o ưi@spdZddlZddlZddlZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZmZddlmZddlZddlmZddlmZdd l m!Z!dd l"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)dd l*m+Z+dd l,m-Z-m.Z.m/Z/dd l0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?ddl@mAZAddlBmCZCddlDmEZEddlFmGZGmHZHddlImJZJddlKmLZLddlMmNZNddlOmPZPddlQmRZRmSZSddlTmUZUmVZVddlWmXZXmYZYmZZZddl[m\Z\m]Z]m^Z^m_Z_ddl`maZambZbddlcmdZdmeZemfZfmgZgmhZhmiZiddlcTddljmkZke r*ddllmmZmndd l m ZmeZnd!eeod"eeofd#d$Zpd%e eod&d'd"ee3fd(d)Zq dd*eeod+eeCd,eemerdfd&ed'd"df d-d.Zsenjtd/d0gd1d2   dd3ed4eeod5eeod6eeofd7d8Zu   dd9eCd+eeCd&ed'd:ed;d"eXf deod?eod"eeoe eoeoeoeoewffd@dAZxd"ed;fdBdCZyd"ed'fdDdEZzd3ed9eCd+eeCd>eod?eod"eeemerfeerff dFdGZ{dHdIZ|dJee7e2fdKe eofdLdMZ}dNdOZ~dPeeodQeeodRe\dSe!dTe]d"ee2f dUdVZ dd,eeXemerfdRe\dSe!dTe]dQeeodWee:dXeeod"eee2e7ffdYdZZd[eeod"ewfd\d]Zd,eed^emerfdQeeodPeeod"erfd_d`ZdJeee2e7fdWee:d"ee:fdadbZdceodPeodRee\fdddeZenjtdfd0gd1d2dd3edgeeofdhdiZ   dd3ed5eeod6eeod,eeemerffdjdkZenjtdld0gd1d2ddmeodneeofdodpZ ddqeeemerfdWee:d"e7fdrdsZenjtdtd0gd1eeEgdud3efdvdwZenjtdxd0geeEgdydzd{ZGd|d}d}ZGd~ddZGdddZenjtdd0gd1d2d3efddZenjtdd0gd1d2d3efddZdS)a^ Has all /sso/* routes /sso/key/generate - handles user signing in with SSO and redirects to /sso/callback /sso/callback - returns JWT Redirect Response that redirects to LiteLLM UI /sso/debug/login - handles user signing in with SSO and redirects to /sso/debug/callback /sso/debug/callback - returns the OpenID object returned by the SSO provider N)deepcopy) TYPE_CHECKINGAnyDictListLiteralOptionalTupleUnioncast) APIRouterDepends HTTPExceptionRequeststatus)RedirectResponse)verbose_proxy_logger)uuid) DualCache)LITELLM_UI_SESSION_DURATIONMAX_SPENDLOG_ROWS_TO_QUERY%MICROSOFT_USER_DISPLAY_NAME_ATTRIBUTEMICROSOFT_USER_EMAIL_ATTRIBUTE#MICROSOFT_USER_FIRST_NAME_ATTRIBUTEMICROSOFT_USER_ID_ATTRIBUTE"MICROSOFT_USER_LAST_NAME_ATTRIBUTE)get_nested_value)AsyncHTTPHandlerget_async_httpx_clienthttpxSpecialProvider) CommonProxyErrorsLiteLLM_UserTableLitellmUserRolesMemberNewTeamRequestNewUserRequestNewUserResponseProxyErrorTypesProxyExceptionSSOUserDefinedValuesTeamMemberAddRequestUserAPIKeyAuth)ExperimentalUIJWTTokenget_user_object)_has_user_setup_sso JWTHandler)user_api_key_auth)admin_ui_disabledshow_missing_vars_in_env)jwt_display_template) html_form)new_user)CustomMicrosoftSSO)check_is_admin_only_accesshas_admin_ui_access)new_teamteam_member_add) CustomOpenIDget_litellm_user_roleis_valid_litellm_user_role) PrismaClient ProxyLoggingget_custom_urlget_server_root_path)get_secret_bool str_to_bool)DefaultTeamSSOParams)MicrosoftGraphAPIUserGroupDirectoryObject"MicrosoftGraphAPIUserGroupResponseMicrosoftServicePrincipalTeam RoleMappings TeamMappings)*)ParsedOpenIDResult)OpenID)remailreturncCs"|durdSt|tr|S|S)a Normalize email address to lowercase for consistent storage and comparison. Email addresses should be treated as case-insensitive for SSO purposes, even though RFC 5321 technically allows case-sensitive local parts. This prevents issues where SSO providers return emails with different casing than what's stored in the database. Args: email: Email address to normalize, can be None Returns: Lowercased email address, or None if input is None N) isinstancestrlower)rNrS`/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/management_endpoints/ui_sso.pynormalize_emailjsrU user_groups role_mappingsrIc Cs|js|jStjtjtjtjg}t|trt |nt }|D]+}||jvrI|j|}t|trI| t |rIt d|d|j d||Sqt d|d|j|jS)a Determine the highest privilege role for a user based on their groups. Role hierarchy (highest to lowest): - proxy_admin - proxy_admin_viewer - internal_user - internal_user_viewer Args: user_groups: List of group names from the SSO token role_mappings: RoleMappings configuration object Returns: The highest privilege role found, or default_role if no matches, or None z User groups z matched role 'z' via groups: z6 did not match any role mappings, using default_role: )roles default_roler" PROXY_ADMINZPROXY_ADMIN_VIEW_ONLY INTERNAL_USERINTERNAL_USER_VIEW_ONLYrPlistset intersectionrdebugvalue)rVrWZrole_hierarchyZuser_groups_setroleZ role_groupsrSrSrTdetermine_role_from_groups~s.  rcaccess_token_strsso_jwt_handlerresultcCs|r|rddl}z |j|ddid}Wn|jjy&tdYdSw|rWt|tr@|dg}|s?