hHdZddlZddlZddlZddlmZddlmZmZm Z m Z m Z m Z m Z mZddlmZmZmZmZmZddlmZddlZddlmZddlmZdd lmZdd lmZm Z m!Z!dd l"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0m1Z1dd l2m3Z3ddl4m5Z5ddl6m7Z7ddl8m9Z9m:Z:ddl;mZ>ddl?m@Z@mAZAddlBmCZCmDZDddlEmFZFddlGmHZHmIZImJZJmKZKddlLmMZMmNZNddlOerddlPmQZQnddlmZQeZReRjddgd dVded e eTd!e eTd"e eTfd#ZUeRjd$dgd dWded e eTd!e eTfd%ZV dXd&e5d'e e5fd(ZWded&e5d'e e5d)eTd*eTd+e e eQeXfe eXff d,ZYd-ZZd.e e)e$fd/e eTfd0Z[d1Z\d2e eTd3e eTd4eHd5ed6eId+e e$f d7Z] dXd8e eFeQeXfd4eHd5ed6eId3e eTd9e e,d:e eTd+e e e$e)ffd;Z^d.e e e$e)fd9e e,d+e e,fd<Z_d=eTd2eTd4e eHfd>Z`eRjd?dgddXded@e eTfdAZadXded!e eTfdBZbeRjdCdgddDeTfdEZc dXdFe e eQeXfd9e e,d+e)fdGZdeRjdHdgdee7gIdefdJZeGdKdLZfGdMdNZgGdOdPZheRjdQdgddefdRZieRjdSdgddefdTZjeRjddgddefdUZly)Ya^ Has all /sso/* routes /sso/key/generate - handles user signing in with SSO and redirects to /sso/callback /sso/callback - returns JWT Redirect Response that redirects to LiteLLM UI /sso/debug/login - handles user signing in with SSO and redirects to /sso/debug/callback /sso/debug/callback - returns the OpenID object returned by the SSO provider N)deepcopy) TYPE_CHECKINGAnyDictListOptionalTupleUnioncast) APIRouterDepends HTTPExceptionRequeststatus)RedirectResponse)verbose_proxy_logger) DualCache)MAX_SPENDLOG_ROWS_TO_QUERY)AsyncHTTPHandlerget_async_httpx_clienthttpxSpecialProvider) CommonProxyErrorsLiteLLM_UserTableLitellmUserRolesMemberNewTeamRequestNewUserRequestNewUserResponseProxyErrorTypesProxyExceptionSSOUserDefinedValuesTeamMemberAddRequestUserAPIKeyAuth)ExperimentalUIJWTTokenget_user_object)_has_user_setup_sso JWTHandler)user_api_key_auth)admin_ui_disabledshow_missing_vars_in_env)jwt_display_template)new_user)check_is_admin_only_accesshas_admin_ui_access)new_teamteam_member_add) CustomOpenID) PrismaClient ProxyLoggingget_custom_urlget_server_root_path)get_secret_bool str_to_bool)*)OpenID)r/sso/key/generate experimentalF)tagsinclude_in_schemarequestsourcekeyerrorcKddlm}tjdd}tjdd}tjdd}tjd}|t |} | r t Sd } ||||d urd } t } | | Sd } |d k(rd } d } | rd} tt|jd}d|d| d| d}ddl m }||dSw)aW Create Proxy API Keys using Google Workspace SSO. Requires setting PROXY_BASE_URL in .env PROXY_BASE_URL should be the your deployed proxy endpoint, e.g. PROXY_BASE_URL="https://litellm-production-7002.up.railway.app/" Example: Serves a unified login page with options for both normal username/password login and SSO. r premium_userMICROSOFT_CLIENT_IDNGOOGLE_CLIENT_IDGENERIC_CLIENT_IDDISABLE_ADMIN_UI)valueFT1u
⚠️ Invalid username or password. Please try again.
u

or

🔐 Login with SSO
loginrequest_base_urlroutea LiteLLM Login

Login

Access your LiteLLM Admin UI.

a
Default Credentials

By default, Username is admin and Password is your set LiteLLM Proxy MASTER_KEY.

Need to set UI credentials or SSO? Check the documentation.

