Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-23 03:40:14 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🛂 feat: Required OpenID Role (#2279)

Browse source 
* feat: add possibility to filter by roles for OpenID provider

---------

Co-authored-by: Sirius <siriusfrk@gmail.com>
This commit is contained in:
Danny Avila 2024-04-02 03:08:17 -04:00 committed by GitHub
parent 49753a35e5
commit 1bafe80e78
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 599 additions and 441 deletions
Download patch file Download diff file Expand all files Collapse all files

114
docs/install/configuration/OAuth2-and-OIDC/aws.md Normal file
View file

@ -0,0 +1,114 @@
---
title: AWS Cognito
description: Learn how to configure LibreChat to use AWS Cognito for user authentication.
weight: -7
---
# AWS Cognito
## Create a new User Pool in Cognito
- Visit: **[https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito/)**
- Sign in as Root User
- Click on `Create user pool`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e9b412c3-2cf1-4f54-998c-d1d6c12581a5)
## Configure sign-in experience
Your Cognito user pool sign-in options should include `User Name` and `Email`.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/d2cf362d-469e-4993-8466-10282da114c2)
## Configure Security Requirements
You can configure the password requirements now if you desire
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e125e8f1-961b-4a38-a6b7-ed1faf29c4a3)
## Configure sign-up experience
Choose the attributes required at signup. The minimum required is `name`. If you want to require users to use their full name at sign up use: `given_name` and `family_name` as required attributes.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/558b8e2c-afbd-4dd1-87f3-c409463b5f7c)
## Configure message delivery
Send email with Cognito can be used for free for up to 50 emails a day
![image](https://github.com/danny-avila/LibreChat/assets/32828263/fcb2323b-708e-488c-9420-7eb482974648)
## Integrate your app
Select `Use Cognitio Hosted UI` and chose a domain name
![image](https://github.com/danny-avila/LibreChat/assets/32828263/111b3dd4-3b20-4e3e-80e1-7167d2ad0f62)
Set the app type to `Confidential client`
Make sure `Generate a client secret` is set.
Set the `Allowed callback URLs` to `https://YOUR_DOMAIN/oauth/openid/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/1f92a532-7c4d-4632-a55d-9d00bf77fc4d)
Under `Advanced app client settings` make sure `Profile` is included in the `OpenID Connect scopes` (in the bottom)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/5b035eae-4a8e-482c-abd5-29cee6502eeb)
## Review and create
You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8b2374-9adb-4065-85dc-a087d625372d)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/67efb1e9-dfe3-4ebd-9ebb-92186c514b5c)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/9f819175-ace1-44b1-ba68-af21ac9f6735)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3e7b8b17-4e12-49af-99cf-78981d6331df)
## Get your environment variables
1. Open your User Pool
![image](https://github.com/danny-avila/LibreChat/assets/32828263/b658ff2a-d252-4f3d-90a7-9fbde42c01db)
2. The `User Pool ID` and your AWS region will be used to construct the `OPENID_ISSUER` (see below)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8ae403-cbff-4aae-9eee-42d7cf3485e7)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/d606f5c8-c60b-4d20-bdb2-d0d69e49ea1e)
3. Go to the `App Integrations` tab
![image](https://github.com/danny-avila/LibreChat/assets/32828263/58713bdc-24bc-47de-bdca-020dc321e997)
4. Open the app client
![image](https://github.com/danny-avila/LibreChat/assets/32828263/271bf7d2-3df2-43a7-87fc-e50294e49b2e)
5. Toggle `Show Client Secret`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/a844fe65-313d-4754-81b4-380336e0e336)
- Use the `Client ID` for `OPENID_CLIENT_ID`
- Use the `Client secret` for `OPENID_CLIENT_SECRET`
- Generate a random string for the `OPENID_SESSION_SECRET`
> The `OPENID_SCOPE` and `OPENID_CALLBACK_URL` are pre-configured with the correct values
6. Open the `.env` file at the root of your LibreChat folder and add the following variables with the values you copied:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your client ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
```
7. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

59
docs/install/configuration/OAuth2-and-OIDC/azure.md Normal file
View file

@ -0,0 +1,59 @@
---
title: Azure Entra
description: Learn how to configure LibreChat to use Azure Entra for user authentication.
weight: -6
---
# OpenID with Azure Entra
1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account.
2. In the search box, type "Azure Entra" and click on it.
3. On the left menu, click on App registrations and then on New registration.
4. Give your app a name and select Web as the platform type.
5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/2b1aabce-850e-4165-bf76-3c1984f10b6c)
6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the
Directory (tenant) ID and save them somewhere.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/e67d5e97-e26d-48a5-aa6e-50de4450b1fd)
7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit
grant and hybrid flows.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/88a16cbc-ff68-4b3a-ba7b-b380cc3d2366)
8. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a
name and an expiration date and click on Add. You will see a Value column with your secret. Copy it and
save it somewhere. Don't share it with anyone!
![image](https://github.com/danny-avila/LibreChat/assets/6623884/31aa6cee-5402-4ce0-a950-1b7e147aafc8)
9. If you want to restrict access by groups you should add the groups claim to the token. To do this, go to
Token configuration and click on Add group claim. Select the groups you want to include in the token and click on Add.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/c9d353f5-2cb2-4f00-b4f0-493cfec8fe9a)
10. Open the .env file in your project folder and add the following variables with the values you copied:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone
# If you want to restrict access by groups
OPENID_REQUIRED_ROLE_TOKEN_KIND=id
OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles"
OPENID_REQUIRED_ROLE="Your Group Name"
```
11. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

