Get required OpenID Role #1488
Conversation
Hi @siriusfreak, hope you're well! Do you still plan on contributing this?
Improve process and change libs
Force-pushed f59ff96 to 17af179
Force-pushed 0a8b056 to 22a5e33
Force-pushed 22a5e33 to fabe485
@danny-avila please check it
Dear @siriusfreak, for those looking for a groups-claims integration, do you think you can add that support too? It is very common to use security groups as well as application roles in IdPs. What do you think?
I rely on Keycloak. Could you show me your identity provider? Basically, we only need to check whether the required items are in the list inside the JWT token. So it could be generalized as a way to check the token.
Sure, it is Entra (formerly Azure AD).
I added more flexibility to the configuration. Now it is possible to determine the exact source for the token inside the ID provider response. I tested it with Entra and Keycloak. @childotg You can use emitting groups as roles to retrieve roles in the example configs. Keycloak:
Entra:
docker-compose.yml
@@ -30,6 +30,8 @@ services: | |||
image: mongo | |||
restart: always | |||
user: "${UID}:${GID}" | |||
ports: |
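Review bot: the ports: entry this hunk adds to the mongo service publishes MongoDB on the Docker host by default, which the stock compose file should not do; the two added lines under ports: are not visible here, but any host mapping takes the database off the private compose network. Drop the mapping from docker-compose.yml and document it for the override compose file instead, or at minimum bind it to loopback (for example "127.0.0.1:27017:27017") so it is not reachable from other hosts.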
These ports cannot be exposed by default. If this is needed, it has to be done with the override compose file: https://docs.librechat.ai/install/configuration/docker_override.html
docker-compose.yml
@@ -38,6 +40,8 @@ services: | |||
image: getmeili/meilisearch:v1.5 | |||
restart: always | |||
user: "${UID}:${GID}" | |||
ports: |
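Review bot: same problem as the mongo hunk: a ports: mapping on the meilisearch service in the default file exposes the Meilisearch HTTP API outside the compose network. Remove it here and leave host exposure to the override file; if it has to stay, bind it to 127.0.0.1 rather than all interfaces.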
same as above
Thanks for the documentation. It would also be nice to have a guide on how to set up roles via Azure, as you showed in one of the comments here, but more comprehensive.
…reChat into add-required-openid-role
api/strategies/openidStrategy.js
@@ -57,7 +60,13 @@ async function setupOpenId() { | |||
let user = await User.findOne({ openidId: userinfo.sub }); | |||
|
|||
if (!user) { | |||
user = await User.findOne({ email: userinfo.email }); | |||
if (!userinfo.email) { |
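Review bot: the guard if (!userinfo.email) sits after user = await User.findOne({ email: userinfo.email }), so a token with no email claim still runs the lookup with an undefined filter value, and whatever that query happens to match becomes the linked account. Hoist the check above the if (!user) block so the e-mail lookup only runs with a concrete address (reject the login or skip linking when the claim is absent); this also removes the nesting flagged in review. Consider additionally requiring email_verified before linking an existing local account to an IdP subject by e-mail alone.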
Thanks for the recent update. This caught my attention; there is some nesting here that is confusing. In general I'm against nesting, but it would make more sense to have this condition as a separate block above the check for the user not being found at all.
I looked deeper and removed this print, because it is mostly for more logs, not for important logic.
Sorry for the delay! Thank you, will test this today!
Merging this PR's commits along with some edits, mostly documentation, in #2279
Summary
This change allows role-based authorization to be performed for OpenID providers.
The new parameter OPENID_REQUIRED_ROLE specifies the allowed role name.
Change Type
New feature (non-breaking change which adds functionality)
Testing
Tested on a personal installation of Keycloak. The configuration process is described in the OpenID with Keycloak and Role Restriction section.
Test Configuration:
Checklist
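The check discussed in the thread (look for a required item in the role list inside the token, with the claim's location configurable because Keycloak and Entra put it in different places) and the OPENID_REQUIRED_ROLE behaviour described in the summary, as an added example. This is not LibreChat's or the PR's code: the function names, the dotted-path convention for locating the claim, and the rule that an empty required role means no restriction are this example's own assumptions. The two tokens are constructed inline, not captured from a real IdP, and their signatures are empty because the example only reads claims. Requires Node.js 16 or newer for the base64url Buffer encoding.

```javascript
'use strict';

// Added example, not code from LibreChat or this PR. It shows the role check the
// PR describes: read a role claim from an OpenID token and allow the login only
// if the role named by OPENID_REQUIRED_ROLE is present. Function names and the
// dotted-path convention are this example's own assumptions.

// Decode the payload of a compact JWS (header.payload.signature). The signature
// is NOT verified here: run this only on an id_token the OpenID client library
// has already validated, or on the JSON userinfo response.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Walk a dotted path such as "realm_access.roles" into a claims object.
// Returns undefined if any segment is missing or not an object.
function getClaimByPath(claims, path) {
  return path.split('.').reduce(
    (cur, key) => (cur !== null && typeof cur === 'object' ? cur[key] : undefined),
    claims,
  );
}

// Deny by default: allow only when the claim is an array containing the role,
// or a single string equal to it. A missing, null or oddly typed claim denies.
// Assumption: an empty/unset required role means no restriction, as an unset
// environment variable would.
function hasRequiredRole(claims, claimPath, requiredRole) {
  if (!requiredRole) {
    return true;
  }
  const value = getClaimByPath(claims, claimPath);
  if (Array.isArray(value)) {
    return value.includes(requiredRole);
  }
  return typeof value === 'string' && value === requiredRole;
}

// Constructed sample tokens (not captured from a real IdP). The signature part
// is left empty because this example only reads claims.
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Keycloak puts realm roles under realm_access.roles; Entra app roles arrive in
// a flat roles claim. Both shapes are handled by changing only the claim path.
const KEYCLOAK_ID_TOKEN = makeUnsignedJwt({
  sub: '1f2e3d',
  email: 'alice@example.com',
  realm_access: { roles: ['offline_access', 'librechat-user'] },
});
const ENTRA_ID_TOKEN = makeUnsignedJwt({
  sub: '9a8b7c',
  preferred_username: 'alice@example.com',
  roles: ['LibreChat.User'],
});

// Mirrors the decision a strategy callback would make before creating or
// linking a user: decode the (already verified) token, then apply the role check.
function authorizeOpenIdLogin(idToken, claimPath, requiredRole) {
  const claims = decodeJwtPayload(idToken);
  return hasRequiredRole(claims, claimPath, requiredRole);
}

console.log(authorizeOpenIdLogin(KEYCLOAK_ID_TOKEN, 'realm_access.roles', 'librechat-user'));
console.log(authorizeOpenIdLogin(ENTRA_ID_TOKEN, 'roles', 'LibreChat.User'));
```

The important ordering point for a real strategy is that decodeJwtPayload performs no signature validation: the role check must run after the OpenID client has verified the id_token (or on the userinfo response fetched with the access token), otherwise an attacker can mint a token carrying any role.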