a
 HTMLResponsecontent status_code) litellm.proxy.proxy_serverrEosgetenvr8r*r+r5strbase_urlfastapi.responsesrR)r?r@rArBrEmicrosoft_client_idgoogle_client_idgeneric_client_id_disable_ui_flag is_disabled sso_availablemissing_env_vars error_message sso_button form_actionunified_login_htmlrRs e/var/www/Befach/backend/env/lib/python3.12/site-packages/litellm/proxy/management_endpoints/ui_sso.pyserve_login_pageriNs58))$94@yy!3T: "5t<yy!34#!(89 $& &M'  '  ( 4  M01#M |  J >!#g6F6F2GwWKp`-   4  g]~/  2 DDsCC!z /sso/logincKddlm}m}tjdd}tjdd}tjdd}|||/|dur+t dt jd tj tj|d }tj|| } |! ddl m} | j|d{Stj%|||dur:t'j(d|tj+||||| d{St-ddS7e#t $r t#dwxYw7+w)zY Handles SSO login redirect - this is what the "Login with SSO" button points to r)rE"user_custom_ui_sso_sign_in_handlerrFNrGrHT}You must be a LiteLLM Enterprise user to use SSO. If you have a license please set `LITELLM_LICENSE` in your env. If you want to obtain a license meet with us here: https://calendly.com/d/4mp-gd3-k5k/litellm-1-1-onboarding-chat You are seeing this error message because You set one of `MICROSOFT_CLIENT_ID`, `GOOGLE_CLIENT_ID`, or `GENERIC_CLIENT_ID` in your env. Please unset thisrEmessagetypeparamcode sso/callbackr?sso_callback_route)r@rA)EnterpriseCustomSSOHandler)r?zYEnterprise features are not available. Custom UI SSO sign-in requires LiteLLM Enterprise.r]r^r_zRedirecting to SSO login for ) redirect_urlr]r^r_stater;/urlrV)rWrErkrXrYr r auth_errorrHTTP_403_FORBIDDENSSOAuthenticationHandlerget_redirect_url_for_sso_get_cli_state0litellm_enterprise.proxy.auth.custom_sso_handlerruhandle_custom_ui_sso_sign_in ImportError ValueErrorshould_use_sso_handlerrinfoget_sso_login_redirectr) r?r@rArErkr]r^r_rw cli_staterus rhsso_login_redirectrs ))$94@yy!3T: "5t< '  '  ( t # X$//$..  ,DD)EL 8FF  G I *5  4PPQ  !77 3-/ 8    !!$A,"PQ-DD% 3-/ E    $7SII7 k   s=B0E3D6D4D6AE"E#E4D66E  E jwt_handlersso_jwt_handlerc tjdd}tjdd}tjdd}tjdd}tjd d }tjd d }tjd |d|g} |0|j t t |} | j| |j t t |} | j| t|j||j||j||j||j||j|| S)NGENERIC_USER_ID_ATTRIBUTEpreferred_username#GENERIC_USER_DISPLAY_NAME_ATTRIBUTEsubGENERIC_USER_EMAIL_ATTRIBUTEemail!GENERIC_USER_FIRST_NAME_ATTRIBUTE first_name GENERIC_USER_LAST_NAME_ATTRIBUTE last_nameGENERIC_USER_PROVIDER_ATTRIBUTEproviderz! generic_user_id_attribute_name: z% generic_user_email_attribute_name: )id display_namerrrrteam_ids) rXrYrdebugget_team_ids_from_jwtr dictextendr2get) responserrgeneric_user_id_attribute_name(generic_user_display_name_attribute_name!generic_user_email_attribute_name&generic_user_first_name_attribute_name%generic_user_last_name_attribute_namegeneric_provider_attribute_name all_teamsrs rhgeneric_response_convertorrsl &(YY#%9&"02yy-u0,)+ &)%.0YY+\.*-/II*K-)')ii):'# +,J+KKqsTrU VI""88dH9MN"00dH1EFH X  <<6 7\\"JKll<=<< FG,,DE=> r_rwreturncdKddlm}ddlm}dt j dd}t j ddj d}t j dd} t j d d} t j d d} t j d d jd k(} |+tdtjdtj| +tdtjdtj| +tdtjd tj| +tdtjd tjtjd| d| d| tjd|d|d|| | | } fd}|d| |}||||d|}tjdt j d d}i}|D|j d!