feat: Add OIDC group sync for Keycloak and generic OpenID providers #10015
+1,171
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements JWT token-based group synchronization to enable the granular permissions system with any OIDC provider (Keycloak, Auth0, Okta, etc.) Features: - Extract groups/roles from configurable JWT claim paths - Automatically sync group memberships on login - Create groups and add users atomically - Remove users from groups when roles are revoked - Support for any OIDC provider via flexible claim path configuration Changes: - Add JWT claim extraction utilities with sanitization - Implement syncUserOidcGroupsFromToken in PermissionService - Fix idOnTheSource to use 'sub' as fallback for non-Microsoft providers - Integrate OIDC group sync into OAuth login flow - Add 'oidc' as valid group source in schema - Add comprehensive unit tests (119 test cases) - Add detailed documentation in .env.example Configuration: OPENID_SYNC_GROUPS_FROM_TOKEN=true OPENID_GROUPS_CLAIM_PATH=realm_access.roles OPENID_GROUPS_TOKEN_KIND=access OPENID_GROUP_SOURCE=oidc TODO: Future improvements noted in code comments: - Bulk query optimization for large group counts - Transaction wrapping for full atomicity - Group name transformation/mapping - Role filtering capabilities - Orphaned group cleanup Tested with Keycloak - successfully syncs groups on login Related to danny-avila#10006
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
ESLint found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
Allow filtering out system/default roles from group synchronization: - Add shouldExcludeGroup() function with exact match and regex support - Support comma-separated exclusion patterns via OPENID_GROUPS_EXCLUDE_PATTERN - Case-insensitive exact matching for role names - Regex patterns with 'regex:' prefix (e.g., regex:^default-.*) - Update extractGroupsFromToken to accept and apply exclusion filter - Add comprehensive documentation in .env.example Use cases: - Exclude Keycloak default roles (default-roles-*, manage-account, etc.) - Exclude Auth0 system scopes (offline_access, openid, profile, email) - Exclude authentication-only roles that shouldn't become groups - Filter out UMA authorization roles (uma_authorization) Examples: OPENID_GROUPS_EXCLUDE_PATTERN=default-roles-mediawan,manage-account,offline_access OPENID_GROUPS_EXCLUDE_PATTERN=regex:^default-.*,regex:^manage-.*,offline_access Tested with Keycloak 26.x - successfully filters out system roles
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request: OIDC Group Synchronization for Keycloak and Generic OpenID Providers
Summary
Implements JWT token-based group synchronization to enable the granular permissions system with any OIDC provider (Keycloak, Auth0, Okta, etc.)
This PR addresses the need for non-Microsoft OIDC providers to utilize LibreChat's granular permissions system introduced in v0.7.9. Currently, group discovery only works with Microsoft Entra ID via Graph API. This implementation allows any OIDC provider to sync groups/roles from JWT tokens.
Related to #10006
Features:
Changes:
api/utils/extractJwtClaims.js)syncUserOidcGroupsFromTokenin PermissionServiceidOnTheSourceto usesubas fallback for non-Microsoft providers (Keycloak compatibility)'oidc'as valid group source in schemaapi/utils/extractJwtClaims.spec.js- JWT claim extraction testsapi/server/services/PermissionService.oidc.spec.js- Service sync logic tests.env.exampleConfiguration Example:
Future Improvements (noted in code comments):
Change Type
Testing
Test Configuration:
OPENID_REUSE_TOKENS=trueOPENID_SYNC_GROUPS_FROM_TOKEN=trueOPENID_GROUPS_CLAIM_PATH=realm_access.rolesOPENID_GROUPS_TOKEN_KIND=accessOPENID_GROUP_SOURCE=keycloakTest Process:
leonine,default-roles-mediawan,access_leoninedb.groups.find({ source: 'keycloak' }) # Result: 3 groups created with user in memberIdsTest Results:
✅ Realm roles tested and working:
subclaim (Keycloak) instead ofoid(Microsoft-specific)📝 Keycloak groups (via group mapper) not yet tested but should work:
Unit Test Coverage:
Checklist
Documentation PR
Documentation has been submitted to the docs repository:
📝 LibreChat-AI/librechat.ai#426
Additional Context
This implementation follows the same pattern as the existing Entra ID group sync but reads from JWT claims instead of making Graph API calls, making it more efficient and compatible with any OIDC provider.
Benefits:
Tested with: Keycloak 26.x (realm roles confirmed working)
Compatible with: Any OIDC provider that includes groups/roles in JWT tokens
AI-slop-Disclaimer:
To my best knowledge I've reviewed and guided the development of this feature. However I seek maintainer's guidance as this code is heavily developed by cursor.