49
docs/install/configuration/OAuth2-and-OIDC/discord.md Normal file
View file

@ -0,0 +1,49 @@
---
title: Discord
description: Learn how to configure LibreChat to use Discord for user authentication.
weight: -11
---
# Discord
## Create a new Discord Application
- Go to **[Discord Developer Portal](https://discord.com/developers)**
- Create a new Application and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/32828263/7e7cdfa0-d1d6-4b6b-a8a9-905aaa40d135)
## Discord Application Configuration
- In the OAuth2 general settings add a valid redirect URL:
- Example for localhost: `http://localhost:3080/oauth/discord/callback`
- Example for a domain: `https://example.com/oauth/discord/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/6c56fb92-f4ab-43b9-981b-f98babeeb19d)
- In `Default Authorization Link`, select `In-app Authorization` and set the scopes to `applications.commands`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ce94670-9422-48d2-97e9-ec40bd331573)
- Save changes and reset the Client Secret
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3af164fc-66ed-4e5e-9f5a-9bcab3df37b4)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ece3935-68e6-4f2e-8656-9721cba5388a)
## .env Configuration
- Paste your `Client ID` and `Client Secret` in the `.env` file:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DISCORD_CLIENT_ID=your_client_id
DISCORD_CLIENT_SECRET=your_client_secret
DISCORD_CALLBACK_URL=/oauth/discord/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