}|D].}|j}|s|j d"\}}|||<0 |j!|d#| i|$d{}tjd'||xsifS7"#t"$r"}tj$d%|d&||d}~wwxYww)(NrDiscoveryDocumentcreate_providerGENERIC_CLIENT_SECRET GENERIC_SCOPEopenid email profile GENERIC_AUTHORIZATION_ENDPOINTGENERIC_TOKEN_ENDPOINTGENERIC_USERINFO_ENDPOINTGENERIC_INCLUDE_CLIENT_IDfalsetrue2GENERIC_CLIENT_SECRET not set. Set it in .env filerm;GENERIC_AUTHORIZATION_ENDPOINT not set. Set it in .env file3GENERIC_TOKEN_ENDPOINT not set. Set it in .env file6GENERIC_USERINFO_ENDPOINT not set. Set it in .env fileauthorization_endpoint:  token_endpoint:  userinfo_endpoint: GENERIC_REDIRECT_URI:  GENERIC_CLIENT_ID:  authorization_endpointtoken_endpointuserinfo_endpointc$|t|S)N)rrr)r)rclientrreceived_responsers rhresponse_convertorz4get_generic_sso_response..response_convertorOs$)#+  roidc)namediscovery_documentrT client_id client_secret redirect_uriallow_insecure_httpscopez&calling generic_sso.verify_and_processGENERIC_SSO_HEADERS,=include_client_id)paramsheadersz,Error verifying and processing generic SSO: z. Passed in headers: zgeneric result: %s)fastapi_sso.sso.baserfastapi_sso.sso.genericrrXrYsplitlowerr rr|rHTTP_500_INTERNAL_SERVER_ERRORrrstripverify_and_process Exception exception)r?rrr_rwrrgeneric_client_secret generic_scopegeneric_authorization_endpointgeneric_token_endpointgeneric_userinfo_endpointgeneric_include_client_id discoveryr SSOProvider generic_ssoadditional_generic_sso_headers#additional_generic_sso_headers_dict$additional_generic_sso_headers_splitheaderrArJresulters `` @rhget_generic_sso_responsers77(,II&=tDIIo/EFLLSQM%'YY/OQU%V"YY'?F " *Et L -w7==?6I$H ++)66   &-Q ++266   %I ++*66   !(L ++-66    "#A"BBTUkTlmBC\B] ^ .CDUCVVXY"=-3I  " $-K #+!  KGH%'YYt&"+-'%1/M/S/STW/X,:F\\^F#\\#. U;@3C8 ; "55 ')BC76  3V< D"1445IJPb  !33 44rr user_email prisma_clientuser_api_key_cacheproxy_logging_objc K t||||dd||d{}|S7#t$r%}tjd|d}Yd}~|Sd}~wwxYww)NF)rrrruser_id_upsertparent_otel_spanr sso_user_idzError getting user object: )r%rrr)rrrrrrrs rhget_existing_user_info_from_dbr sq )!'1 !/       ""%@#DE  s6A#!#A# AA A AAruser_defined_valuesalternate_user_idcK g}||j|t|ts1t|dd}|Wt|trG|j|n5|j dd}|!t|tr|j|t|ts t|ddn|j dd}d} |D]} t | ||||d{} | ntjd| dtj| "tj|| |||d{} tj|| d{| S7x7'7 #t$r"} tjd| Yd} ~ yd} ~ wwxYww) Nrr)rrrrrz user_info: z(; litellm.default_internal_user_params: )rrrr!r)rrr)append isinstancergetattrrZrr rrrdefault_internal_user_paramsr~upsert_sso_user#add_user_to_teams_from_sso_responserr) rrrrrr!r"potential_user_ids_idrrrs rhget_user_info_from_dbr,s8   (  % %&7 8&$'&$-C:c3#7"))#.**T4(C:c3#7"))#.fd+ FGT *GT*  JN )G<%+#5"3 I$* "")$LWMqMqLr s  6FF#%$7+ GI'JJK   ="  &&A! E     slFCEEE A E+E,E E EFEEE F E=8F=FFc|y||j|j|d<| |jtj|d<|S|j|d<|S)Nrr)rrrINTERNAL_USER_VIEW_ONLYrr!s rh1apply_user_info_values_to_sso_user_defined_valuesr0sr"!2!2!