| |}||d<n|rHt |dgng}|sW| |}t |d|t|tra|dnt |dd}|durd} |dur|j r|j } t|| } g} t| trd d | D} nt| trd d | d D} n | durt| g} | rt| |} td | d| dn|jr|j} | durtdd} t|| }|durt|} td| d| d| durt|tr| |d<nt |d| td| ddSdSdSdSdS)a Process SSO JWT access token and extract team IDs and user role if available. This function decodes the JWT access token and extracts team IDs and user role, then sets them on the result object. Role extraction from the access token is needed because some SSO providers (e.g., Keycloak) do not include role claims in the UserInfo endpoint response. Args: access_token_str: The JWT access token string sso_jwt_handler: SSO-specific JWT handler for team ID extraction result: The SSO result object to update with team IDs and role role_mappings: Optional role mappings configuration for group-based role determination rNverify_signatureFoptionszYAccess token is not a valid JWT (possibly an opaque token), skipping JWT-based extractionteam_ids user_rolecSg|]}t|qSrSrQ.0grSrSrT z0process_sso_jwt_access_token..cSg|] }|r|qSrSstriprnrSrSrTrqs ,Determined role 'z' from access token groups '' using role_mappingsGENERIC_USER_ROLE_ATTRIBUTErbzExtracted role 'z' from access token field ''zSet user_role='z' from JWT access token)jwtdecode exceptions DecodeErrorrr`rPdictgetget_team_ids_from_jwtgetattrsetattrrX group_claimrr]rQsplitrcrYosgetenvr=)rdrerfrWr{Zaccess_token_payloadZresult_team_idsrjZ existing_rolerkruser_groups_rawrV generic_user_role_attribute_nameZuser_role_from_tokenrSrSrTprocess_sso_jwt_access_tokens                $*rz/sso/key/generateZ experimentalF)tagsinclude_in_schemarequestsourcekey existing_keycsddlm}m}m}tdd}tdd}tdd} td} | dur0t| d} | r0tS|dus<|dus<| durj|d urj|dur^|jj IdH} | r]| d kr]t d t j d tjd n t tjjt j d tjd t} | durs| Std}tj|d|d}tj|||d}|durzddlm}|j|dIdHWStytdwtj||| dd urtd|tj|||| |dIdHS|durddl m!}|t"ddSddl m!}|t"ddS) Create Proxy API Keys using Google Workspace SSO. Requires setting PROXY_BASE_URL in .env PROXY_BASE_URL should be the your deployed proxy endpoint, e.g. PROXY_BASE_URL="https://litellm-production-7002.up.railway.app/" Example: r) premium_user prisma_client"user_custom_ui_sso_sign_in_handlerMICROSOFT_CLIENT_IDNGOOGLE_CLIENT_IDGENERIC_CLIENT_IDZDISABLE_ADMIN_UI)raTaYou must be a LiteLLM Enterprise user to use SSO for more than 5 users. If you have a license please set `LITELLM_LICENSE` in your env. If you want to obtain a license meet with us here: https://calendly.com/d/cx9p-5yf-2nm/litellm-introductions You are seeing this error message because You set one of `MICROSOFT_CLIENT_ID`, `GOOGLE_CLIENT_ID`, or `GENERIC_CLIENT_ID` in your env. Please unset thisrmessagetypeparamcodeZ UI_USERNAME sso/callback)rsso_callback_router)rrr)EnterpriseCustomSSOHandler)rzYEnterprise features are not available. Custom UI SSO sign-in requires LiteLLM Enterprise.microsoft_client_idgoogle_client_idgeneric_client_idzRedirecting to SSO login for ) redirect_urlrrrstate HTMLResponsecontent status_code)#litellm.proxy.proxy_serverrrrrrrDr2dblitellm_usertablecountr(r' auth_errorrHTTP_403_FORBIDDENr db_not_connected_errorrar3SSOAuthenticationHandlerget_redirect_url_for_sso_get_cli_stateZ0litellm_enterprise.proxy.auth.custom_sso_handlerrZhandle_custom_ui_sso_sign_in ImportError ValueErrorshould_use_sso_handlerrinfoget_sso_login_redirectfastapi.responsesrr5)rrrrrrrrrrZ_disable_ui_flagZ is_disabledZ total_usersZmissing_env_varsZ ui_usernamerZ cli_staterrrSrSrT google_login s              r jwt_handler team_mappingsrJc Cstdd}tdd}tdd}tdd}td d } td d } td d} tdd} td|d|g} |durN|tt|}| ||durv|jdurvt tt||jgd}|ru| |td|jd|n |tt|}| |d}|dur|j dvr|j }t ||}g}t |trdd|D}nt |trdd|dD}n |durt|g}|rt||}td|r|jndd|dn|j}td|d|j|durt || }|durt|}|dur|}td|jd | d!d}| r*i}| dD]}|}t ||||<qtt ||t ||tt ||t ||t || t || | ||d" S)#NZGENERIC_USER_ID_ATTRIBUTEZpreferred_usernameZ#GENERIC_USER_DISPLAY_NAME_ATTRIBUTEsubZGENERIC_USER_EMAIL_ATTRIBUTErNZ!GENERIC_USER_FIRST_NAME_ATTRIBUTE first_nameZ GENERIC_USER_LAST_NAME_ATTRIBUTE last_nameZGENERIC_USER_PROVIDER_ATTRIBUTEproviderryrbZGENERIC_USER_EXTRA_ATTRIBUTESz! generic_user_id_attribute_name: z% generic_user_email_attribute_name: )dataZkey_pathdefaultz:Loaded team_ids from DB team_mappings.team_ids_jwt_field='z': )genericZoktacSrlrSrmrnrSrSrTrqrrz.generic_response_convertor..cSrsrSrtrnrSrSrTrqsrvrwz' from groups 'rxzNo groups found in 'z', using default_role: Found valid LitellmUserRoles 'z' from SSO attribute 'rz) id display_namerNrrrrjrk extra_fields)rrrr`rr rextendteam_ids_jwt_fieldrrrRrrPr]rQrrcrarYr=rur<rU)responserrerWrZgeneric_user_id_attribute_nameZ(generic_user_display_name_attribute_nameZ!generic_user_email_attribute_nameZ&generic_user_first_name_attribute_nameZ%generic_user_last_name_attribute_nameZgeneric_provider_attribute_namerZgeneric_user_extra_attributesZ all_teamsrjZteam_ids_from_db_mappingrkrrrVZuser_role_from_ssorbr attr_namerSrSrTgeneric_response_convertors             rrrcCs tdd}tddd}tdd}tdd}tdd}td d d k}|dur9td tjdtjd |durGtdtjdtjd |durUtdtjdtjd |durctdtjdtjd t d|d|d|t d|d|d||||||fS)z5Setup and validate Generic SSO environment variables.GENERIC_CLIENT_SECRETN GENERIC_SCOPEopenid email profile GENERIC_AUTHORIZATION_ENDPOINTGENERIC_TOKEN_ENDPOINTGENERIC_USERINFO_ENDPOINTZGENERIC_INCLUDE_CLIENT_IDfalsetrue2GENERIC_CLIENT_SECRET not set. Set it in .env filer;GENERIC_AUTHORIZATION_ENDPOINT not set. Set it in .env file3GENERIC_TOKEN_ENDPOINT not set. Set it in .env file6GENERIC_USERINFO_ENDPOINT not set. Set it in .env fileauthorization_endpoint:  token_endpoint:  userinfo_endpoint: GENERIC_REDIRECT_URI:  GENERIC_CLIENT_ID:  ) rrrrRr(r'rrHTTP_500_INTERNAL_SERVER_ERRORrr`)rrgeneric_client_secret generic_scopegeneric_authorization_endpointgeneric_token_endpointgeneric_userinfo_endpointgeneric_include_client_idrSrSrT_setup_generic_sso_env_varss`    rc sd}zcddlm}|d}|jjjddidIdH}|rX|jr[t|j}|d}|r^dd lm }t |tr?|di|}nt ||rF|}|ra|j rdt d |j d W|SW|SW|SW|SW|SW|Sty}zt d |d WYd}~|Sd}~ww)z/Setup team mappings from SSO database settings.Nrget_prisma_client_or_throw7Prisma client is None, connect a database to your proxyr sso_configwherer)rJz/Loaded team_mappings with team_ids_jwt_field: 'rzz,Could not load team_mappings from database: z,. Continuing with config-based team mapping.rS)litellm.proxy.utilsrrlitellm_ssoconfig find_unique sso_settingsrr/litellm.types.proxy.management_endpoints.ui_ssorJrPrrr` Exception)rrr sso_db_recordsso_settings_dictZteam_mappings_datarJerSrSrT_setup_team_mappingsSsR            rc sd}zPddlm}|d}|jjjddidIdH}|rR|jrRt|j}|d}|rRdd lm }t |tr?|di|}nt ||rF|}|rRt d |j d Wntyn}zt d |d WYd}~nd}~wwtdd}tdd} tdd} |durt dddl} z.| |} t | trdd lm }d| | | d}|di|}t d|j d|WSW|Sty}zt d|d WYd}~|Sd}~ww|S)z/Setup role mappings from SSO database settings.NrrrrrrrW)rIz#Loaded role_mappings for provider 'rzz,Could not load role_mappings from database: z&. Continuing with existing role logic.ZGENERIC_ROLE_MAPPINGS_ROLESZ!GENERIC_ROLE_MAPPINGS_GROUP_CLAIMZ"GENERIC_ROLE_MAPPINGS_DEFAULT_ROLEzAFound role_mappings for generic provider in environment variablesr)rrrYrXz5Loaded role_mappings from environments for provider 'z'.z9Error decoding role mappings from environment variables: rS)rrrrrrrrrrIrPrr`rrrrast literal_eval TypeErrorwarning) rWrrrrZrole_mappings_datarIrZgeneric_role_mappingsZ!generic_role_mappings_group_claimZ#generic_role_mappoings_default_rolerZgeneric_user_role_mappings_datarSrSrT_setup_role_mappingsys              rc srddlm}ddlm}dt||\}}} } } } || | | d} tIdHtIdHfdd}|d| |d}||||d |d }td t d d}i}|durs| d }|D]}| }|rr| d\}}|||<q_z |j |tj|| dIdH|dIdH}|j}t||dWnty}z