docs: clarify OPENID_REQUIRED_ROLE usage in dotenv, Azure, and Keycloak configurations to support single or multiple roles

This commit is contained in:
Danny Avila
2025-10-01 14:02:15 -04:00
parent 3d2a0a7a4e
commit 886c1878bd
3 changed files with 5 additions and 5 deletions


@@ -54,7 +54,7 @@ OPENID_REQUIRED_ROLE_TOKEN_KIND=id
# If you want to restrict access by groups
OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles"
OPENID_REQUIRED_ROLE="Your Group Name"
OPENID_REQUIRED_ROLE="Your Group Name" # Single role or comma-separated roles (e.g., Group1,Group2,Admin)
# Optional: redirects the user to the end session endpoint after logging out
OPENID_USE_END_SESSION_ENDPOINT=true
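Review bot: the new comment on `OPENID_REQUIRED_ROLE` says the value may be comma-separated but does not say whether whitespace around each entry is trimmed, and the placeholder `"Your Group Name"` itself contains spaces, so a reader cannot tell whether `Group1, Group2` (with a space) will match a role named `Group2`. State the splitting rule in the comment, e.g. `# comma-separated, no spaces: Group1,Group2,Admin`, and note that a role name containing a comma cannot be expressed this way. Also confirm that the dotenv loader in use treats the trailing `# ...` after a quoted value as a comment rather than as part of the value; older dotenv parsers do not, which would silently make the role check fail for everyone.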


@@ -36,13 +36,13 @@ your application.
5. **Add Roles (Optional):**
If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users.
- Go to the 'Roles' tab in your client or realm (depending on where you want to define the roles).
- Create a new role that matches the value you have in `OPENID_REQUIRED_ROLE`.
- Create roles that match the value(s) you have in `OPENID_REQUIRED_ROLE`.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/67ca635f-5082-4dcc-97ac-019029a81d7c)
6. **Assign Roles to Users (Optional):**
- Go to 'Users', select a user, and go to the 'Role Mappings' tab.
- Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user.
- Assign at least one of the roles specified in `OPENID_REQUIRED_ROLE` to the user.
![image](https://github.com/danny-avila/LibreChat/assets/6623884/f2ea70ed-e16c-4ec8-b84f-79fbfca627be)
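Review bot: step 5 lets the reader create the roles on either the client or the realm, but the config further down this page sets `OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"`, which only resolves realm roles; Keycloak places client roles under `resource_access.<client-id>.roles` in the token. Add a sentence to step 5 (or to the assignment step 6) saying that client-level roles require changing the parameter path to match, otherwise a user who holds one of the required roles as a client role is still denied even though the docs say "at least one of the roles" suffices.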
@@ -62,7 +62,7 @@ If you want to restrict access to users with specific roles, you can define role
OPENID_SESSION_SECRET=[JustGenerateARandomSessionSecret]
OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_SCOPE="openid profile email"
OPENID_REQUIRED_ROLE=[YourRequiredRole]
OPENID_REQUIRED_ROLE=[YourRequiredRole] # Single role or comma-separated roles (e.g., role1,role2,admin)
OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id) # that means, `access` or `id`
OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"
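Review bot: the example pairs `OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"` with an unresolved `OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id)`; Keycloak's default realm-roles mapper adds `realm_access` to the access token only, so picking `id` here makes the role check fail until the mapper's "Add to ID token" option is enabled. Recommend `access` in this example, or spell out the mapper setting next to the `id` choice. Minor: the inline example `role1,role2,admin` differs from the dotenv comment's `Group1,Group2,Admin`; use one form in both files so readers do not wonder whether case matters.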


@@ -1108,7 +1108,7 @@ For more information:
['OPENID_SCOPE', 'string', 'The OpenID scope.', 'OPENID_SCOPE="openid profile email"'],
['OPENID_CALLBACK_URL', 'string', 'The callback URL for OpenID authentication.','OPENID_CALLBACK_URL=/oauth/openid/callback'],
['OPENID_AUDIENCE', 'string', 'The audience parameter for authorization requests. Required for Auth0 when using OPENID_REUSE_TOKENS=true to receive JWT access tokens instead of opaque tokens.','OPENID_AUDIENCE=https://api.librechat.com'],
['OPENID_REQUIRED_ROLE', 'string', 'The required role for validation.','OPENID_REQUIRED_ROLE='],
['OPENID_REQUIRED_ROLE', 'string', 'The required role(s) for validation. Supports a single role or multiple comma-separated roles. When multiple roles are specified, the user needs ANY of the specified roles (OR logic).','OPENID_REQUIRED_ROLE=admin or OPENID_REQUIRED_ROLE=role1,role2,admin'],
['OPENID_REQUIRED_ROLE_TOKEN_KIND', 'string', 'The token kind for required role validation.','OPENID_REQUIRED_ROLE_TOKEN_KIND='],
['OPENID_REQUIRED_ROLE_PARAMETER_PATH', 'string', 'The parameter path for required role validation.','OPENID_REQUIRED_ROLE_PARAMETER_PATH='],
['OPENID_BUTTON_LABEL', 'string', 'The label for the OpenID login button.','OPENID_BUTTON_LABEL='],
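Review bot: the example column for `OPENID_REQUIRED_ROLE` now reads `OPENID_REQUIRED_ROLE=admin or OPENID_REQUIRED_ROLE=role1,role2,admin`; in a table that renders the cell as a literal value, the `or` reads as part of the assignment. Keep a single example in that column (`OPENID_REQUIRED_ROLE=role1,role2,admin`) and move the "single role or comma-separated" alternative into the description, which already says it. The removed row's example `OPENID_REQUIRED_ROLE=` left the variable empty, and the new description does not say what an empty value means; state explicitly whether an empty value disables the role check (every authenticated user is admitted) or denies all logins, since that default is the security-relevant case for anyone copying the example file.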