>)2):):I&I//7+;+S+SK( ,5+>+>K( rrcZKtjd}|||k(r|r|tjjk(r|S|rK|j j jd|idtjjid{tjj}|S7 w)z` - Check if user role in DB is admin - If not, update user role in DB to admin role PROXY_ADMIN_IDNrrwherer)rXrYrrrJdblitellm_usertableupdate)rrrproxy_admin_ids rh"check_and_update_if_proxy_admin_idr9&sYY/0N!n&? &6&B&B&H&HH  ""44;; '*!#3#?#?#E#EF<   %0066  sBB+B) !B+z /sso/callbackrxc Ktjd|ddlm}|rV|j |drB|j ddd}tjd|t ||d{Sdd lm}dd l m }dd l m }m }m}m} m} | %t#d t$j&j( d} |j+dd} | St-| t.rC|} | j1| | ||j+dij+dddt3j4dd} t3j4dd}t3j4dd}d}|+t7dt8j:dt<j>t@jC|d}tjd|d}|!tDjG|||d{}n@| !tHjK|| |d{}n|tM||||| d{\}}| t#dd t@jO||||| d{S77y7X7?7 w)!z Verify loginz"Starting SSO callback with state: r) LITELLM_CLI_SESSION_TOKEN_PREFIX:z#CLI SSO callback detected for key: )rANLiteLLM_JWTAuthr')general_settingsr master_keyrrrVdetailui_access_modesso_group_jwt_fieldteam_ids_jwt_fieldrrlitellm_jwtauthleewayrFrGrHzMaster Key not set for Proxy. Please set Master Key to use Admin UI. Set `LITELLM_MASTER_KEY` in .env or set general_settings:master_key in config.yaml. https://docs.litellm.ai/docs/proxy/virtual_keys. If set, use `--detailed_debug` to debug issue.rArmrrrsRedirecting to )r?r^rw)r?r]rwr?rr_rwrz$Result not returned by SSO provider.)rr?rr_rE)(rrlitellm.constantsr; startswithrcli_sso_callbacklitellm.proxy._typesr?litellm.proxy.auth.handle_jwtr(rWr@rrArrrrdb_not_connected_errorrJrr%rupdate_environmentrXrYr rr|rrr~rGoogleSSOHandlerget_google_callback_responseMicrosoftSSOHandlerget_microsoft_callback_responser!get_redirect_response_from_openid)r?rxr;key_idr?r(r@rrArrrrEr]r^r_rrwrs rh auth_callbackr\=s B5'JKC !!%E$Fa"HIS!$Q'!!$Gx"PQ%g6:::48$5$L$L$R$R  -1O%))*:DAN!j&F$,**'1+#3#7#78H"#M#Q#Q)4$  + ))$94@yy!3T: "5t<(,P ++66   ,DDNEL ~>? F#'DD-%E    (*JJ 3%K    &*B#/%+ + % !!~9  *KK++% L [;f  %  s[A2I$4I5E-I$"I#"I$II$ I !3I$I"I$I$I$ I$"I$c "Ktjd|ddlm}ddlm}|r|j ds tdd|%td tjj |d d tjiidd d | d {tjd|ddl m}ddlm}|}||dS79#t"$r6}tj$d|td dt'|d }~wwxYww)z:CLI SSO callback - generates the key with pre-specified IDzCLI SSO callback for key: r)generate_key_helper_fnrsk-zAInvalid key parameter. Must be a valid key ID starting with 'sk-'rCNrBrA24hrz litellm-cli) request_typedurationkey_max_budgetaliasesconfigspendr table_nametokenzGenerated CLI key: rQ)render_cli_sso_success_pagerSrTzError generating CLI key: zFailed to generate key: )rr;litellm.proxy.management_endpoints.key_management_endpointsr^rWrrPrrrTrJrmax_ui_session_budgetr\rR5litellm.proxy.common_utils.html_forms.cli_sso_successrkrrBrZ)r?rAr^rrRrk html_contentrs rhrQrQs( :3%@A9 cnnU+V  $5$L$L$R$R  Y$"88!   !!$7u"=> 3 34 LcBB- 0 Y""%?s#CD6NsSTvh4WXXYs<A,D/"C C 8C D C D 1DD  Dz/sso/cli/poll/{key_id}r[cKddlm}|jds tdd|%tdtj j  dd lm}||}|jjjd |i d{}|rtjd |d |dSddiS7'#t$r6}tjd|tddt!|d}~wwxYww)z1CLI polling endpoint - checks if key exists in DBrr_r`razInvalid key ID formatrCNrB) hash_tokenrjr4zCLI key found: ready)rrArpendingzError polling for CLI key: zError checking key status: )rWrrPrrrTrJlitellm.proxy.utilsrqr5litellm_verificationtoken find_uniquerrrrBrZ)r[rrq hashed_tokenkey_objrs rh cli_poll_keyrzs9   U #4KLL$5$L$L$R$R   2!