td|d||d}~wwtd||pifS)NrDiscoveryDocumentcreate_providerZauthorization_endpointZtoken_endpointZuserinfo_endpointcs|t|dS)N)rrrerWr)r)rclientrreceived_responserWrerrSrTresponse_convertorsz4get_generic_sso_response..response_convertoroidc)namediscovery_documentrT client_id client_secret redirect_uriallow_insecure_httpscopez&calling generic_sso.verify_and_processZGENERIC_SSO_HEADERSrv=)rr)paramsheaders)rWz,Error verifying and processing generic SSO: z. Passed in headers: zgeneric result: %s)fastapi_sso.sso.baserfastapi_sso.sso.genericrrrrrr`rrrruverify_and_processr!prepare_token_exchange_parameters access_tokenrr exception)rrrerrrrrrrrrr discoveryr SSOProvider generic_ssoZadditional_generic_sso_headersZ#additional_generic_sso_headers_dictZ$additional_generic_sso_headers_splitheaderrrarfrdrrSrrTget_generic_sso_responses             rc spzt|jdd}t||d}t|ttjddIdHWSty7}zt d|WYd}~dSd}~ww)z,Create a task for adding a member to a team.user)user_idrb)memberteam_idrkruser_api_key_dictN3[Non-Blocking] Error trying to add sso user to db: ) r#r!r*r;r+r"rZrrr`)r# user_infor"Zteam_member_add_requestrrSrSrTcreate_team_member_add_task!s" r)r( sso_teamsc sjdur jng}t|t|}t|}g}fdd|D}z tj|IdHWdStyH}ztd|WYd}~dSd}~ww)zq - Get missing teams (diff b/w user_info.team_ids and sso_teams) - Add missing user to missing teams Ncsg|]}t|qSrS)r))ror#r(rSrTrq?sz+add_missing_team_member..r')teamsr^r]asynciogatherrrr`)r(r* user_teamsZ missing_teamsZmissing_teams_listtasksrrSr+rTadd_missing_team_member3s  r1cCs:tj}|dur dS|dpi}|dpg}td|vS)NFpersonal_key_generationallowed_user_rolesZ proxy_admin)litellmkey_generation_settingsrbool)r5r2r3rSrSrT,get_disabled_non_admin_personal_key_creationLs  r7r! user_emailruser_api_key_cacheproxy_logging_objc sbzt||||dd||dIdH}W|Sty0}ztd|d}WYd}~|Sd}~ww)NF)r!r8rr9Zuser_id_upsertZparent_otel_spanr: sso_user_idzError getting user object: )r-rrr`)r!r8rr9r:r(rrSrSrTget_existing_user_info_from_dbWs&r<user_defined_valuesalternate_user_idc sPzg}|dur ||t|ts't|dd}|dur&t|tr&||n|dd}|dur;t|tr;||tt|tsGt|ddn|dd}d} |D]} t| ||||dIdH} | durfnqRt d| dt j t j || |||dIdH} t j|| dIdH| WSty} ztd| WYd} ~ dSd} ~ ww) NrrN)r!r8rr9r:z user_info: z(; litellm.default_internal_user_params: )rfr(r8r=r)rfr(r')appendrPrrrQrrUr<rr`r4default_internal_user_paramsrupsert_sso_user#add_user_to_teams_from_sso_responserr) rfrr9r:r8r=r>Zpotential_user_idsZ_idr(r!rrSrSrTget_user_info_from_dbpsh           rCsso_rolecCs.|durdSt|std|ddSdS)zLreturns true if SSO upsert should use the 'role' defined on the SSO responseNFz SSO role 'zo' is not a valid LiteLLM user role. Ignoring role from SSO response. See LitellmUserRoles enum for valid roles.T)r>rr`)rDrSrSrT"_should_use_role_from_sso_responses rEr<cCs^dt|i}t|dd}|dur-t|tr|jn|}t|r-||d<td|d||S)aI Build the update data dictionary for SSO user upsert. Args: result: The SSO response containing user information user_email: The user's email from SSO user_id: The user's ID for logging purposes Returns: dict: Update data containing user_email and optionally user_role if valid r8rkNzUpdating user z role from SSO: )rUrrPr"rarErr)rfr8r! update_datarDZ sso_role_strrSrSrT_build_sso_user_update_datas  rGcCs|durdS|dur|jdur|j|d<|d}|r|jnd}t|r1td|d|dn#|dus:|jdurFtjj|d<t dn|j|d<t d|j|duret |dre|j re|j |d<|S) Nr!rkzUsing SSO role: z (DB role was: )z?No SSO or DB role found, using default: INTERNAL_USER_VIEW_ONLYzUsing DB role: models) r!rrkrErrr"r\rar`hasattrrI)r(r=rDZdb_rolerSrSrT1apply_user_info_values_to_sso_user_defined_valuess*    rKrkcsdtd}|dur0||kr0|r|tjjkr|S|r,|jjjd|idtjjidIdHtjj}|S)z` - Check if user role in DB is admin - If not, update user role in DB to admin role ZPROXY_ADMIN_IDNr!rkrr)rrr"rZrarrupdate)rkr!rZproxy_admin_idrSrSrT"check_and_update_if_proxy_admin_id s   rNz /sso/callbackrcs2td|ddlm}ddlm}ddlm}ddlm }m }m }m }m } |dur5tdtjjd d} |d d} | dur]t| tr]|} | j|| ||d id dd dd tdd} tdd} tdd}d}|durtdtjdtjdtj|dd}td|d}| durtj || |dIdH}n"| durt!j"|| |dIdH}n|durt#||||| dIdH\}}|durtddd |r |$|dr |%dd}t&|dkr|dnd}t&|dkr|dnd}td|d |t'||||d!IdHStj(||||| d"IdHS)#z Verify loginz"Starting SSO callback with state: r) LITELLM_CLI_SESSION_TOKEN_PREFIXLiteLLM_JWTAuthr/)general_settingsr master_keyrr9Nrdetailui_access_modesso_group_jwt_fieldrrr9Zlitellm_jwtauthZleewayrrrzMaster Key not set for Proxy. Please set Master Key to use Admin UI. Set `LITELLM_MASTER_KEY` in .env or set general_settings:master_key in config.yaml. https://docs.litellm.ai/docs/proxy/virtual_keys. If set, use `--detailed_debug` to debug issue.rSrrrrRedirecting to )rrr)rrrrrrrrez$Result not returned by SSO provider.:z#CLI SSO callback detected for key: , existing_key: )rrrrf)rfrrrrW))rrlitellm.constantsrOlitellm.proxy._typesrQlitellm.proxy.auth.handle_jwtr0rrRrrSrr9rr rrarrPrupdate_environmentrrr(r'rrrrrGoogleSSOHandlerget_google_callback_responseMicrosoftSSOHandlerget_microsoft_callback_responser startswithrlencli_sso_callback!get_redirect_response_from_openid)rrrOrQr0rRrrSrr9rerWrrrrrrfZ state_partskey_idrrSrSrT auth_callback$s          rpc sztd|d|ddlm}m}m}|r|ds#tddd|d ur/td tj j d|d ur9td d dt t t tf|}tj|d }td |zt|||||dd |ddId H} | d urotd ddddlm} g} t| dr| jrt| jtr| jng} g} z*| r|jjjdd| iidId H} | D]}|}| |d|ddqWnty}zt d|WYd }~nd }~ww| j!| j"t| dr| j#ng|d| | d}| d|}|j$||ddtd| j!d | d!t%| dd"l&m'}dd#l(m)}|}||d$d%WSty<}zt d&|td d't*|dd }~ww)(zDCLI SSO callback - stores session info for JWT generation on pollingzCLI SSO callback for key: rbr)rr:r9sk-zAInvalid key parameter. Must be a valid key ID starting with 'sk-'rUNrTzz,Failed to retrieve user information from SSO CLI_SSO_SESSION_CACHE_KEY_PREFIXr,r#inr team_aliasr#rwz1Error fetching team details for CLI SSO session: rI)r!rkrIr8r, team_detailsr_Xrrattlz!Stored CLI SSO session for user: z , teams: z , num_teams: r)render_cli_sso_success_pagerrzError with CLI SSO callback: zFailed to process CLI SSO: )+rrrrr:r9rkrr rrar r rMrr"_get_user_email_and_id_from_resultr`rCrrcrurJr,rPr]rlitellm_teamtableZ find_many model_dumpr?rerrorr!rkrIZ set_cacherlrrZ5litellm.proxy.common_utils.html_forms.cli_sso_successr}rQ)rrrrfrr:r9Zresult_non_noneparsed_openid_resultr(rur,ryZ prisma_teamsZteam_rowZ team_dictr session_data cache_keyrr} html_contentrSrSrTrms        rmz/sso/cli/poll/{key_id}ror#c sddlm}ddlm}ddlm}|dstdddz|d |}|j|d }|r| d g}| d }|d } t d| d|d|dt ||durt |dkrt d| d|d} t |trq|rq|} n |rzdd|D} d| || ddWS|dur||vrtdd|d|dn t |dkr|dnd}t| |d| dgtjd } |j| |d!} |j|d t d"| d#|d| | |||d$WSd%d&iWSty} zt d'| td(d)t| dd} ~ ww)*a CLI polling endpoint - retrieves session from cache and generates JWT. Flow: 1. First poll (no team_id): Returns teams list without generating JWT 2. Second poll (with team_id): Generates JWT with selected team and deletes session Args: key_id: The session key ID team_id: Optional team ID to assign to the JWT. If provided, must be one of user's teams. rrt)r,)r9rqrrzInvalid key ID formatrUr_rr,ryr!zCLI poll: user=z , team_id=z , user_teams=z , num_teams=NrazReturning teams list for user z to select from: cSsg|]}|ddqS)NrxrS)rotrSrSrTrq<s z cli_poll_key..readyT)rr!r,ryZrequires_team_selectionizUser does not belong to team: z. Available teams: rkrIr!rkrI max_budget)r(r#zCLI JWT generated for user: z, team: )rrr!r#r,ryrpendingzError polling for CLI JWT: rTzError checking session status: )rcrulitellm.proxy.auth.auth_checksr,rr9rkrZ get_cacherrrrlrPr]r!r4max_ui_session_budgetZget_cli_jwt_auth_tokenZ delete_cacherrrQ)ror#rur,r9rrr/Zuser_team_detailsr!Zteam_details_responser( jwt_tokenrrSrSrT cli_poll_key s            r result_openidc s`td||durtdt|trtdi|}|dur%tdtjrM|d}t |rG|}| tj||d<td|dn| tj|dt j j krn|ddurbtj|d<|d durntj|d <|dduryt j|d<t|d t|d |d|d|d |d d d }|rt|drdt|di|_t|tt jddIdH}|S)ar Helper function to create a New User in LiteLLM DB after a successful SSO login Args: result_openid (OpenID): User information in OpenID format if the login was successful. user_defined_values (Optional[SSOUserDefinedValues], optional): LiteLLM SSOValues / fields that were read Returns: Tuple[str, str]: User ID and User Role z)Inserting SSO user into DB. User values: Nzresult_openid is Nonezuser_defined_values is NonerkzPreserved SSO-extracted role 'rzrbudget_durationr!r8F)r!r8rkrrr;Zauto_create_keyrZ auth_providerr$r%rS)rr`rrPrrMr4r@rrErMr"r[ramax_internal_user_budgetinternal_user_budget_durationr\r%rUrJrmetadatar6r+rZ)rr=rDZpreserved_roleZnew_user_requestrrSrSrTinsert_sso_userzsZ            rz/sso/get/ui_settings)rr dependenciesc sddlm}m}tdd}tdd}tdd}t}|dtk}|dd}d tj vr;tj d  d kr;d }||||||d|d S) Nr)rR proxy_statePROXY_BASE_URLPROXY_LOGOUT_URLLITELLM_UI_API_DOC_BASE_URLZspend_logs_row_countdefault_team_disabledFZPROXY_DEFAULT_TEAM_DISABLEDrT)rrrZDEFAULT_TEAM_DISABLEDZ SSO_ENABLEDZNUM_SPEND_LOGS_ROWSZDISABLE_EXPENSIVE_DB_QUERIES) rrRrrrr.Zget_proxy_state_variablerrenvironrR) rrRrZ_proxy_base_urlZ _logout_urlZ_api_doc_base_urlZ_is_sso_enabledZdisable_expensive_db_queriesrrSrSrTget_ui_settingss0     rz/sso/readiness)rrc stdd}tdd}tdd}d}|durd}n |dur#d}n|dur)d}|dur3dd d d Sg}|dkrItd d}|durH|d nc|dkrltd d}tdd}|durb|d |durk|dn@|dkrtdd}tdd} tdd} tdd} |dur|d| dur|d| dur|d| dur|dt|dkrdd||ddStddd|||dd|dd)z Health endpoint for checking SSO readiness. Checks if the configured SSO provider has all required environment variables set in memory. rNrrZgoogle microsoftrZhealthyFzNo SSO provider configured)rsso_configuredrGOOGLE_CLIENT_SECRETMICROSOFT_CLIENT_SECRETMICROSOFT_TENANTrrrrrTz SSO is properly configured)rrrriZ unhealthyz? SSO is configured but missing required environment variables: z, )rrrZmissing_environment_variablesrrU)rrr?rl capitalizerjoin) rrrZconfigured_providerZ missing_varsgoogle_client_secretmicrosoft_client_secretmicrosoft_tenantrrrrrSrSrT sso_readinesssx                 rc@seZdZdZe    ddeedeedeedefddZe d?dededeedefddZedeeeee fdeeeefdeedeedef ddZedeeeee fdeeeeffdd Zed!edeeeee fd"ee ded#fd$d%Ze d?d&ed'eefd(d)Ze d?d*eeefd+e d&ed'eede f d,d-Z!e d?d.eed/eedeedeefd0d1Z"e d?deeee fdeede#fd2d3Z$e   d>deee efded"ee deed4eedef d5d6Z%eded7ede fd8d9Z&ede eeffd:d;Z'dS)@rzA Handler for SSO Authentication across all SSO providers NrrrrrrOcs|durPddlm}tdd}|durtdtjdtjd||||d}t d|d |||j |d IdHWdS1sGwYtd(|durtd d}td d} |durntd tjd tjdt ||| |dd} | | j |d IdHWdS1swYtd(|durt\}}||d<d|d <t d ||fS) a Get redirect parameters for Generic SSO with proper state priority handling. Optionally generates PKCE parameters if GENERIC_CLIENT_USE_PKCE is enabled. Priority order: 1. CLI state (if provided) 2. GENERIC_CLIENT_STATE environment variable 3. Generated UUID (required by Okta and most OAuth providers) Args: state: Optional state parameter (e.g., CLI state) generic_authorization_endpoint: Authorization endpoint URL Returns: Tuple[dict, Optional[str]]: - Redirect parameters for SSO login (may include PKCE params) - code_verifier (if PKCE is enabled, None otherwise) NrZGENERIC_CLIENT_STATEZGENERIC_CLIENT_USE_PKCErrrZS256rz|nt||d<t d |durX|j |dIdH|S|j |dIdH|S) z Prepare token exchange parameters for Generic SSO. Args: request: Request object generic_include_client_id: Generic OAuth Client ID Returns: dict: Token exchange parameters Zinclude_client_idrrrrNrrzCPKCE code_verifier retrieved and will be included in token exchange) rrrrrr9Zasync_get_cacherPrQrr`Zasync_delete_cache) rrZ token_paramsrrrr9rrrSrSrTrR s.   z:SSOAuthenticationHandler.prepare_token_exchange_parameterscCsNttddd}t|d }t|dd}||fS)a Generate PKCE (Proof Key for Code Exchange) parameters for OAuth 2.0. Returns: Tuple[str, str]: (code_verifier, code_challenge) - code_verifier: Random 43-128 character string (we use 43 for efficiency) - code_challenge: Base64-URL-encoded SHA256 hash of the code_verifier Reference: https://datatracker.ietf.org/doc/html/rfc7636 zutf-8r) base64urlsafe_b64encodesecretsZ token_bytesr|rstriphashlibsha256rdigest)rZcode_challenge_bytesrrSrSrTr