mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-16 20:56:35 +01:00
When Azure AD users belong to 200+ groups, group claims are moved out of the ID token (overage). The existing resolveGroupsFromOverage() called Microsoft Graph directly with the app-audience access token, which Graph rejected (401/403).

Changes:
- Add exchangeTokenForOverage() dedicated OBO exchange with User.Read scope
- Update resolveGroupsFromOverage() to exchange token before Graph call
- Add overage handling to OPENID_ADMIN_ROLE block (was silently failing)
- Share resolved overage groups between required role and admin role checks
- Always resolve via Graph when overage detected (even with partial groups)
- Remove debug-only bypass that forced Graph resolution
- Add tests for OBO exchange, caching, and admin role overage scenarios

Co-authored-by: Airam Hernández Hernández <airam.hernandez@intelequia.com>
| Name |
|---|
| appleStrategy.js |
| appleStrategy.test.js |
| discordStrategy.js |
| facebookStrategy.js |
| githubStrategy.js |
| googleStrategy.js |
| index.js |
| jwtStrategy.js |
| ldapStrategy.js |
| ldapStrategy.spec.js |
| localStrategy.js |
| openIdJwtStrategy.js |
| openIdJwtStrategy.spec.js |
| openidStrategy.js |
| openidStrategy.spec.js |
| process.js |
| process.test.js |
| samlStrategy.js |
| samlStrategy.spec.js |
| socialLogin.js |
| socialLogin.test.js |
| validators.js |
| validators.spec.js |