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/4cc48550-eac3-4970-939b-81a23fa9c7cf) - -#### .env Configuration - -- Click `Generate a new client secret` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/484c7851-71dd-4167-a59e-9a56c4e08c36) - -- Copy the `Client ID` and `Client Secret` in the `.env` file - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaf78840-48a9-44e1-9625-4109ed91d965) - -```bash -DOMAIN_CLIENT=https://your-domain.com #use 
http://localhost:3080 if not using a custom domain -DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain - -GITHUB_CLIENT_ID=your_client_id -GITHUB_CLIENT_SECRET=your_client_secret -GITHUB_CALLBACK_URL=/oauth/github/callback -``` - -- Save the `.env` file - -> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes - ---- - -### Google - -#### Create a Google Application - -- Visit: **[Google Cloud Console](https://cloud.google.com)** and open the `Console` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/a7d290ea-6031-43b3-b367-36ce00e46f20) - -- Create a New Project and give it a name - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/ce71c9ca-7ddd-4021-9133-a872c64c20c4) - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/8abbd41e-8332-4851-898d-9cddb373c527) - -#### Google Application Configuration - -- Select the project you just created and go to `APIs and Services` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/c6265582-2cf6-430f-ae51-1edbdd9f2c48) - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/006e16ba-56b8-452d-b324-5f2d202637ab) - -- Select `Credentials` and click `CONFIGURE CONSENT SCREEN` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/e4285cbb-833f-4366-820d-addf04a2ad77) - -- Select `External` then click `CREATE` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/232d46c0-dd00-4637-b538-3ba3bdbdc0b2) - -- Fill in your App information - -> Note: You can get a logo from your LibreChat folder here: `docs\assets\favicon_package\android-chrome-192x192.png` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/e6c4c8ec-2f02-4af5-9458-c72394d0b7c5) - -- Configure your `App domain` and add your `Developer contact information` then click `SAVE AND CONTINUE` - 
-![image](https://github.com/danny-avila/LibreChat/assets/138638445/6c2aa557-9b9b-412d-bc2b-76a0dc11f394) - -- Configure the `Sopes` - - Add `email`,`profile` and `openid` - - Click `UPDATE` and `SAVE AND CONTINUE` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/46af2fb9-8cfd-41c5-a763-814b308e45c3) - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e832970-d392-4c67-bb38-908a5c51660a) - -- Click `SAVE AND CONTINUE` -- Review your app and go back to dashboard - -- Go back to the `Credentials` tab, click on `+ CREATE CREDENTIALS` and select `OAuth client ID` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/beef1982-55a3-4837-8e8c-20bad8d846ba) - -- Select `Web application` and give it a name - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/badde864-f6b5-468f-a72f-bac93326ffa5) - -- Configure the `Authorized JavaScript origins`, you can add both your domain and localhost if you desire - - Example for localhost: `http://localhost:3080` - - Example for a domain: `https://example.com` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/f7e3763a-5f74-4850-8638-44f81693b9ac) - -- Add a valid `Authorized redirect URIs` - - Example for localhost: `http://localhost:3080/oauth/google/callback` - - Example for a domain: `https://example.com/oauth/google/callback` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/0db34b19-d780-4651-9c2f-d33e24a74d55) - -#### .env Configuration - -- Click `CREATE` and copy your `Client ID` and `Client secret` - -![image](https://github.com/danny-avila/LibreChat/assets/138638445/fa8572bf-f482-457a-a285-aec7d41af76b) - -- Add them to your `.env` file: - -```bash -DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain -DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain - -GOOGLE_CLIENT_ID=your_client_id -GOOGLE_CLIENT_SECRET=your_client_secret 
-GOOGLE_CALLBACK_URL=/oauth/github/callback -``` - -- Save the `.env` file - -> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes - ---- - -### OpenID with AWS Cognito - -#### Create a new User Pool in Cognito - -- Visit: **[https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito/)** -- Sign in as Root User -- Click on `Create user pool` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/e9b412c3-2cf1-4f54-998c-d1d6c12581a5) - -#### Configure sign-in experience - -Your Cognito user pool sign-in options should include `User Name` and `Email`. - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/d2cf362d-469e-4993-8466-10282da114c2) - -#### Configure Security Requirements - -You can configure the password requirements now if you desire - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/e125e8f1-961b-4a38-a6b7-ed1faf29c4a3) - -#### Configure sign-up experience - -Choose the attributes required at signup. The minimum required is `name`. If you want to require users to use their full name at sign up use: `given_name` and `family_name` as required attributes. - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/558b8e2c-afbd-4dd1-87f3-c409463b5f7c) - -#### Configure message delivery - -Send email with Cognito can be used for free for up to 50 emails a day - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/fcb2323b-708e-488c-9420-7eb482974648) - -#### Integrate your app - -Select `Use Cognitio Hosted UI` and chose a domain name - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/111b3dd4-3b20-4e3e-80e1-7167d2ad0f62) - -Set the app type to `Confidential client` -Make sure `Generate a client secret` is set. 
