🛂 feat: Required OpenID Role (#2279)

* feat: add possibility to filter by roles for OpenID provider

---------

Co-authored-by: Sirius <siriusfrk@gmail.com>
Danny Avila 2024-04-02 03:08:17 -04:00 committed by GitHub
parent 49753a35e5
commit 1bafe80e78
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 599 additions and 441 deletions


@ -316,6 +316,9 @@ OPENID_ISSUER=
OPENID_SESSION_SECRET= OPENID_SESSION_SECRET=
OPENID_SCOPE="openid profile email" OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_REQUIRED_ROLE=
OPENID_REQUIRED_ROLE_TOKEN_KIND=
OPENID_REQUIRED_ROLE_PARAMETER_PATH=
OPENID_BUTTON_LABEL= OPENID_BUTTON_LABEL=
OPENID_IMAGE_URL= OPENID_IMAGE_URL=
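Review bot: the three new keys are added to the example file without any hint of their accepted values, and the surrounding `OPENID_*` lines give no clue either. `OPENID_REQUIRED_ROLE_TOKEN_KIND` only has two meaningful values in the strategy, so document them inline, e.g. `OPENID_REQUIRED_ROLE_TOKEN_KIND= # access or id`, and note that `OPENID_REQUIRED_ROLE_PARAMETER_PATH` is a dot-separated claim path such as `realm_access.roles`.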


@ -2,6 +2,7 @@ const fs = require('fs');
const path = require('path'); const path = require('path');
const axios = require('axios'); const axios = require('axios');
const passport = require('passport'); const passport = require('passport');
const jwtDecode = require('jsonwebtoken/decode');
const { Issuer, Strategy: OpenIDStrategy } = require('openid-client'); const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
const { logger } = require('~/config'); const { logger } = require('~/config');
const User = require('~/models/User'); const User = require('~/models/User');
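Review bot: `jsonwebtoken/decode` parses the token without checking its signature, so the roles read from it can be trusted only because the tokenset is obtained directly from the provider's token endpoint by `openid-client` (which also validates the ID token itself). A one-line comment at this import, or at the call site, stating that assumption would stop a later refactor from feeding the decoder a token taken from the incoming request.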
@ -44,7 +45,9 @@ async function setupOpenId() {
client_secret: process.env.OPENID_CLIENT_SECRET, client_secret: process.env.OPENID_CLIENT_SECRET,
redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL], redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
}); });
const requiredRole = process.env.OPENID_REQUIRED_ROLE;
const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
const openidLogin = new OpenIDStrategy( const openidLogin = new OpenIDStrategy(
{ {
client, client,
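Review bot: the three values are read here but never validated, so a misconfiguration only surfaces inside the verify callback at login time: with `OPENID_REQUIRED_ROLE` set and `OPENID_REQUIRED_ROLE_PARAMETER_PATH` unset, the later `requiredRoleParameterPath.split('.')` throws on `undefined`. Check at setup that, whenever `requiredRole` is set, the path is present and `requiredRoleTokenKind` is `'access'` or `'id'`, and log and fail fast otherwise.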
@ -71,6 +74,36 @@ async function setupOpenId() {
fullName = userinfo.username || userinfo.email; fullName = userinfo.username || userinfo.email;
} }
if (requiredRole) {
let decodedToken = '';
if (requiredRoleTokenKind === 'access') {
decodedToken = jwtDecode(tokenset.access_token);
} else if (requiredRoleTokenKind === 'id') {
decodedToken = jwtDecode(tokenset.id_token);
}
const pathParts = requiredRoleParameterPath.split('.');
let found = true;
let roles = pathParts.reduce((o, key) => {
if (o === null || o === undefined || !(key in o)) {
found = false;
return [];
}
return o[key];
}, decodedToken);
if (!found) {
console.error(
`Key '${requiredRoleParameterPath}' not found in ${requiredRoleTokenKind} token!`,
);
}
if (!roles.includes(requiredRole)) {
return done(null, false, {
message: `You must have the "${requiredRole}" role to log in.`,
});
}
}
if (!user) { if (!user) {
user = new User({ user = new User({
provider: 'openid', provider: 'openid',
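Review bot: the role check can throw instead of denying when the configuration or the claim shape is unexpected. If `requiredRoleTokenKind` is neither `'access'` nor `'id'`, `decodedToken` stays `''` and `key in ''` raises a TypeError on the first reduce step; and `roles.includes(requiredRole)` is called on whatever the path resolves to, so a string claim gives a substring match (`'administrator'` would satisfy a required role of `admin`) and a number or object throws. Resolve the token kind up front and guard the membership test with `if (!Array.isArray(roles) || !roles.includes(requiredRole)) { return done(null, false, { message: ... }); }`. Also prefer the already imported `logger.error` over `console.error` for the not-found message so the denial appears in the normal logs.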


@ -0,0 +1,114 @@
---
title: AWS Cognito
description: Learn how to configure LibreChat to use AWS Cognito for user authentication.
weight: -7
---
# AWS Cognito
## Create a new User Pool in Cognito
- Visit: **[https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito/)**
- Sign in as Root User
- Click on `Create user pool`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e9b412c3-2cf1-4f54-998c-d1d6c12581a5)
## Configure sign-in experience
Your Cognito user pool sign-in options should include `User Name` and `Email`.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/d2cf362d-469e-4993-8466-10282da114c2)
## Configure Security Requirements
You can configure the password requirements now if you desire
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e125e8f1-961b-4a38-a6b7-ed1faf29c4a3)
## Configure sign-up experience
Choose the attributes required at signup. The minimum required is `name`. If you want to require users to use their full name at sign up use: `given_name` and `family_name` as required attributes.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/558b8e2c-afbd-4dd1-87f3-c409463b5f7c)
## Configure message delivery
Send email with Cognito can be used for free for up to 50 emails a day
![image](https://github.com/danny-avila/LibreChat/assets/32828263/fcb2323b-708e-488c-9420-7eb482974648)
## Integrate your app
Select `Use Cognitio Hosted UI` and chose a domain name
![image](https://github.com/danny-avila/LibreChat/assets/32828263/111b3dd4-3b20-4e3e-80e1-7167d2ad0f62)
Set the app type to `Confidential client`
Make sure `Generate a client secret` is set.
Set the `Allowed callback URLs` to `https://YOUR_DOMAIN/oauth/openid/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/1f92a532-7c4d-4632-a55d-9d00bf77fc4d)
Under `Advanced app client settings` make sure `Profile` is included in the `OpenID Connect scopes` (in the bottom)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/5b035eae-4a8e-482c-abd5-29cee6502eeb)
## Review and create
You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8b2374-9adb-4065-85dc-a087d625372d)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/67efb1e9-dfe3-4ebd-9ebb-92186c514b5c)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/9f819175-ace1-44b1-ba68-af21ac9f6735)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3e7b8b17-4e12-49af-99cf-78981d6331df)
## Get your environment variables
1. Open your User Pool
![image](https://github.com/danny-avila/LibreChat/assets/32828263/b658ff2a-d252-4f3d-90a7-9fbde42c01db)
2. The `User Pool ID` and your AWS region will be used to construct the `OPENID_ISSUER` (see below)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8ae403-cbff-4aae-9eee-42d7cf3485e7)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/d606f5c8-c60b-4d20-bdb2-d0d69e49ea1e)
3. Go to the `App Integrations` tab
![image](https://github.com/danny-avila/LibreChat/assets/32828263/58713bdc-24bc-47de-bdca-020dc321e997)
4. Open the app client
![image](https://github.com/danny-avila/LibreChat/assets/32828263/271bf7d2-3df2-43a7-87fc-e50294e49b2e)
5. Toggle `Show Client Secret`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/a844fe65-313d-4754-81b4-380336e0e336)
- Use the `Client ID` for `OPENID_CLIENT_ID`
- Use the `Client secret` for `OPENID_CLIENT_SECRET`
- Generate a random string for the `OPENID_SESSION_SECRET`
> The `OPENID_SCOPE` and `OPENID_CALLBACK_URL` are pre-configured with the correct values
6. Open the `.env` file at the root of your LibreChat folder and add the following variables with the values you copied:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your client ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
```
7. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
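Review bot: two typos in the Integrate your app section: `Use Cognitio Hosted UI` should read `Use Cognito Hosted UI`, and "chose a domain name" should be "choose a domain name". This page is also added in the same commit that introduces `OPENID_REQUIRED_ROLE`, `OPENID_REQUIRED_ROLE_TOKEN_KIND` and `OPENID_REQUIRED_ROLE_PARAMETER_PATH`, yet unlike the Azure and Keycloak pages it never mentions them; a short optional step giving the claim path to use with Cognito would make the feature discoverable here.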


@ -0,0 +1,59 @@
---
title: Azure Entra
description: Learn how to configure LibreChat to use Azure Entra for user authentication.
weight: -6
---
# OpenID with Azure Entra
1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account.
2. In the search box, type "Azure Entra" and click on it.
3. On the left menu, click on App registrations and then on New registration.
4. Give your app a name and select Web as the platform type.
5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/2b1aabce-850e-4165-bf76-3c1984f10b6c)
6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the
Directory (tenant) ID and save them somewhere.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/e67d5e97-e26d-48a5-aa6e-50de4450b1fd)
7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit
grant and hybrid flows.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/88a16cbc-ff68-4b3a-ba7b-b380cc3d2366)
8. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a
name and an expiration date and click on Add. You will see a Value column with your secret. Copy it and
save it somewhere. Don't share it with anyone!
![image](https://github.com/danny-avila/LibreChat/assets/6623884/31aa6cee-5402-4ce0-a950-1b7e147aafc8)
9. If you want to restrict access by groups you should add the groups claim to the token. To do this, go to
Token configuration and click on Add group claim. Select the groups you want to include in the token and click on Add.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/c9d353f5-2cb2-4f00-b4f0-493cfec8fe9a)
10. Open the .env file in your project folder and add the following variables with the values you copied:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone
# If you want to restrict access by groups
OPENID_REQUIRED_ROLE_TOKEN_KIND=id
OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles"
OPENID_REQUIRED_ROLE="Your Group Name"
```
11. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
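Review bot: step 9 adds a groups claim, but the `.env` block reads the `roles` path and expects a group name in `OPENID_REQUIRED_ROLE`; if the token emits the group under a different claim name, or as an identifier rather than a display name, `roles.includes(requiredRole)` never matches and every login is denied. Decode an ID token issued with this configuration and document the claim name and value format actually present. Separately, step 7 enables the implicit-grant token checkboxes, which the authorization-code flow used by `openid-client` with a client secret should not need; confirm they are required before documenting them, since implicit grant only widens what the app registration will issue.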


@ -0,0 +1,49 @@
---
title: Discord
description: Learn how to configure LibreChat to use Discord for user authentication.
weight: -11
---
# Discord
## Create a new Discord Application
- Go to **[Discord Developer Portal](https://discord.com/developers)**
- Create a new Application and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/32828263/7e7cdfa0-d1d6-4b6b-a8a9-905aaa40d135)
## Discord Application Configuration
- In the OAuth2 general settings add a valid redirect URL:
- Example for localhost: `http://localhost:3080/oauth/discord/callback`
- Example for a domain: `https://example.com/oauth/discord/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/6c56fb92-f4ab-43b9-981b-f98babeeb19d)
- In `Default Authorization Link`, select `In-app Authorization` and set the scopes to `applications.commands`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ce94670-9422-48d2-97e9-ec40bd331573)
- Save changes and reset the Client Secret
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3af164fc-66ed-4e5e-9f5a-9bcab3df37b4)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ece3935-68e6-4f2e-8656-9721cba5388a)
## .env Configuration
- Paste your `Client ID` and `Client Secret` in the `.env` file:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DISCORD_CLIENT_ID=your_client_id
DISCORD_CLIENT_SECRET=your_client_secret
DISCORD_CALLBACK_URL=/oauth/discord/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes


@ -0,0 +1,83 @@
---
title: Facebook
description: Learn how to configure LibreChat to use Facebook for user authentication.
weight: -8
---
# Facebook - WIP
> ⚠️ **Warning: Work in progress, not currently functional**
> ❗ Note: Facebook Authentication will not work from `localhost`
## Create a Facebook Application
- Go to the **[Facebook Developer Portal](https://developers.facebook.com/)**
- Click on "My Apps" in the header menu
![image](https://github.com/danny-avila/LibreChat/assets/32828263/b75ccb8b-d56b-41b7-8b0d-a32c2e762962)
- Create a new application
![image](https://github.com/danny-avila/LibreChat/assets/32828263/706f050d-5423-44cc-80f0-120913695d8f)
- Select "Authenticate and request data from users with Facebook Login"
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ebbb571-afe8-429e-ab39-be6e83d12c01)
- Choose "No, I'm not creating a game"
![image](https://github.com/danny-avila/LibreChat/assets/32828263/88b5160a-9c72-414a-bbcc-7717b81106f3)
- Provide an `app name` and `App contact email` and click `Create app`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e1282c9e-4e7d-4cbe-82c9-cc76967f83e1)
## Facebook Application Configuration
- In the side menu, select "Use cases" and click "Customize" under "Authentication and account creation."
![image](https://github.com/danny-avila/LibreChat/assets/32828263/39f4bb70-d9dc-4d1c-8443-2666fe56499b)
- Add the `email permission`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dfa20879-2cb8-4daf-883d-3790854afca0)
- Now click `Go to settings`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/512213a2-bd8b-4fd3-96c7-0de6d3222ddd)
- Ensure that `Client OAuth login`, `Web OAuth login` and `Enforce HTTPS` are **enabled**.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3a7d935b-97bf-493b-b909-39ecf9b3432b)
- Add a `Valid OAuth Redirect URIs` and "Save changes"
- Example for a domain: `https://example.com/oauth/facebook/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/ef8e54ee-a766-4871-9719-d4eff7a770b6)
- Click `Go back` and select `Basic` in the `App settings` tab
![image](https://github.com/danny-avila/LibreChat/assets/32828263/0d14f702-5183-422e-a12c-5d1b6031581b)
- Click "Show" next to the App secret.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/9a009e37-2bb6-4da6-b5c7-9139c3db6185)
## .env Configuration
- Copy the `App ID` and `App Secret` and paste them into the `.env` file as follows:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
FACEBOOK_CLIENT_ID=your_app_id
FACEBOOK_CLIENT_SECRET=your_app_secret
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
```
- Save the `.env` file.
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes


@ -0,0 +1,65 @@
---
title: GitHub
description: Learn how to configure LibreChat to use GitHub for user authentication.
weight: -10
---
# GitHub
## Create a GitHub Application
- Go to your **[Github Developer settings](https://github.com/settings/apps)**
- Create a new Github app
![image](https://github.com/danny-avila/LibreChat/assets/138638445/3a8b88e7-78f8-426e-bfc2-c5e3f8b21ccb)
## GitHub Application Configuration
- Give it a `GitHub App name` and set your `Homepage URL`
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/f10d497d-460b-410f-9504-08735662648b)
- Add a valid `Callback URL`:
- Example for localhost: `http://localhost:3080/oauth/github/callback`
- Example for a domain: `https://example.com/oauth/github/callback`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e7e6dba-0afb-4ed8-94bf-4c61b0f29240)
- Uncheck the box labeled `Active` in the `Webhook` section
![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaeb3ecb-2e76-4ea5-8264-edfbdd53de1a)
- Scroll down to `Account permissions` and set `Email addresses` to `Access: Read-only`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/3e561aa4-1f9e-4cb7-ace8-dbba8f0c0d55)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/7b5f99af-7bde-43ee-9b43-6d3ce79ee00a)
- Click on `Create GitHub App`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4cc48550-eac3-4970-939b-81a23fa9c7cf)
## .env Configuration
- Click `Generate a new client secret`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/484c7851-71dd-4167-a59e-9a56c4e08c36)
- Copy the `Client ID` and `Client Secret` in the `.env` file
![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaf78840-48a9-44e1-9625-4109ed91d965)
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
GITHUB_CLIENT_ID=your_client_id
GITHUB_CLIENT_SECRET=your_client_secret
GITHUB_CALLBACK_URL=/oauth/github/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
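Review bot: `Github` is spelled inconsistently ("Github Developer settings", "Create a new Github app") against `GitHub` in the headings and the rest of this page; standardise on GitHub.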


@ -0,0 +1,97 @@
---
title: Google
description: Learn how to configure LibreChat to use Google for user authentication.
weight: -9
---
# Google
## Create a Google Application
- Visit: **[Google Cloud Console](https://cloud.google.com)** and open the `Console`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/a7d290ea-6031-43b3-b367-36ce00e46f20)
- Create a New Project and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/138638445/ce71c9ca-7ddd-4021-9133-a872c64c20c4)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/8abbd41e-8332-4851-898d-9cddb373c527)
## Google Application Configuration
- Select the project you just created and go to `APIs and Services`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/c6265582-2cf6-430f-ae51-1edbdd9f2c48)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/006e16ba-56b8-452d-b324-5f2d202637ab)
- Select `Credentials` and click `CONFIGURE CONSENT SCREEN`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/e4285cbb-833f-4366-820d-addf04a2ad77)
- Select `External` then click `CREATE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/232d46c0-dd00-4637-b538-3ba3bdbdc0b2)
- Fill in your App information
> Note: You can get a logo from your LibreChat folder here: `docs\assets\favicon_package\android-chrome-192x192.png`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/e6c4c8ec-2f02-4af5-9458-c72394d0b7c5)
- Configure your `App domain` and add your `Developer contact information` then click `SAVE AND CONTINUE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/6c2aa557-9b9b-412d-bc2b-76a0dc11f394)
- Configure the `Sopes`
- Add `email`,`profile` and `openid`
- Click `UPDATE` and `SAVE AND CONTINUE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/46af2fb9-8cfd-41c5-a763-814b308e45c3)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e832970-d392-4c67-bb38-908a5c51660a)
- Click `SAVE AND CONTINUE`
- Review your app and go back to dashboard
- Go back to the `Credentials` tab, click on `+ CREATE CREDENTIALS` and select `OAuth client ID`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/beef1982-55a3-4837-8e8c-20bad8d846ba)
- Select `Web application` and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/138638445/badde864-f6b5-468f-a72f-bac93326ffa5)
- Configure the `Authorized JavaScript origins`, you can add both your domain and localhost if you desire
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/f7e3763a-5f74-4850-8638-44f81693b9ac)
- Add a valid `Authorized redirect URIs`
- Example for localhost: `http://localhost:3080/oauth/google/callback`
- Example for a domain: `https://example.com/oauth/google/callback`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/0db34b19-d780-4651-9c2f-d33e24a74d55)
## .env Configuration
- Click `CREATE` and copy your `Client ID` and `Client secret`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/fa8572bf-f482-457a-a285-aec7d41af76b)
- Add them to your `.env` file:
```bash
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
GOOGLE_CLIENT_ID=your_client_id
GOOGLE_CLIENT_SECRET=your_client_secret
GOOGLE_CALLBACK_URL=/oauth/github/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
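Review bot: the `.env` block sets `GOOGLE_CALLBACK_URL=/oauth/github/callback`, which contradicts the redirect URI configured two steps earlier (`/oauth/google/callback`) and the value shown in the dotenv reference in this same commit; with this value Google will reject the login with a redirect URI mismatch. Also `Sopes` should be `Scopes`, and the logo path `docs\assets\favicon_package\android-chrome-192x192.png` uses backslashes where the rest of the docs use forward slashes.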


@ -0,0 +1,68 @@
---
title: Keycloak
description: Learn how to configure LibreChat to use Keycloak for user authentication.
weight: -5
---
# Keycloak
1. **Access Keycloak Admin Console:**
- Open the Keycloak Admin Console in your web browser. This is usually
found at a URL like `http://localhost:8080/auth/admin/`.
2. **Create a Realm (if necessary):**
- If you don't already have a realm for your application, create one. Click on 'Add Realm' and give it a name.
3. **Create a Client:**
- Within your realm, click on 'Clients' and then 'Create'.
- Enter a client ID and select 'openid-connect' as the Client Protocol.
- Set 'Client Authentication' to 'On'.
- In 'Valid Redirect URIs', enter `http://localhost:3080/oauth/openid/callback` or the appropriate URI for
your application.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/d956de3d-e1f7-4327-818a-f146eb86a949)
![image](https://github.com/danny-avila/LibreChat/assets/6623884/fbefbc05-b4ec-4122-8229-54a0a5876d76)
![image](https://github.com/danny-avila/LibreChat/assets/6623884/f75c7b0f-030e-4182-bf87-ccf3aeae17d4)
4. **Configure Client:**
- After creating the client, you will be redirected to its settings page.
- Note the 'Client ID' and 'Secret' from the 'Credentials' tab you'll need these for your application.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/b1c1f0b6-641b-4cf7-a7f1-a9a32026d51b)
5. **Add Roles (Optional):**
If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users.
- Go to the 'Roles' tab in your client or realm (depending on where you want to define the roles).
- Create a new role that matches the value you have in `OPENID_REQUIRED_ROLE`.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/67ca635f-5082-4dcc-97ac-019029a81d7c)
6. **Assign Roles to Users (Optional):**
- Go to 'Users', select a user, and go to the 'Role Mappings' tab.
- Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/f2ea70ed-e16c-4ec8-b84f-79fbfca627be)
7. **Get path of roles list inside token (Optional):**
- Decode your jwtToken from OpenID provider and determine path for roles list inside access token. For example, if you are
using Keycloak, the path is `realm_access.roles`.
- Put this path in `OPENID_REQUIRED_ROLE_PARAMETER_PATH` variable in `.env` file.
- By parameter `OPENID_REQUIRED_ROLE_TOKEN_KIND` you can specify which token kind you want to use.
Possible values are `access` and `id`.
8**Update Your Project's Configuration:**
- Open the `.env` file in your project folder and add the following variables:
```
OPENID_ISSUER=http://localhost:8080/auth/realms/[YourRealmName]
OPENID_CLIENT_ID=[YourClientID]
OPENID_CLIENT_SECRET=[YourClientSecret]
OPENID_CALLBACK_URL=http://localhost:3080/oauth/openid/callback
OPENID_SCOPE="openid profile email"
OPENID_REQUIRED_ROLE=[YourRequiredRole]
OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id)
OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"
```
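Review bot: `OPENID_CALLBACK_URL=http://localhost:3080/oauth/openid/callback` is an absolute URL, but the strategy builds `redirect_uris` as `DOMAIN_SERVER + OPENID_CALLBACK_URL`, so this value yields a doubled origin and a redirect URI mismatch; use the relative `/oauth/openid/callback` as on the other provider pages, and add `DOMAIN_SERVER` and `OPENID_SESSION_SECRET`, which this block omits. Step 5 lets the role be defined at client or realm level, but step 7 documents only the realm-level path `realm_access.roles`; a client role is emitted under a different claim, so either state that the role must be a realm role or give the client-role path as well. Minor: "8**Update Your Project's Configuration:**" is missing the `. ` after the number, the code block lacks the `bash` tag the other pages use, and step 4 needs a separator ("from the 'Credentials' tab; you'll need these").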


@ -16,7 +16,7 @@ Alternatively, you can create a new file named `docker-compose.override.yml` in
For more info see: For more info see:
- Our quick guide: - Our quick guide:
- **[Docker Override](../configuration/docker_override.md)** - **[Docker Override](./docker_override.md)**
- The official docker documentation: - The official docker documentation:
- **[docker docs - understanding-multiple-compose-files](https://docs.docker.com/compose/multiple-compose-files/extends/#understanding-multiple-compose-files)** - **[docker docs - understanding-multiple-compose-files](https://docs.docker.com/compose/multiple-compose-files/extends/#understanding-multiple-compose-files)**
@ -274,7 +274,7 @@ DALLE2_API_KEY=your-azure-api-key-for-dall-e-2
### BingAI ### BingAI
Bing, also used for Sydney, jailbreak, and Bing Image Creator, see: [Bing Access token](./ai_setup.md#bingai) and [Bing Jailbreak](../../features/bing_jailbreak.md) Bing, also used for Sydney, jailbreak, and Bing Image Creator, see: [Bing Access token](./ai_setup.md#bingai) and [Bing Jailbreak](../../features/bing_jailbreak.md)
- Follow these instructions to get your bing access token (it's best to use the full cookie string for that purpose): **[Bing Access Token](../configuration/ai_setup.md#bingai)** - Follow these instructions to get your bing access token (it's best to use the full cookie string for that purpose): **[Bing Access Token](./ai_setup.md#bingai)**
- Leave `BINGAI_TOKEN=` blank to disable this endpoint - Leave `BINGAI_TOKEN=` blank to disable this endpoint
- Set `BINGAI_TOKEN=` to "user_provided" to allow users to provide their own API key from the WebUI - Set `BINGAI_TOKEN=` to "user_provided" to allow users to provide their own API key from the WebUI
@ -719,7 +719,7 @@ CHECK_BALANCE=false
``` ```
### Registration and Login ### Registration and Login
see: **[User/Auth System](../configuration/user_auth_system.md)** see: **[User/Auth System](./user_auth_system.md)**
![image](https://github.com/danny-avila/LibreChat/assets/81851188/52a37d1d-7392-4a9a-a79f-90ed2da7f841) ![image](https://github.com/danny-avila/LibreChat/assets/81851188/52a37d1d-7392-4a9a-a79f-90ed2da7f841)
@ -757,9 +757,9 @@ JWT_REFRESH_SECRET=eaa5191f2914e30b9387fd84e254e4ba6fc51b4654968a9b0803b456a54b8
### Social Logins ### Social Logins
#### [Discord Authentication](../configuration/user_auth_system.md#discord) #### [Discord Authentication](./OAuth2-and-OIDC/discord.md)
for more information: **[Discord](../configuration/user_auth_system.md#discord)** for more information: **[Discord](./OAuth2-and-OIDC/discord.md)**
```bash ```bash
# Discord # Discord
@ -768,9 +768,9 @@ DISCORD_CLIENT_SECRET=your_client_secret
DISCORD_CALLBACK_URL=/oauth/discord/callback DISCORD_CALLBACK_URL=/oauth/discord/callback
``` ```
#### [Facebook Authentication](../configuration/user_auth_system.md#facebook) #### [Facebook Authentication](./OAuth2-and-OIDC/facebook.md)
for more information: **[Facebook Authentication](../configuration/user_auth_system.md#facebook)** for more information: **[Facebook Authentication](./OAuth2-and-OIDC/facebook.md)**
```bash ```bash
# Facebook # Facebook
@ -779,9 +779,9 @@ FACEBOOK_CLIENT_SECRET=
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
``` ```
#### [GitHub Authentication](../configuration/user_auth_system.md#github) #### [GitHub Authentication](./OAuth2-and-OIDC/github.md)
for more information: **[GitHub Authentication](../configuration/user_auth_system.md#github)** for more information: **[GitHub Authentication](./OAuth2-and-OIDC/github.md)**
```bash ```bash
# GitHub # GitHub
@ -790,9 +790,9 @@ GITHUB_CLIENT_SECRET=your_client_secret
GITHUB_CALLBACK_URL=/oauth/github/callback GITHUB_CALLBACK_URL=/oauth/github/callback
``` ```
#### [Google Authentication](../configuration/user_auth_system.md#google) #### [Google Authentication](./OAuth2-and-OIDC/google.md)
for more information: **[Google Authentication](../configuration/user_auth_system.md#google)** for more information: **[Google Authentication](./OAuth2-and-OIDC/google.md)**
```bash ```bash
# Google # Google
@ -801,9 +801,9 @@ GOOGLE_CLIENT_SECRET=
GOOGLE_CALLBACK_URL=/oauth/google/callback GOOGLE_CALLBACK_URL=/oauth/google/callback
``` ```
#### [OpenID Authentication](../configuration/user_auth_system.md#openid-with-aws-cognito) #### [OpenID Authentication](./OAuth2-and-OIDC/aws.md)
for more information: **[Azure OpenID Authentication](../configuration/user_auth_system.md#openid-with-azure-ad)** or **[AWS Cognito OpenID Authentication](../configuration/user_auth_system.md#openid-with-aws-cognito)** for more information: **[Azure OpenID Authentication](./OAuth2-and-OIDC/azure.md)** or **[AWS Cognito OpenID Authentication](./OAuth2-and-OIDC/aws.md)**
```bash ```bash
# OpenID # OpenID
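Review bot: the OpenID Authentication heading and its "for more information" line now point only at the AWS and Azure pages, while this same commit adds a Keycloak page and lists it next to them in the social-authentication index; link it here as well.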
@ -813,13 +813,15 @@ OPENID_ISSUER=
OPENID_SESSION_SECRET= OPENID_SESSION_SECRET=
OPENID_SCOPE="openid profile email" OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_BUTTON_LABEL= OPENID_BUTTON_LABEL=
OPENID_IMAGE_URL= OPENID_IMAGE_URL=
OPENID_REQUIRED_ROLE_TOKEN_KIND=
OPENID_REQUIRED_ROLE=
OPENID_REQUIRED_ROLE_PARAMETER_PATH=
``` ```
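Review bot: the three new keys are appended without a description, although every other variable in this reference is explained. Add a line stating that `OPENID_REQUIRED_ROLE_TOKEN_KIND` is `access` or `id`, that `OPENID_REQUIRED_ROLE_PARAMETER_PATH` is the dot-separated claim path, and that leaving `OPENID_REQUIRED_ROLE` empty disables the check (per the `if (requiredRole)` guard in the strategy). The order here (kind, role, path) also differs from `.env.example` (role, kind, path); keep them the same.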
### Email Password Reset ### Email Password Reset
Email is used for password reset. See: **[Email Password Reset](../configuration/user_auth_system.md#email-and-password-reset)** Email is used for password reset. See: **[Email Password Reset](./user_auth_system.md#email-and-password-reset)**
- Note that all either service or host, username and password and the From address must be set for email to work. - Note that all either service or host, username and password and the From address must be set for email to work.


@ -166,431 +166,16 @@ EMAIL_FROM_NAME="My LibreChat Server"
--- ---
## Social Authentication - Setup and Configuration ## Social Authentication
![image](https://github.com/danny-avila/LibreChat/assets/138638445/cacc2ee0-acf9-4d05-883a-ca9952de1165) ![image](https://github.com/danny-avila/LibreChat/assets/138638445/cacc2ee0-acf9-4d05-883a-ca9952de1165)
### Discord ### OAuth2
- [Discord](./OAuth2-and-OIDC/discord.md)
#### Create a new Discord Application - [GitHub](./OAuth2-and-OIDC/github.md)
- [Google](./OAuth2-and-OIDC/google.md)
- Go to **[Discord Developer Portal](https://discord.com/developers)** - [Facebook](./OAuth2-and-OIDC/facebook.md)
### OpenID Connect
- Create a new Application and give it a name - [AWS Cognito](./OAuth2-and-OIDC/aws.md)
- [Azure Entra/AD](./OAuth2-and-OIDC/azure.md)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/7e7cdfa0-d1d6-4b6b-a8a9-905aaa40d135) - [Keycloak](./OAuth2-and-OIDC/keycloak.md)
#### Discord Application Configuration
- In the OAuth2 general settings add a valid redirect URL:
- Example for localhost: `http://localhost:3080/oauth/discord/callback`
- Example for a domain: `https://example.com/oauth/discord/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/6c56fb92-f4ab-43b9-981b-f98babeeb19d)
- In `Default Authorization Link`, select `In-app Authorization` and set the scopes to `applications.commands`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ce94670-9422-48d2-97e9-ec40bd331573)
- Save changes and reset the Client Secret
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3af164fc-66ed-4e5e-9f5a-9bcab3df37b4)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ece3935-68e6-4f2e-8656-9721cba5388a)
#### .env Configuration
- Paste your `Client ID` and `Client Secret` in the `.env` file:
```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DISCORD_CLIENT_ID=your_client_id
DISCORD_CLIENT_SECRET=your_client_secret
DISCORD_CALLBACK_URL=/oauth/discord/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
---
### Facebook - WIP
> ⚠️ **Warning: Work in progress, not currently functional**
> ❗ Note: Facebook Authentication will not work from `localhost`
#### Create a Facebook Application
- Go to the **[Facebook Developer Portal](https://developers.facebook.com/)**
- Click on "My Apps" in the header menu
![image](https://github.com/danny-avila/LibreChat/assets/32828263/b75ccb8b-d56b-41b7-8b0d-a32c2e762962)
- Create a new application
![image](https://github.com/danny-avila/LibreChat/assets/32828263/706f050d-5423-44cc-80f0-120913695d8f)
- Select "Authenticate and request data from users with Facebook Login"
![image](https://github.com/danny-avila/LibreChat/assets/32828263/2ebbb571-afe8-429e-ab39-be6e83d12c01)
- Choose "No, I'm not creating a game"
![image](https://github.com/danny-avila/LibreChat/assets/32828263/88b5160a-9c72-414a-bbcc-7717b81106f3)
- Provide an `app name` and `App contact email` and click `Create app`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e1282c9e-4e7d-4cbe-82c9-cc76967f83e1)
#### Facebook Application Configuration
- In the side menu, select "Use cases" and click "Customize" under "Authentication and account creation."
![image](https://github.com/danny-avila/LibreChat/assets/32828263/39f4bb70-d9dc-4d1c-8443-2666fe56499b)
- Add the `email permission`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dfa20879-2cb8-4daf-883d-3790854afca0)
- Now click `Go to settings`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/512213a2-bd8b-4fd3-96c7-0de6d3222ddd)
- Ensure that `Client OAuth login`, `Web OAuth login` and `Enforce HTTPS` are **enabled**.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3a7d935b-97bf-493b-b909-39ecf9b3432b)
- Add a `Valid OAuth Redirect URIs` and "Save changes"
- Example for a domain: `https://example.com/oauth/facebook/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/ef8e54ee-a766-4871-9719-d4eff7a770b6)
- Click `Go back` and select `Basic` in the `App settings` tab
![image](https://github.com/danny-avila/LibreChat/assets/32828263/0d14f702-5183-422e-a12c-5d1b6031581b)
- Click "Show" next to the App secret.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/9a009e37-2bb6-4da6-b5c7-9139c3db6185)
#### .env Configuration
- Copy the `App ID` and `App Secret` and paste them into the `.env` file as follows:
```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain
FACEBOOK_CLIENT_ID=your_app_id
FACEBOOK_CLIENT_SECRET=your_app_secret
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
```
- Save the `.env` file.
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
---
### GitHub
#### Create a GitHub Application
- Go to your **[Github Developer settings](https://github.com/settings/apps)**
- Create a new Github app
![image](https://github.com/danny-avila/LibreChat/assets/138638445/3a8b88e7-78f8-426e-bfc2-c5e3f8b21ccb)
#### GitHub Application Configuration
- Give it a `GitHub App name` and set your `Homepage URL`
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/f10d497d-460b-410f-9504-08735662648b)
- Add a valid `Callback URL`:
- Example for localhost: `http://localhost:3080/oauth/github/callback`
- Example for a domain: `https://example.com/oauth/github/callback`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e7e6dba-0afb-4ed8-94bf-4c61b0f29240)
- Uncheck the box labeled `Active` in the `Webhook` section
![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaeb3ecb-2e76-4ea5-8264-edfbdd53de1a)
- Scroll down to `Account permissions` and set `Email addresses` to `Access: Read-only`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/3e561aa4-1f9e-4cb7-ace8-dbba8f0c0d55)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/7b5f99af-7bde-43ee-9b43-6d3ce79ee00a)
- Click on `Create GitHub App`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4cc48550-eac3-4970-939b-81a23fa9c7cf)
#### .env Configuration
- Click `Generate a new client secret`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/484c7851-71dd-4167-a59e-9a56c4e08c36)
- Copy the `Client ID` and `Client Secret` in the `.env` file
![image](https://github.com/danny-avila/LibreChat/assets/138638445/aaf78840-48a9-44e1-9625-4109ed91d965)
```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain
GITHUB_CLIENT_ID=your_client_id
GITHUB_CLIENT_SECRET=your_client_secret
GITHUB_CALLBACK_URL=/oauth/github/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
---
### Google
#### Create a Google Application
- Visit: **[Google Cloud Console](https://cloud.google.com)** and open the `Console`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/a7d290ea-6031-43b3-b367-36ce00e46f20)
- Create a New Project and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/138638445/ce71c9ca-7ddd-4021-9133-a872c64c20c4)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/8abbd41e-8332-4851-898d-9cddb373c527)
#### Google Application Configuration
- Select the project you just created and go to `APIs and Services`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/c6265582-2cf6-430f-ae51-1edbdd9f2c48)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/006e16ba-56b8-452d-b324-5f2d202637ab)
- Select `Credentials` and click `CONFIGURE CONSENT SCREEN`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/e4285cbb-833f-4366-820d-addf04a2ad77)
- Select `External` then click `CREATE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/232d46c0-dd00-4637-b538-3ba3bdbdc0b2)
- Fill in your App information
> Note: You can get a logo from your LibreChat folder here: `docs\assets\favicon_package\android-chrome-192x192.png`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/e6c4c8ec-2f02-4af5-9458-c72394d0b7c5)
- Configure your `App domain` and add your `Developer contact information` then click `SAVE AND CONTINUE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/6c2aa557-9b9b-412d-bc2b-76a0dc11f394)
- Configure the `Sopes`
- Add `email`,`profile` and `openid`
- Click `UPDATE` and `SAVE AND CONTINUE`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/46af2fb9-8cfd-41c5-a763-814b308e45c3)
![image](https://github.com/danny-avila/LibreChat/assets/138638445/4e832970-d392-4c67-bb38-908a5c51660a)
- Click `SAVE AND CONTINUE`
- Review your app and go back to dashboard
- Go back to the `Credentials` tab, click on `+ CREATE CREDENTIALS` and select `OAuth client ID`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/beef1982-55a3-4837-8e8c-20bad8d846ba)
- Select `Web application` and give it a name
![image](https://github.com/danny-avila/LibreChat/assets/138638445/badde864-f6b5-468f-a72f-bac93326ffa5)
- Configure the `Authorized JavaScript origins`, you can add both your domain and localhost if you desire
- Example for localhost: `http://localhost:3080`
- Example for a domain: `https://example.com`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/f7e3763a-5f74-4850-8638-44f81693b9ac)
- Add a valid `Authorized redirect URIs`
- Example for localhost: `http://localhost:3080/oauth/google/callback`
- Example for a domain: `https://example.com/oauth/google/callback`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/0db34b19-d780-4651-9c2f-d33e24a74d55)
#### .env Configuration
- Click `CREATE` and copy your `Client ID` and `Client secret`
![image](https://github.com/danny-avila/LibreChat/assets/138638445/fa8572bf-f482-457a-a285-aec7d41af76b)
- Add them to your `.env` file:
```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain
GOOGLE_CLIENT_ID=your_client_id
GOOGLE_CLIENT_SECRET=your_client_secret
GOOGLE_CALLBACK_URL=/oauth/github/callback
```
- Save the `.env` file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
---
### OpenID with AWS Cognito
#### Create a new User Pool in Cognito
- Visit: **[https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito/)**
- Sign in as Root User
- Click on `Create user pool`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e9b412c3-2cf1-4f54-998c-d1d6c12581a5)
#### Configure sign-in experience
Your Cognito user pool sign-in options should include `User Name` and `Email`.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/d2cf362d-469e-4993-8466-10282da114c2)
#### Configure Security Requirements
You can configure the password requirements now if you desire
![image](https://github.com/danny-avila/LibreChat/assets/32828263/e125e8f1-961b-4a38-a6b7-ed1faf29c4a3)
#### Configure sign-up experience
Choose the attributes required at signup. The minimum required is `name`. If you want to require users to use their full name at sign up use: `given_name` and `family_name` as required attributes.
![image](https://github.com/danny-avila/LibreChat/assets/32828263/558b8e2c-afbd-4dd1-87f3-c409463b5f7c)
#### Configure message delivery
Send email with Cognito can be used for free for up to 50 emails a day
![image](https://github.com/danny-avila/LibreChat/assets/32828263/fcb2323b-708e-488c-9420-7eb482974648)
#### Integrate your app
Select `Use Cognitio Hosted UI` and chose a domain name
![image](https://github.com/danny-avila/LibreChat/assets/32828263/111b3dd4-3b20-4e3e-80e1-7167d2ad0f62)
Set the app type to `Confidential client`
Make sure `Generate a client secret` is set.
Set the `Allowed callback URLs` to `https://YOUR_DOMAIN/oauth/openid/callback`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/1f92a532-7c4d-4632-a55d-9d00bf77fc4d)
Under `Advanced app client settings` make sure `Profile` is included in the `OpenID Connect scopes` (in the bottom)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/5b035eae-4a8e-482c-abd5-29cee6502eeb)
#### Review and create
You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8b2374-9adb-4065-85dc-a087d625372d)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/67efb1e9-dfe3-4ebd-9ebb-92186c514b5c)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/9f819175-ace1-44b1-ba68-af21ac9f6735)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/3e7b8b17-4e12-49af-99cf-78981d6331df)
#### Get your environment variables
1. Open your User Pool
![image](https://github.com/danny-avila/LibreChat/assets/32828263/b658ff2a-d252-4f3d-90a7-9fbde42c01db)
2. The `User Pool ID` and your AWS region will be used to construct the `OPENID_ISSUER` (see below)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/dc8ae403-cbff-4aae-9eee-42d7cf3485e7)
![image](https://github.com/danny-avila/LibreChat/assets/32828263/d606f5c8-c60b-4d20-bdb2-d0d69e49ea1e)
3. Go to the `App Integrations` tab
![image](https://github.com/danny-avila/LibreChat/assets/32828263/58713bdc-24bc-47de-bdca-020dc321e997)
4. Open the app client
![image](https://github.com/danny-avila/LibreChat/assets/32828263/271bf7d2-3df2-43a7-87fc-e50294e49b2e)
5. Toggle `Show Client Secret`
![image](https://github.com/danny-avila/LibreChat/assets/32828263/a844fe65-313d-4754-81b4-380336e0e336)
- Use the `Client ID` for `OPENID_CLIENT_ID`
- Use the `Client secret` for `OPENID_CLIENT_SECRET`
- Generate a random string for the `OPENID_SESSION_SECRET`
> The `OPENID_SCOPE` and `OPENID_CALLBACK_URL` are pre-configured with the correct values
6. Open the `.env` file at the root of your LibreChat folder and add the following variables with the values you copied:
```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your client ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
```
7. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
---
### OpenID with Azure AD
1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account.
2. In the search box, type "Azure Active Directory" and click on it.
3. On the left menu, click on App registrations and then on New registration.
4. Give your app a name and select Web as the platform type.
5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register.
6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere.
7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit grant and hybrid flows.
8. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a name and an expiration date and click on Add.
9. You will see a Value column with your secret. Copy it and save it somewhere. Don't share it with anyone!
10. Open the .env file in your project folder and add the following variables with the values you copied:
```bash
DOMAIN_CLIENT=https://your-domain.com #use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com #use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone
```
11. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
---
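Review bot: the removed Google `.env` block still reads `GOOGLE_CALLBACK_URL=/oauth/github/callback`, which contradicts the redirect URI examples directly above it (`http://localhost:3080/oauth/google/callback` and `https://example.com/oauth/google/callback`); since this section is being moved to `./OAuth2-and-OIDC/google.md`, please verify the moved page says `GOOGLE_CALLBACK_URL=/oauth/google/callback`, otherwise a copied config will send users to a callback the provider was never told about. While porting, also double-check the Azure steps: step 7 asks to enable `Access tokens` and `ID tokens` under `Implicit grant and hybrid flows`, but a confidential client using the `/oauth/openid/callback` redirect configured in step 5 and a client secret (step 8) is an authorization-code flow, so enabling implicit grant is unnecessary and widens the app registration beyond what the login needs; either drop that step or state why it is required. Minor: the typos in the old text (`Sopes`, `Cognitio`, `chose a domain name`) should not be carried into the new per-provider pages.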