🔐 feat: Support Multiple Roles in OPENID_REQUIRED_ROLE (#9171)

* feat: support multiple roles in OPENID_REQUIRED_ROLE

- Allow comma-separated roles in OPENID_REQUIRED_ROLE environment variable
- User needs ANY of the specified roles to login (OR logic)
- Maintain backward compatibility with single role configuration
- Add comprehensive test coverage for multiple role scenarios

* Add tests

* Fix linter

* Add missing closing brace

* Add new line

* Simplify tests

* Refresh OpenID verify callback in tests

* Fix OpenID spec and resolve linting errors

* test: Add backward compatibility test for single required role in OpenID strategy

---------

Co-authored-by: Danny Avila <danny@librechat.ai>

api/strategies/openidStrategy.js

@@ -371,6 +371,10 @@ async function setupOpenId() {
           const fullName = getFullName(userinfo);
 
           if (requiredRole) {
+            const requiredRoles = requiredRole
+              .split(',')
+              .map((role) => role.trim())
+              .filter(Boolean);
             let decodedToken = '';
             if (requiredRoleTokenKind === 'access') {
               decodedToken = jwtDecode(tokenset.access_token);
@@ -393,9 +397,13 @@ async function setupOpenId() {
               );
             }
 
-            if (!roles.includes(requiredRole)) {
+            if (!requiredRoles.some((role) => roles.includes(role))) {
+              const rolesList =
+                requiredRoles.length === 1
+                  ? `"${requiredRoles[0]}"`
+                  : `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
               return done(null, false, {
-                message: `You must have the "${requiredRole}" role to log in.`,
+                message: `You must have ${rolesList} role to log in.`,
               });
             }
           }