Enhancement: Multitenant OpenID Login with Home Zone Discovery #4544

Open
1 task done
leondape opened this issue Oct 24, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@leondape

leondape commented Oct 24, 2024

Extend OpenID login to handle multiple OpenID tenants

The login process is currently limited to only one OpenID source specified in .env.
This is a limitation if you want to integrate multiple OpenID Providers, which is common for larger organisations.
I suggest implementing a more detailed setup in librechat.yaml which replaces the settings in .env.

Setup for a singular Tenant as it is now

OpenID:
  tenants:
    - domains: "" # will direct the auth flow to the issuer for ANY domain
      openid:
        clientId: "client-id-for-example"
        clientSecret: "client-secret-for-example"
        issuer: "https://example.com/oidc"
        callbackUrl: "/oauth/openid/callback"

Setup for multiple tenants

OpenID:
  tenants:
    - domains: "first.com,example.com" # will direct the auth flow to issuer1 only for these domains
      openid:
        clientId: "client-id-for-example"
        clientSecret: "client-secret-for-example"
        issuer: "https://example.com/oidc"
        callbackUrl: "/oauth/openid/callback"
    - domains: "another.com,one.com," # will direct the auth flow to issuer2 only for these domains
      openid:
        clientId: "client-id-for-example2"
        clientSecret: "client-secret-for-example2"
        issuer: "https://example.com/oidc2"
        callbackUrl: "/oauth/openid/callback"

More details

When domains are set, a mandatory email field should be visible above the Button. The Action flow would then be:

  1. User Inputs email
  2. User clicks button
  3. User gets routed to correct OpenID provider based on domain. Routing to the correct IDP (Home Zone Discovery) is set over the yaml file domain entries.

If no domains are set, multitenant is disabled and the functionality is just the same as it is currently.

Which components are impacted by your request?

I'm not sure but probably:

  • api/server/routes/config.js
  • SocialLoginRender.tsx
  • SocialButton.tsx
  • Login.tsx
  • AuthLayout.tsx

Pictures

No domains set (Current)


With domains set (Future)


Code of Conduct

  • I agree to follow this project's Code of Conduct
@leondape leondape added the enhancement New feature or request label Oct 24, 2024
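As an added illustration (not code from the issue or from LibreChat itself), the following JavaScript sketches the Home Zone Discovery lookup the request describes: it takes the proposed `OpenID.tenants` list (assumed to be already parsed from librechat.yaml into a plain object) and resolves an email address to the matching tenant's `openid` settings. The function names `parseDomains`, `multitenantEnabled` and `resolveTenant` and the sample config are assumptions made for this example; it matches domains exactly rather than by suffix so that a look-alike domain cannot be routed to another tenant's issuer, and returns `null` for malformed or unknown input without saying which.

```javascript
// Added example, not LibreChat's own code. Assumes librechat.yaml has already
// been parsed into a plain object shaped like the issue's proposal.

// Constructed sample config mirroring the issue's multi-tenant example.
const sampleConfig = {
  OpenID: {
    tenants: [
      { domains: 'first.com,example.com',
        openid: { clientId: 'client-id-for-example', issuer: 'https://example.com/oidc' } },
      { domains: 'another.com,one.com,', // trailing comma as in the issue
        openid: { clientId: 'client-id-for-example2', issuer: 'https://example.com/oidc2' } },
    ],
  },
};

// Split the comma-separated list, trim, lowercase, and drop blanks (trailing comma).
function parseDomains(domains) {
  return (domains || '')
    .split(',')
    .map((d) => d.trim().toLowerCase())
    .filter(Boolean);
}

// Multitenant mode is on only if at least one tenant restricts itself to domains;
// a config whose only tenant has an empty `domains` behaves like today's single issuer.
function multitenantEnabled(config) {
  const tenants = (config && config.OpenID && config.OpenID.tenants) || [];
  return tenants.some((t) => parseDomains(t.domains).length > 0);
}

// Resolve the tenant for an email: exact domain match first (so "evil-example.com"
// never matches "example.com"), then a catch-all tenant with empty `domains`, else null.
function resolveTenant(config, email) {
  const at = typeof email === 'string' ? email.lastIndexOf('@') : -1;
  if (at <= 0 || at === email.length - 1) return null; // empty local part or domain
  const domain = email.slice(at + 1).toLowerCase();
  const tenants = (config && config.OpenID && config.OpenID.tenants) || [];
  let catchAll = null;
  for (const tenant of tenants) {
    const domains = parseDomains(tenant.domains);
    if (domains.length === 0) { if (!catchAll) catchAll = tenant.openid; continue; }
    if (domains.includes(domain)) return tenant.openid;
  }
  return catchAll;
}
```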