sz-SSOAuthenticationHandler.generate_pkce_params)NNNN)NNNNNN)(r __module__ __qualname____doc__ staticmethodrQrrrrrr rrr6rrrr r<rMr&r!r)r?rArBrrrrrEr$rrrLr~rnrrrSrSrSrTr@sF  T 5    )  % =    G  > 0rc@sleZdZdZdZedZ dZdZe d)de de d e d e d e e eeff d d Zedeedee deed e fddZedee d ee fddZe d*dee d ee fddZede deded eee ee ffddZeded ee fdd Zeded efd!d"Ze d*d#e dedee d eee eeffd$d%Zed&eefd'd(ZdS)+rizS Handles Microsoft SSO callback response and returns a CustomOpenID object https://graph.microsoft.com/v1.0z /me/memberOfrZgraph_api_user_groupsFrrrreturn_raw_sso_responserOcs.tdd}tdd}|durtdtjdtjd|dur)tdtjdtjdt||||dd}|j|d d IdHp=i}t j |j d IdH}t j |j d } td | d} | rv| D]} t| } | duru| } td| jdnq]td||r||t j<| |d<|piSt j||| d} | S)z Get the Microsoft SSO callback response Args: return_raw_sso_response: If True, return the raw SSO response rNrrrz-MICROSOFT_TENANT not set. Set it in .env fileTrFrZconvert_response)r)id_tokenz#Extracted app roles from id_token: rz' in app_rolesz(Combined team_ids (groups + app roles): app_roles)rrjrk)rrr(r'rrrr7rriget_user_groups_from_graph_apirget_app_roles_from_id_tokenrrr`r=raGRAPH_API_RESPONSE_KEYopenid_from_response)rrrrrrrZoriginal_msft_resultZ user_team_idsrrkZrole_strrbrfrSrSrTrj s|    z3MicrosoftSSOHandler.get_microsoft_callback_responserrjrkc Csp|pi}td|tt|tp|d|td|t|t|t ||d}td||S)Nz!Microsoft SSO Callback Response: mailr)rNrrrrrrjrkzMicrosoft SSO OpenID Response: ) rr`r<rUrrrrrr)rrjrkZopenid_responserSrSrTr  s  z(MicrosoftSSOHandler.openid_from_responserc Cs|s tdgSz8ddl}|j|ddid}|dgp"|dg}|r:t|tr:td t|d ||WStd gWSty]}zt d |gWYd}~Sd}~ww) a Extract app roles from the Microsoft Entra ID (Azure AD) id_token JWT. App roles are assigned in the Azure AD Enterprise Application and appear in the 'app_roles' claim of the id_token. Args: id_token (Optional[str]): The JWT id_token from Microsoft SSO Returns: List[str]: List of app role names assigned to the user z,No id_token provided for app role extractionrNrgFrhrrXzFound z app role(s) in id_token: z;No app roles found in id_token or roles claim is not a listz*Error extracting app roles from id_token: ) rr`r{r|rrPr]rlrr)rr{Z decoded_tokenrXrrSrSrTr  s* z/MicrosoftSSOHandler.get_app_roles_from_id_tokenNrc sbzttjd}tdd}gg}|r8tj|||dIdH\}tdt dkr8tj |dIdHg}tj }dd |i}d}|durn|tj krntj |||d IdH\}}|||d 7}|durn|tj ksO|dur|tj krtd tj d rt dkrfdd|D}|WSty} ztd| gWYd} ~ Sd} ~ ww)a Returns a list of `team_ids` the user belongs to from the Microsoft Graph API Args: access_token (Optional[str]): Microsoft Graph API access token Returns: List[str]: List of group IDs the user belongs to )Z llm_providerZMICROSOFT_SERVICE_PRINCIPAL_IDN)service_principal_id async_clientrzService principal group IDs: r)service_principal_teamsrBearer )rrrrazReached maximum page limit of z". Some groups may not be included.csg|]}|vr|qSrSrS)roZgroup_idZservice_principal_group_idsrSrTrq s zFMicrosoftSSOHandler.get_user_groups_from_graph_api..z4Error getting user groups from Microsoft Graph API: )rrZ SSO_HANDLERrrri$get_group_ids_from_service_principalrr`rl4create_litellm_teams_from_service_principal_team_idsgraph_api_user_groups_endpointMAX_GRAPH_API_PAGESfetch_and_parse_groupsrrrr) rrr rZ all_group_idsZ next_linkZ auth_headersZ page_count group_idsrrSrrTrI sn           z2MicrosoftSSOHandler.get_user_groups_from_graph_apirrrcsJ|j||dIdH}|}tj|dIdH}tj|d}||dfS)z8Helper function to fetch and parse group data from a URLrN)rodata_nextLink)rjsonri_cast_graph_api_response_dict&_get_group_ids_from_graph_api_response)rrrr response_jsonZresponse_typedrrSrSrTr s z*MicrosoftSSOHandler.fetch_and_parse_groupscCs:g}|dgp gD]}|d}|dur||q |S)Nrar)rr?)rr_objectZ _group_idrSrSrTr s  z:MicrosoftSSOHandler._get_group_ids_from_graph_api_responsec spg}|dgD]!