&) %((BBNNL)O    % %x&@ A%f5 5i( (   ""%@#DE&A#a&$J   sHA C49B2B0 "B2+C4,B2/C40B22 C1;1C,,C11C4 result_openidc Ktjd|| tdt|tr t di|}| tdt jr|jt j|jdtjjk(rH|jdt j|d<|jdt j|d<|dtj|d<t!|d|d |d|d|d|dd }|rd |j"i|_t'|t)tj* d{}|S7w)ar Helper function to create a New User in LiteLLM DB after a successful SSO login Args: result_openid (OpenID): User information in OpenID format if the login was successful. user_defined_values (Optional[SSOUserDefinedValues], optional): LiteLLM SSOValues / fields that were read Returns: Tuple[str, str]: User ID and User Role z)Inserting SSO user into DB. User values: Nzresult_openid is Nonezuser_defined_values is Noner max_budgetbudget_durationrrF)rrrr}r~rauto_create_key auth_providerrr)rrrr%rr:rr'r7rr INTERNAL_USERrJmax_internal_user_budgetinternal_user_budget_durationr.rrmetadatar-r#r)r{r!new_user_requestrs rhinsert_sso_userrs 34G3HI011-&// "677++""7#G#GH{+/?/M/M/S/SS  " "< 0 8070P0P  -  " "#4 5 =55 1 2;'/+;+S+SK(%#I.&|4%k2&|4+,=>' 2%4m6L6L$M! (3C3O3OPH O sE*E5,E3-E5z/sso/get/ui_settings)r=r> dependenciesczKddlm}m}tjdd}tjdd}t }|j dtkD}|jdd}dtjvr&tjdjd k(rd }|||||j d|d Sw) Nr)r@ proxy_statePROXY_BASE_URLPROXY_LOGOUT_URLspend_logs_row_countdefault_team_disabledFPROXY_DEFAULT_TEAM_DISABLEDrT)rrDEFAULT_TEAM_DISABLED SSO_ENABLEDNUM_SPEND_LOGS_ROWSDISABLE_EXPENSIVE_DB_QUERIES) rWr@rrXrYr&get_proxy_state_variablerrenvironr)r?r@r_proxy_base_url _logout_url_is_sso_enableddisable_expensive_db_queriesrs rhget_ui_settingsr3sIii 0$7O)).5K)+O,,-CD $ %!-001H%P$ 2 ::3 4 : : < F$( !*'!6&*CC " )E  sB9B;cjeZdZdZe d$dedeedeedeedeedeef d Ze d%deedeedeede fd Z ed e d edefd Z edee eeefdee eefdeedeedef dZedee eeefdee eeffdZededee eeefdeededfdZe d&dedeefdZe d&de eefdededeedef dZedeed eedeefd!Ze d%de eeefd e deedeed"eedef d#Zy)'r~zA Handler for SSO Authentication across all SSO providers Nrwr^r]r_rxrcK|ddlm}tjdd}|+t dt j dtj||||}tjd|d ||5|j| d{cdddS|dd l m }tjd d} tjd d} | +t dt j d tj||| | |d} | 5| j| d{cdddS|ddlm} ddlm} tjdd}tjddj%d}tjdd}tjdd}tjdd}|+t dt j dtj|+t dt j dtj|+t dt j dtj|+t dt j dtjtj&d|d|d |tj&d!|d"|d#| |||$}| d%|&}||||d|'}|5i}tjd(d}|r||d)<n%d*|vr!t)j*j,|d)<|jd,i|d{cdddSt/d+7#1swYt/d+xYw79#1swYt/d+xYw7J#1swYt/d+xYww)-aS Step 1. Call Get Login Redirect for the SSO provider. Send the redirect response to `redirect_url` Args: redirect_url (str): The URL to redirect the user to after login google_client_id (Optional[str], optional): The Google Client ID. Defaults to None. microsoft_client_id (Optional[str], optional): The Microsoft Client ID. Defaults to None. generic_client_id (Optional[str], optional): The Generic Client ID. Defaults to None. Returns: RedirectResponse: The redirect response from the SSO provider Nr GoogleSSOGOOGLE_CLIENT_SECRET1GOOGLE_CLIENT_SECRET not set. Set it in .env filerm)rrrz5In /google-login/key/generate, GOOGLE_REDIRECT_URI: z GOOGLE_CLIENT_ID: )rx MicrosoftSSOMICROSOFT_CLIENT_SECRETMICROSOFT_TENANT4MICROSOFT_CLIENT_SECRET