
Enhancement: Multitenant OpenID Login with Home Zone Discovery

Open · leondape opened this issue 1 year ago · 1 comment

Extend OpenID login to handle multiple OpenID tenants

The login process is currently limited to only one OpenID source specified in .env. This is a limitation if you want to integrate multiple OpenID Providers, which is common for larger organisations. I suggest implementing a more detailed setup in librechat.yaml which replaces the settings in .env.

Setup for a single tenant, as it is now

OpenID:
  tenants:
    - domains: "" # will direct the auth flow to the issuer for ANY domain
      openid:
        clientId: "client-id-for-example"
        clientSecret: "client-secret-for-example"
        issuer: "https://example.com/oidc"
        callbackUrl: "/oauth/openid/callback"

Setup for multiple tenants

OpenID:
  tenants:
    - domains: "first.com,example.com" # will direct the auth flow to issuer1 only for these domains
      openid:
        clientId: "client-id-for-example"
        clientSecret: "client-secret-for-example"
        issuer: "https://example.com/oidc"
        callbackUrl: "/oauth/openid/callback"
    - domains: "another.com,one.com" # will direct the auth flow to issuer2 only for these domains
      openid:
        clientId: "client-id-for-example2"
        clientSecret: "client-secret-for-example2"
        issuer: "https://example.com/oidc2"
        callbackUrl: "/oauth/openid/callback"

More details

When domains are set, a mandatory email field should be visible above the button. The action flow would then be:

  1. User inputs email
  2. User clicks button
  3. User gets routed to the correct OpenID provider based on domain. Routing to the correct IdP (Home Zone Discovery) is configured via the yaml file domain entries.

If no domains are set, multitenant is disabled and the functionality is just the same as it is currently.

Which components are impacted by your request?

I'm not sure, but probably:

  • api/server/routes/config.js
  • SocialLoginRender.tsx
  • SocialButton.tsx
  • Login.tsx
  • AuthLayout.tsx

Pictures

No domains set (Current)

[Screenshot 2024-10-25 at 07:46:26]

With domains set (Future)

[multitenant-mock]

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

leondape, Oct 24 '24 21:10
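The routing step described in the issue (email in, tenant out) is small but easy to get subtly wrong, so here is an added example of how the home-zone discovery could be implemented server-side. This is illustration code written for this page, not LibreChat's code or the code from the PR mentioned below; the tenant config is a constructed JavaScript object that mirrors the proposed librechat.yaml layout, and the function names (`parseDomains`, `emailDomain`, `isMultitenant`, `resolveTenant`, `identityMatchesTenant`) are assumptions. It matches the email domain exactly and case-insensitively (so `sub.first.com` does not match `first.com`), treats a tenant with an empty `domains` list as the catch-all, and adds a post-login check so the email the user typed stays a routing hint rather than the source of truth for which tenant the identity belongs to.

```javascript
// Added example (not LibreChat project code): home-zone discovery for the
// multitenant OpenID proposal. Function and variable names are assumptions.

// Constructed sample config mirroring the issue's multi-tenant YAML
// (secrets are placeholders, not real credentials).
const openidConfig = {
  tenants: [
    {
      domains: "first.com,example.com",
      openid: {
        clientId: "client-id-for-example",
        clientSecret: "client-secret-for-example",
        issuer: "https://example.com/oidc",
        callbackUrl: "/oauth/openid/callback",
      },
    },
    {
      domains: "another.com,one.com,",
      openid: {
        clientId: "client-id-for-example2",
        clientSecret: "client-secret-for-example2",
        issuer: "https://example.com/oidc2",
        callbackUrl: "/oauth/openid/callback",
      },
    },
  ],
};

// Turn the comma-separated "a.com,b.com," string into a Set of lower-case
// domains; blank entries (e.g. from a trailing comma) are dropped.
function parseDomains(domains) {
  return new Set(
    (domains || "")
      .split(",")
      .map((d) => d.trim().toLowerCase())
      .filter((d) => d.length > 0)
  );
}

// Return the lower-cased domain of an address, or null when the input is
// not a string with exactly one '@' and non-empty parts on both sides.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  if (trimmed.indexOf("@") !== at) return null; // more than one '@'
  return trimmed.slice(at + 1);
}

// Multitenant mode is on as soon as any tenant lists at least one domain;
// otherwise behaviour falls back to the single-issuer flow.
function isMultitenant(config) {
  return config.tenants.some((t) => parseDomains(t.domains).size > 0);
}

// Home-zone discovery: exact, case-insensitive match of the email domain
// against each tenant's list. A tenant with no domains is the catch-all and
// is used only when no listed domain matched. Returns null for unparseable
// input or an unknown domain; the caller should show one generic error for
// both so the login form does not reveal which domains are configured.
function resolveTenant(config, email) {
  const domain = emailDomain(email);
  if (domain === null) return null;
  let catchAll = null;
  for (const tenant of config.tenants) {
    const domains = parseDomains(tenant.domains);
    if (domains.size === 0) {
      if (catchAll === null) catchAll = tenant;
      continue;
    }
    if (domains.has(domain)) return tenant;
  }
  return catchAll;
}

// Post-login check: the email claim returned by the provider must belong
// to the tenant the user was routed to. Without this, the typed email only
// picks the issuer and is never reconciled with the authenticated identity.
function identityMatchesTenant(tenant, claimsEmail) {
  const domains = parseDomains(tenant.domains);
  if (domains.size === 0) return true; // catch-all tenant accepts any domain
  const domain = emailDomain(claimsEmail);
  return domain !== null && domains.has(domain);
}
```

The example deliberately uses a Set lookup on the full domain rather than `endsWith` or a substring test; a suffix match would let `first.com.attacker.example` or `notfirst.com` route to the wrong issuer. The `identityMatchesTenant` step is the check to run on the callback before creating the session.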

@leondape I have this working in my PR, but I'm not really happy with the UI.

rubentalstra, Mar 21 '25 20:03