}|t|d|d|d|d|d|ddq t|d |d |d S) Nraz @odata.typerdeletedDateTime description displayNameroleTemplateId)Z odata_typerrr r!r"z@odata.contextz@odata.nextLink)Z odata_contextrra)rr?rFrG)rZdirectory_objectsrrSrSrTr s$ z1MicrosoftSSOHandler._cast_graph_api_response_dictr c sd}d|d}||}d|dd}|j||dIdH}|}td |g} g} |d gD] } | d d krU| | d | t| d| d dq5| | fS)z Gets the groups belonging to the Service Principal Application Service Principal Id is an `Enterprise Application` in Azure AD Users use Enterprise Applications to manage Groups and Users on Microsoft Entra ID rz/servicePrincipals/z/appRoleAssignedTorzapplication/json)rz Content-TyperNz6Response from service principal app role assigned to: raZ principalTypeGroup principalIdprincipalDisplayName)r%r$)rrrr`r?rH) r rrrZendpointrrrrrrrrSrSrTr s2 z8MicrosoftSSOHandler.get_group_ids_from_service_principalrcs`td||D]"}|d}|d}|s#td|dq tj||dIdHq dS)z Creates Litellm Teams from the Service Principal Group IDs When a user sets a `SERVICE_PRINCIPAL_ID` in the env, litellm will fetch groups under that service principal and create Litellm Teams from them z5Creating Litellm Teams from Service Principal Teams: r$r%zSkipping team creation for z because it has no principalId)rrN)rr`rrr)rZservice_principal_teamrrrSrSrTr s&   zHMicrosoftSSOHandler.create_litellm_teams_from_service_principal_team_idsFr) rrrrZgraph_api_base_urlrrr rrrQr6r r<rMrrjrrr"r r rrr rrGrrrHrrrSrSrSrTri s   U + P     ,ric@s>eZdZdZe d dededededee e ff dd Z d S) rgzP Handles Google SSO callback response and returns a CustomOpenID object FrrrrrOcsxddlm}tdd}|durtdtjdtjd||||d}|r0|j |dd IdHp/iS| |IdH}|p;iS) z Get the Google SSO callback response Args: return_raw_sso_response: If True, return the raw SSO response rrrNrr)r rrFr) rrrrr(r'rrrr)rrrrrrrrfrSrSrTrh s0  z-GoogleSSOHandler.get_google_callback_responseNr&) rrrrrrrQr6r rMrrhrSrSrSrTrg s rgz/sso/debug/logincsddlm}tdd}tdd}tdd}|dus%|dus%|dur3|dur3tdtjd tjd t j |d d }t j |||d durPt j ||||dIdHSdS)rr)rrNrrTaxYou must be a LiteLLM Enterprise user to use SSO. If you have a license please set `LITELLM_LICENSE` in your env. If you want to obtain a license meet with us here: https://calendly.com/d/cx9p-5yf-2nm/litellm-introductions You are seeing this error message because You set one of `MICROSOFT_CLIENT_ID`, `GOOGLE_CLIENT_ID`, or `GENERIC_CLIENT_ID` in your env. Please unset thisrrsso/debug/callbackr[r)rrrr) rrrrr(r'rrrrrrr)rrrrrrrSrSrTdebug_sso_loginD sB     r(/sso/debug/callbackc sDddl}ddlm}ddlm}ddlm}ddlm}m }m }m }d} | dd} | durKt | trK|} | j|||| di ddd dd td d} td d} td d} tdt|j}|drp|d7}n|d7}d}| durtj|| |ddIdH}n#| durtj|| |ddIdH}n| durt||| || dIdH\}}|dur|dddSt|dr|j}nt|}i}|D]F\}}|dur |ds t |tttt fs|dur|||<qzt|||<Wqt!y }zdt|||<WYd}~qd}~wwqt"#dd|j$|ddd }||d!S)"z@ Returns the OpenID object returned by the SSO provider rNrrPr/)rRrrr9rWrXrYrZrrrrrr'r)T)rrrr)rrrrr]zT

SSO Authentication Failed

No data was returned from the SSO provider.

rrr__dict___z!Complex value (not displayable): zconst userData = SSO_DATA;zconst userData = r`)indent;)r)%rrrrdrQrer0rrRrrr9rrPrrfrrrQrrrgrhrirjrrJr*rrkintfloatr6rr4replacedumps)rrrrQr0rRrrr9rerWrrrrrfr+Z result_dictZfiltered_resultrrarrrSrSrTdebug_sso_callbackv s             r2rr)rr-rrrrrcopyrtypingrrrrrrr r r Zfastapir r rrrrrr4Zlitellm._loggingrZ litellm._uuidrZlitellm.cachingrrcrrrrrrrZ0litellm.litellm_core_utils.dot_notation_indexingrZ&litellm.llms.custom_httpx.http_handlerrrrrdr r!r"r#r$r%r&r'r(r)r*r+rr,r-Zlitellm.proxy.auth.auth_utilsr.rer0Z$litellm.proxy.auth.user_api_key_authr1Z)litellm.proxy.common_utils.admin_ui_utilsr2r3Z:litellm.proxy.common_utils.html_forms.jwt_display_templater4Z.litellm.proxy.common_utils.html_forms.ui_loginr5Z:litellm.proxy.management_endpoints.internal_user_endpointsr6Z&litellm.proxy.management_endpoints.ssor7Z3litellm.proxy.management_endpoints.sso_helper_utilsr8r9Z1litellm.proxy.management_endpoints.team_endpointsr:r;Z(litellm.proxy.management_endpoints.typesr<r=r>rr?r@rArBZlitellm.secret_managers.mainrCrDrrErFrGrHrIrJrrLrrMZrouterrQrUrcrrrrrr6rrrrr)r1r7r<rCrErGrKrNrprmrrrrrrirgr(r2rSrSrSrTs  ,    $ 8           :  l x  <&J ^       D $ ' k ~o N Pfv01