diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx index f8bd138..4dba833 100644 --- a/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx +++ b/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx @@ -54,7 +54,7 @@ OPENID_REQUIRED_ROLE_TOKEN_KIND=id # If you want to restrict access by groups OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles" -OPENID_REQUIRED_ROLE="Your Group Name" +OPENID_REQUIRED_ROLE="Your Group Name" # Single role or comma-separated roles (e.g., Group1,Group2,Admin) # Optional: redirects the user to the end session endpoint after logging out OPENID_USE_END_SESSION_ENDPOINT=true diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/keycloak.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/keycloak.mdx index 7d24268..af1aab9 100644 --- a/pages/docs/configuration/authentication/OAuth2-OIDC/keycloak.mdx +++ b/pages/docs/configuration/authentication/OAuth2-OIDC/keycloak.mdx @@ -36,13 +36,13 @@ your application. 5. **Add Roles (Optional):** If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users. - Go to the 'Roles' tab in your client or realm (depending on where you want to define the roles). -- Create a new role that matches the value you have in `OPENID_REQUIRED_ROLE`. +- Create roles that match the value(s) you have in `OPENID_REQUIRED_ROLE`. ![image](https://github.com/danny-avila/LibreChat/assets/6623884/67ca635f-5082-4dcc-97ac-019029a81d7c) 6. **Assign Roles to Users (Optional):** - Go to 'Users', select a user, and go to the 'Role Mappings' tab. -- Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user. +- Assign at least one of the roles specified in `OPENID_REQUIRED_ROLE` to the user. ![image](https://github.com/danny-avila/LibreChat/assets/6623884/f2ea70ed-e16c-4ec8-b84f-79fbfca627be) 
@@ -62,7 +62,7 @@ If you want to restrict access to users with specific roles, you can define role OPENID_SESSION_SECRET=[JustGenerateARandomSessionSecret] OPENID_CALLBACK_URL=/oauth/openid/callback OPENID_SCOPE="openid profile email" - OPENID_REQUIRED_ROLE=[YourRequiredRole] + OPENID_REQUIRED_ROLE=[YourRequiredRole] # Single role or comma-separated roles (e.g., role1,role2,admin) OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id) # that means, `access` or `id` OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles" diff --git a/pages/docs/configuration/dotenv.mdx b/pages/docs/configuration/dotenv.mdx index 49d173b..33487db 100644 --- a/pages/docs/configuration/dotenv.mdx +++ b/pages/docs/configuration/dotenv.mdx @@ -1108,7 +1108,7 @@ For more information: ['OPENID_SCOPE', 'string', 'The OpenID scope.', 'OPENID_SCOPE="openid profile email"'], ['OPENID_CALLBACK_URL', 'string', 'The callback URL for OpenID authentication.','OPENID_CALLBACK_URL=/oauth/openid/callback'], ['OPENID_AUDIENCE', 'string', 'The audience parameter for authorization requests. Required for Auth0 when using OPENID_REUSE_TOKENS=true to receive JWT access tokens instead of opaque tokens.','OPENID_AUDIENCE=https://api.librechat.com'], - ['OPENID_REQUIRED_ROLE', 'string', 'The required role for validation.','OPENID_REQUIRED_ROLE='], + ['OPENID_REQUIRED_ROLE', 'string', 'The required role(s) for validation. Supports a single role or multiple comma-separated roles. When multiple roles are specified, the user needs ANY of the specified roles (OR logic).','OPENID_REQUIRED_ROLE=admin or OPENID_REQUIRED_ROLE=role1,role2,admin'], ['OPENID_REQUIRED_ROLE_TOKEN_KIND', 'string', 'The token kind for required role validation.','OPENID_REQUIRED_ROLE_TOKEN_KIND='], ['OPENID_REQUIRED_ROLE_PARAMETER_PATH', 'string', 'The parameter path for required role validation.','OPENID_REQUIRED_ROLE_PARAMETER_PATH='], ['OPENID_BUTTON_LABEL', 'string', 'The label for the OpenID login button.','OPENID_BUTTON_LABEL='],
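Review bot: In azure.mdx, the new comment on `OPENID_REQUIRED_ROLE` says the value may be comma-separated but not that holding any one of the listed roles is enough to be admitted. That OR rule appears only in the dotenv.mdx description. Each entry added to the list widens who can sign in, so state it where the value is set, for example `# Single role, or comma-separated roles; a user with ANY one of them is allowed`. The placeholder `"Your Group Name"` contains spaces while the example `Group1,Group2,Admin` does not, so the comment should also say whether spaces around the commas are trimmed.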
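Review bot: In keycloak.mdx steps 5 and 6, the reworded bullets do not mention that the comma is now a separator inside `OPENID_REQUIRED_ROLE`. A reader creating roles in Keycloak needs to know that a role name used here should not itself contain a comma. Step 5 says "match the value(s)", which reads more clearly as "match each comma-separated entry in `OPENID_REQUIRED_ROLE`". Step 6's "at least one of the roles" states the OR behaviour well and can stay as it is.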
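Review bot: In the keycloak.mdx env example, the added comment trails an unquoted value on the same line: `OPENID_REQUIRED_ROLE=[YourRequiredRole] # Single role or ...`. Not every env-file loader strips a trailing `#` comment after an unquoted value, so a copy-pasted line can end up with the comment text inside the role list, and the check then fails in a way that is hard to spot. Put the comment on its own line above the variable. The example list `role1,role2,admin` would also benefit from the "any of" wording used in dotenv.mdx, so that nobody reads it as requiring all three roles.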
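Review bot: In dotenv.mdx, the example column for `OPENID_REQUIRED_ROLE` now holds `OPENID_REQUIRED_ROLE=admin or OPENID_REQUIRED_ROLE=role1,role2,admin`, while the neighbouring rows each hold a single literal assignment. Copied as shown, this yields a value containing " or OPENID_REQUIRED_ROLE=...". Keep one assignment in that cell, for example `OPENID_REQUIRED_ROLE=role1,role2,admin`, and leave the single-role case to the description. The description states the OR logic clearly. It should also say whether whitespace around the commas is ignored, since none of the three files touched by this patch specifies that.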