mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 17:00:15 +01:00
🛂 feat: Required OpenID Role (#2279)
* feat: add possibility to filter by roles for OpenID provider --------- Co-authored-by: Sirius <siriusfrk@gmail.com>
This commit is contained in:
parent
49753a35e5
commit
1bafe80e78
11 changed files with 599 additions and 441 deletions
@ -166,431 +166,16 @@ EMAIL_FROM_NAME="My LibreChat Server"

---

## Social Authentication - Setup and Configuration
## Social Authentication



### Discord

#### Create a new Discord Application

- Go to **[Discord Developer Portal](https://discord.com/developers)**

- Create a new Application and give it a name



#### Discord Application Configuration

- In the OAuth2 general settings add a valid redirect URL:
- Example for localhost: `http://localhost:3080/oauth/discord/callback`
- Example for a domain: `https://example.com/oauth/discord/callback`



- In `Default Authorization Link`, select `In-app Authorization` and set the scopes to `applications.commands`



- Save changes and reset the Client Secret




#### .env Configuration

- Paste your `Client ID` and `Client Secret` in the `.env` file:

```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain

DISCORD_CLIENT_ID=your_client_id
DISCORD_CLIENT_SECRET=your_client_secret
DISCORD_CALLBACK_URL=/oauth/discord/callback
```

- Save the `.env` file

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

---

### Facebook - WIP

> ⚠️ **Warning: Work in progress, not currently functional**

> ❗ Note: Facebook Authentication will not work from `localhost`

#### Create a Facebook Application

- Go to the **[Facebook Developer Portal](https://developers.facebook.com/)**

- Click on "My Apps" in the header menu



- Create a new application



- Select "Authenticate and request data from users with Facebook Login"



- Choose "No, I'm not creating a game"



- Provide an `app name` and `App contact email` and click `Create app`



#### Facebook Application Configuration

- In the side menu, select "Use cases" and click "Customize" under "Authentication and account creation."



- Add the `email permission`



- Now click `Go to settings`



- Ensure that `Client OAuth login`, `Web OAuth login` and `Enforce HTTPS` are **enabled**.



- Add a `Valid OAuth Redirect URIs` and "Save changes"
- Example for a domain: `https://example.com/oauth/facebook/callback`



- Click `Go back` and select `Basic` in the `App settings` tab



- Click "Show" next to the App secret.



#### .env Configuration

- Copy the `App ID` and `App Secret` and paste them into the `.env` file as follows:

```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain

FACEBOOK_CLIENT_ID=your_app_id
FACEBOOK_CLIENT_SECRET=your_app_secret
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
```

- Save the `.env` file.

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

---

### GitHub

#### Create a GitHub Application

- Go to your **[Github Developer settings](https://github.com/settings/apps)**
- Create a new Github app



#### GitHub Application Configuration

- Give it a `GitHub App name` and set your `Homepage URL`
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`



- Add a valid `Callback URL`:
- Example for localhost: `http://localhost:3080/oauth/github/callback`
- Example for a domain: `https://example.com/oauth/github/callback`



- Uncheck the box labeled `Active` in the `Webhook` section



- Scroll down to `Account permissions` and set `Email addresses` to `Access: Read-only`





- Click on `Create GitHub App`



#### .env Configuration

- Click `Generate a new client secret`



- Copy the `Client ID` and `Client Secret` in the `.env` file



```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain

GITHUB_CLIENT_ID=your_client_id
GITHUB_CLIENT_SECRET=your_client_secret
GITHUB_CALLBACK_URL=/oauth/github/callback
```

- Save the `.env` file

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

---

### Google

#### Create a Google Application

- Visit: **[Google Cloud Console](https://cloud.google.com)** and open the `Console`



- Create a New Project and give it a name





#### Google Application Configuration

- Select the project you just created and go to `APIs and Services`





- Select `Credentials` and click `CONFIGURE CONSENT SCREEN`



- Select `External` then click `CREATE`



- Fill in your App information

> Note: You can get a logo from your LibreChat folder here: `docs\assets\favicon_package\android-chrome-192x192.png`



- Configure your `App domain` and add your `Developer contact information` then click `SAVE AND CONTINUE`



- Configure the `Sopes`
- Add `email`,`profile` and `openid`
- Click `UPDATE` and `SAVE AND CONTINUE`





- Click `SAVE AND CONTINUE`
- Review your app and go back to dashboard

- Go back to the `Credentials` tab, click on `+ CREATE CREDENTIALS` and select `OAuth client ID`



- Select `Web application` and give it a name



- Configure the `Authorized JavaScript origins`, you can add both your domain and localhost if you desire
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`



- Add a valid `Authorized redirect URIs`
- Example for localhost: `http://localhost:3080/oauth/google/callback`
- Example for a domain: `https://example.com/oauth/google/callback`



#### .env Configuration

- Click `CREATE` and copy your `Client ID` and `Client secret`



- Add them to your `.env` file:

```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain

GOOGLE_CLIENT_ID=your_client_id
GOOGLE_CLIENT_SECRET=your_client_secret
GOOGLE_CALLBACK_URL=/oauth/github/callback
```

- Save the `.env` file

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes

---

### OpenID with AWS Cognito

#### Create a new User Pool in Cognito

- Visit: **[https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito/)**
- Sign in as Root User
- Click on `Create user pool`



#### Configure sign-in experience

Your Cognito user pool sign-in options should include `User Name` and `Email`.



#### Configure Security Requirements

You can configure the password requirements now if you desire



#### Configure sign-up experience

Choose the attributes required at signup. The minimum required is `name`. If you want to require users to use their full name at sign up use: `given_name` and `family_name` as required attributes.



#### Configure message delivery

Send email with Cognito can be used for free for up to 50 emails a day



#### Integrate your app

Select `Use Cognitio Hosted UI` and chose a domain name



Set the app type to `Confidential client`
Make sure `Generate a client secret` is set.
Set the `Allowed callback URLs` to `https://YOUR_DOMAIN/oauth/openid/callback`



Under `Advanced app client settings` make sure `Profile` is included in the `OpenID Connect scopes` (in the bottom)



#### Review and create
You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration









#### Get your environment variables

1. Open your User Pool



2. The `User Pool ID` and your AWS region will be used to construct the `OPENID_ISSUER` (see below)




3. Go to the `App Integrations` tab



4. Open the app client



5. Toggle `Show Client Secret`



- Use the `Client ID` for `OPENID_CLIENT_ID`

- Use the `Client secret` for `OPENID_CLIENT_SECRET`

- Generate a random string for the `OPENID_SESSION_SECRET`

> The `OPENID_SCOPE` and `OPENID_CALLBACK_URL` are pre-configured with the correct values

6. Open the `.env` file at the root of your LibreChat folder and add the following variables with the values you copied:

```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain

OPENID_CLIENT_ID=Your client ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
```
7. Save the .env file

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes


---

### OpenID with Azure AD

1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account.
2. In the search box, type "Azure Active Directory" and click on it.
3. On the left menu, click on App registrations and then on New registration.
4. Give your app a name and select Web as the platform type.
5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register.
6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere.
7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit grant and hybrid flows.
8. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a name and an expiration date and click on Add.
9. You will see a Value column with your secret. Copy it and save it somewhere. Don't share it with anyone!
10. Open the .env file in your project folder and add the following variables with the values you copied:

```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain

OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone
```
11. Save the .env file

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes


---
### OAuth2
- [Discord](./OAuth2-and-OIDC/discord.md)
- [GitHub](./OAuth2-and-OIDC/github.md)
- [Google](./OAuth2-and-OIDC/google.md)
- [Facebook](./OAuth2-and-OIDC/facebook.md)
### OpenID Connect
- [AWS Cognito](./OAuth2-and-OIDC/aws.md)
- [Azure Entra/AD](./OAuth2-and-OIDC/azure.md)
- [Keycloak](./OAuth2-and-OIDC/keycloak.md)
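Review bot: nothing in this hunk documents the role filtering the commit title announces ("Required OpenID Role"); it only moves the inline provider guides out to `./OAuth2-and-OIDC/*.md` links, so please confirm that `aws.md`, `azure.md` and `keycloak.md` describe the new role-requirement settings and what an operator should expect when a signed-in user's token does not carry the required role, otherwise the feature ships undocumented. When the removed text is carried into those pages, take the chance to fix the defects it contained: `GOOGLE_CALLBACK_URL=/oauth/github/callback` in the Google block should be `/oauth/google/callback`, and `Sopes` and `Cognitio` are typos. The Azure steps also tell the reader to enable `Access tokens` and `ID tokens` under `Implicit grant and hybrid flows`; for a confidential client using the authorization-code flow with a client secret this is not required, so the moved page should not present it as mandatory.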