83
docs/install/configuration/OAuth2-and-OIDC/facebook.md Normal file
View file

@ -0,0 +1,83 @@
---
title: Facebook
description: Learn how to configure LibreChat to use Facebook for user authentication.
weight: -8
---
# Facebook - WIP
> ⚠️ **Warning: Work in progress, not currently functional**
> ❗ Note: Facebook Authentication will not work from `localhost`
## Create a Facebook Application
- Go to the **[Facebook Developer Portal](https://developers.facebook.com/)**
- Click on "My Apps" in the header menu
![image](https://github.com/danny-avila/LibreChat/assets/32828263/b75ccb8b-d56b-41b7-8b0d-a32c2e762962)
- Create a new application
![image](https://github.com/danny-avila/LibreChat/assets/32828263/706f050d-5423-44cc-80f0-120913695d8f)
- Select "Authenticate and request data from users with Facebook Login"
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ebbb571-afe8-429e-ab39-be6e83d12c01)
- Choose "No, I'm not creating a game"
![image](https://github.com/danny-avila/LibreChat/assets/32828263/88b5160a-9c72-414a-bbcc-7717b81106f3)
- Provide an `app name` and `App contact email` and click `Create app`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e1282c9e-4e7d-4cbe-82c9-cc76967f83e1)
## Facebook Application Configuration
- In the side menu, select "Use cases" and click "Customize" under "Authentication and account creation."
![image](https://github.com/danny-avila/LibreChat/assets/32828263/39f4bb70-d9dc-4d1c-8443-2666fe56499b)
- Add the `email permission`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dfa20879-2cb8-4daf-883d-3790854afca0)
- Now click `Go to settings`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/512213a2-bd8b-4fd3-96c7-0de6d3222ddd)
- Ensure that `Client OAuth login`, `Web OAuth login` and `Enforce HTTPS` are **enabled**.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3a7d935b-97bf-493b-b909-39ecf9b3432b)
- Add a `Valid OAuth Redirect URIs` and "Save changes"
- Example for a domain: `https://example.com/oauth/facebook/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/ef8e54ee-a766-4871-9719-d4eff7a770b6)
- Click `Go back` and select `Basic` in the `App settings` tab
![image](https://github.com/danny-avila/LibreChat/assets/32828263/0d14f702-5183-422e-a12c-5d1b6031581b)
- Click "Show" next to the App secret.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/9a009e37-2bb6-4da6-b5c7-9139c3db6185)
## .env Configuration
- Copy the `App ID` and `App Secret` and paste them into the `.env` file as follows:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
FACEBOOK_CLIENT_ID=your_app_id
FACEBOOK_CLIENT_SECRET=your_app_secret
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
```
- Save the `.env` file.
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

65
docs/install/configuration/OAuth2-and-OIDC/github.md Normal file
View file

@ -0,0 +1,65 @@
---
title: GitHub
description: Learn how to configure LibreChat to use GitHub for user authentication.
weight: -10
---
# GitHub
## Create a GitHub Application
- Go to your **[Github Developer settings](https://github.com/settings/apps)**
- Create a new Github app
![image](https://github.com/danny-avila/LibreChat/assets/138638445/3a8b88e7-78f8-426e-bfc2-c5e3f8b21ccb)
## GitHub Application Configuration
- Give it a `GitHub App name` and set your `Homepage URL`
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/f10d497d-460b-410f-9504-08735662648b)
- Add a valid `Callback URL`:
- Example for localhost: `http://localhost:3080/oauth/github/callback`
- Example for a domain: `https://example.com/oauth/github/callback`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e7e6dba-0afb-4ed8-94bf-4c61b0f29240)
- Uncheck the box labeled `Active` in the `Webhook` section
![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaeb3ecb-2e76-4ea5-8264-edfbdd53de1a)
- Scroll down to `Account permissions` and set `Email addresses` to `Access: Read-only`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/3e561aa4-1f9e-4cb7-ace8-dbba8f0c0d55)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/7b5f99af-7bde-43ee-9b43-6d3ce79ee00a)
- Click on `Create GitHub App`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4cc48550-eac3-4970-939b-81a23fa9c7cf)
## .env Configuration
- Click `Generate a new client secret`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/484c7851-71dd-4167-a59e-9a56c4e08c36)
- Copy the `Client ID` and `Client Secret` in the `.env` file
![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaf78840-48a9-44e1-9625-4109ed91d965)
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
GITHUB_CLIENT_ID=your_client_id
GITHUB_CLIENT_SECRET=your_client_secret
GITHUB_CALLBACK_URL=/oauth/github/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

97
docs/install/configuration/OAuth2-and-OIDC/google.md Normal file
View file

@ -0,0 +1,97 @@
---
title: Google
description: Learn how to configure LibreChat to use Google for user authentication.
weight: -9
---
# Google
## Create a Google Application
- Visit: **[Google Cloud Console](https://cloud.google.com)** and open the `Console`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/a7d290ea-6031-43b3-b367-36ce00e46f20)
- Create a New Project and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/138638445/ce71c9ca-7ddd-4021-9133-a872c64c20c4)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/8abbd41e-8332-4851-898d-9cddb373c527)