-Set the `Allowed callback URLs` to `https://YOUR_DOMAIN/oauth/openid/callback` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/1f92a532-7c4d-4632-a55d-9d00bf77fc4d) - -Under `Advanced app client settings` make sure `Profile` is included in the `OpenID Connect scopes` (in the bottom) - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/5b035eae-4a8e-482c-abd5-29cee6502eeb) - -#### Review and create -You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8b2374-9adb-4065-85dc-a087d625372d) - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/67efb1e9-dfe3-4ebd-9ebb-92186c514b5c) - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/9f819175-ace1-44b1-ba68-af21ac9f6735) - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/3e7b8b17-4e12-49af-99cf-78981d6331df) - -#### Get your environment variables - -1. Open your User Pool - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/b658ff2a-d252-4f3d-90a7-9fbde42c01db) - -2. The `User Pool ID` and your AWS region will be used to construct the `OPENID_ISSUER` (see below) - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8ae403-cbff-4aae-9eee-42d7cf3485e7) -![image](https://github.com/danny-avila/LibreChat/assets/32828263/d606f5c8-c60b-4d20-bdb2-d0d69e49ea1e) - -3. Go to the `App Integrations` tab - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/58713bdc-24bc-47de-bdca-020dc321e997) - -4. Open the app client - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/271bf7d2-3df2-43a7-87fc-e50294e49b2e) - -5. 
Toggle `Show Client Secret` - -![image](https://github.com/danny-avila/LibreChat/assets/32828263/a844fe65-313d-4754-81b4-380336e0e336) - -- Use the `Client ID` for `OPENID_CLIENT_ID` - -- Use the `Client secret` for `OPENID_CLIENT_SECRET` - -- Generate a random string for the `OPENID_SESSION_SECRET` - -> The `OPENID_SCOPE` and `OPENID_CALLBACK_URL` are pre-configured with the correct values - -6. Open the `.env` file at the root of your LibreChat folder and add the following variables with the values you copied: - -```bash -DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain -DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain - -OPENID_CLIENT_ID=Your client ID -OPENID_CLIENT_SECRET=Your client secret -OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration -OPENID_SESSION_SECRET=Any random string -OPENID_SCOPE=openid profile email -OPENID_CALLBACK_URL=/oauth/openid/callback -``` -7. Save the .env file - -> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes - - ---- - -### OpenID with Azure AD - -1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account. -2. In the search box, type "Azure Active Directory" and click on it. -3. On the left menu, click on App registrations and then on New registration. -4. Give your app a name and select Web as the platform type. -5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register. -6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere. -7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit grant and hybrid flows. -8. On the left menu, click on Certificates & Secrets and then on New client secret. 
Give your secret a name and an expiration date and click on Add. -9. You will see a Value column with your secret. Copy it and save it somewhere. Don't share it with anyone! -10. Open the .env file in your project folder and add the following variables with the values you copied: - -```bash -DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain -DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain - -OPENID_CLIENT_ID=Your Application (client) ID -OPENID_CLIENT_SECRET=Your client secret -OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/ -OPENID_SESSION_SECRET=Any random string -OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS -OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone -``` -11. Save the .env file - -> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes - - ---- \ No newline at end of file +### OAuth2 + - [Discord](./OAuth2-and-OIDC/discord.md) + - [GitHub](./OAuth2-and-OIDC/github.md) + - [Google](./OAuth2-and-OIDC/google.md) + - [Facebook](./OAuth2-and-OIDC/facebook.md) +### OpenID Connect + - [AWS Cognito](./OAuth2-and-OIDC/aws.md) + - [Azure Entra/AD](./OAuth2-and-OIDC/azure.md) + - [Keycloak](./OAuth2-and-OIDC/keycloak.md) \ No newline at end of file