## Google Application Configuration
- Select the project you just created and go to `APIs and Services`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/c6265582-2cf6-430f-ae51-1edbdd9f2c48)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/006e16ba-56b8-452d-b324-5f2d202637ab)
- Select `Credentials` and click `CONFIGURE CONSENT SCREEN`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/e4285cbb-833f-4366-820d-addf04a2ad77)
- Select `External` then click `CREATE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/232d46c0-dd00-4637-b538-3ba3bdbdc0b2)
- Fill in your App information
> Note: You can get a logo from your LibreChat folder here: `docs\assets\favicon_package\android-chrome-192x192.png`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/e6c4c8ec-2f02-4af5-9458-c72394d0b7c5)
- Configure your `App domain` and add your `Developer contact information` then click `SAVE AND CONTINUE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/6c2aa557-9b9b-412d-bc2b-76a0dc11f394)
- Configure the `Sopes`
- Add `email`,`profile` and `openid`
- Click `UPDATE` and `SAVE AND CONTINUE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/46af2fb9-8cfd-41c5-a763-814b308e45c3)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e832970-d392-4c67-bb38-908a5c51660a)
- Click `SAVE AND CONTINUE`
- Review your app and go back to dashboard
- Go back to the `Credentials` tab, click on `+ CREATE CREDENTIALS` and select `OAuth client ID`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/beef1982-55a3-4837-8e8c-20bad8d846ba)
- Select `Web application` and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/138638445/badde864-f6b5-468f-a72f-bac93326ffa5)
- Configure the `Authorized JavaScript origins`, you can add both your domain and localhost if you desire
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/f7e3763a-5f74-4850-8638-44f81693b9ac)
- Add a valid `Authorized redirect URIs`
- Example for localhost: `http://localhost:3080/oauth/google/callback`
- Example for a domain: `https://example.com/oauth/google/callback`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/0db34b19-d780-4651-9c2f-d33e24a74d55)
## .env Configuration
- Click `CREATE` and copy your `Client ID` and `Client secret`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/fa8572bf-f482-457a-a285-aec7d41af76b)
- Add them to your `.env` file:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
GOOGLE_CLIENT_ID=your_client_id
GOOGLE_CLIENT_SECRET=your_client_secret
GOOGLE_CALLBACK_URL=/oauth/github/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

68
docs/install/configuration/OAuth2-and-OIDC/keycloak.md Normal file
View file

@ -0,0 +1,68 @@
---
title: Keycloak
description: Learn how to configure LibreChat to use Keycloak for user authentication.
weight: -5
---
# Keycloak
1. **Access Keycloak Admin Console:**
- Open the Keycloak Admin Console in your web browser. This is usually
found at a URL like `http://localhost:8080/auth/admin/`.
2. **Create a Realm (if necessary):**
- If you don't already have a realm for your application, create one. Click on 'Add Realm' and give it a name.
3. **Create a Client:**
- Within your realm, click on 'Clients' and then 'Create'.
- Enter a client ID and select 'openid-connect' as the Client Protocol.
- Set 'Client Authentication' to 'On'.
- In 'Valid Redirect URIs', enter `http://localhost:3080/oauth/openid/callback` or the appropriate URI for
your application.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/d956de3d-e1f7-4327-818a-f146eb86a949)
![image](https://github.com/danny-avila/LibreChat/assets/6623884/fbefbc05-b4ec-4122-8229-54a0a5876d76)
![image](https://github.com/danny-avila/LibreChat/assets/6623884/f75c7b0f-030e-4182-bf87-ccf3aeae17d4)
4. **Configure Client:**
- After creating the client, you will be redirected to its settings page.
- Note the 'Client ID' and 'Secret' from the 'Credentials' tab you'll need these for your application.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/b1c1f0b6-641b-4cf7-a7f1-a9a32026d51b)
5. **Add Roles (Optional):**
If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users.
- Go to the 'Roles' tab in your client or realm (depending on where you want to define the roles).
- Create a new role that matches the value you have in `OPENID_REQUIRED_ROLE`.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/67ca635f-5082-4dcc-97ac-019029a81d7c)
6. **Assign Roles to Users (Optional):**
- Go to 'Users', select a user, and go to the 'Role Mappings' tab.
- Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/f2ea70ed-e16c-4ec8-b84f-79fbfca627be)
7. **Get path of roles list inside token (Optional):**
- Decode your jwtToken from OpenID provider and determine path for roles list inside access token. For example, if you are
using Keycloak, the path is `realm_access.roles`.
- Put this path in `OPENID_REQUIRED_ROLE_PARAMETER_PATH` variable in `.env` file.
- By parameter `OPENID_REQUIRED_ROLE_TOKEN_KIND` you can specify which token kind you want to use.
Possible values are `access` and `id`.
8**Update Your Project's Configuration:**
- Open the `.env` file in your project folder and add the following variables:
```
OPENID_ISSUER=http://localhost:8080/auth/realms/[YourRealmName]
OPENID_CLIENT_ID=[YourClientID]
OPENID_CLIENT_SECRET=[YourClientSecret]
OPENID_CALLBACK_URL=http://localhost:3080/oauth/openid/callback
OPENID_SCOPE="openid profile email"
OPENID_REQUIRED_ROLE=[YourRequiredRole]
OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id)
OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"
```