not set. Set it in .env fileTrrtenantrrrrrrrrrrrrrrrrrrrrrrr)rrrGENERIC_CLIENT_STATErxoktazfUnknown SSO provider. Please setup SSO with client IDs https://docs.litellm.ai/docs/proxy/admin_ui_ssor)fastapi_sso.sso.googlerrXrYr rr|rrrrget_login_redirectfastapi_sso.sso.microsoftrrrrrrruuiduuid4hexr)rwr^r]r_rxrgoogle_client_secret google_ssormicrosoft_client_secretmicrosoft_tenant microsoft_ssorrrrrrrrrrredirect_paramss rhrz/SSOAuthenticationHandler.get_sso_login_redirectYs*  ' 8#%99-CT#J #+$O(330>>  #*2)J ! % %HVjk{j|}  H':::GG H H! , >&(ii0I4&P #!yy);TB &.$R(333>>  )-5')$( M K*==E=JJ K K  * > ?$&II.Et$L !IIo7MNTTM.0YY0$. *&(YY/G%N "(* 2Mt(T %$,$P(331>>  .5$Y(33:>>  &-$Q(332>>  )0$T(335>>  ! & &*+I*JJ\]s\tuJKdJef  ! & &(6KL]K^^`a *'E5";I *v)TK%+3)$(# K O #% "8$?/4OG,== (($G,<[;;NoNN O O t  EH HF t  YK KZ t  O O t  sA4N 6M M MA:N  M M!M$F(N  AM4'M2(M4+N MMN MM/!N 2M44N9N c|||yy)NTFr)r^r]r_s rhrz/SSOAuthenticationHandler.should_use_sso_handlers  (". ,rr?rtcddlm}|t|j}|j dr||z }|S|d|zz }|S)z. Get the redirect URL for SSO r)r5)rO/)rur5rZr[endswith)r?rtr5rws rhrz1SSOAuthenticationHandler.get_redirect_url_for_ssosU 7%s7;K;K7LM   % . .L C"44 4Lrrrrr!rcRK |A|j}|jjjd|id|id{|St j dt ||d{}|S727#t$r$}t jd||cYd}~Sd}~wwxYww)z Connects the SSO Users to the User Table in LiteLLM DB - If user on LiteLLM DB, update the user_email with the SSO user_email - If user not on LiteLLM DB, insert the user into LiteLLM DB Nrrr3z.user not in DB, inserting user into LiteLLM DB)r{r!z*Error upserting SSO user into LiteLLM DB: ) rr5r6 update_manyrrrrrB)rrrr!rrrs rhr(z(SSOAuthenticationHandler.upsert_sso_users $#++#&&88DD$g.lJ5OE %))D#2"((;#     & &)STUSV'W X  sdB'Ar@rTcftttttf|j d}|yt |tryt|dg}|j ddk(rI|j d}||vr4td|d|d|tjdtj y) a when ui_access_mode.type == "restricted_sso_group": - result.team_ids should contain the restricted_sso_group - if not, raise a ProxyException - if so, return True - if result.team_ids is None, return False - if result.team_ids is an empty list, return False - if result.team_ids is a list, return True if the restricted_sso_group is in the list, otherwise return False rETrrorestricted_sso_groupz)User is not in the restricted SSO group: z. User groups: z. Received SSO response: rm) r rr rrZrr%r&r rr|rr})r@rrrErrs rh#verify_user_in_restricted_sso_groupzD%D#D% E!D%#D%% E.E E EErrc0t|tr"t|}||d<||d<tdi|}|Sttj t rEttj }|j}|j|tdi|}|S)ac Casts and deepcopies the litellm.default_team_params to a NewTeamRequest object - Ensures we create a new DefaultTeamSSOParams object - Handle the case where litellm.default_team_params is a dict or a DefaultTeamSSOParams object - Adds the litellm_team_id and litellm_team_name to the DefaultTeamSSOParams object rrr) r%rrrrrDefaultTeamSSOParams model_dumpr7)rrrr _team_request_default_team_params_new_team_requests rhrzGSSOAuthenticationHandler._cast_and_deepcopy_litellm_default_team_paramss )4 0$%89M'6M) $*;M, '):M:L  335I J#+G,G,G#H , 7 7 9   $ $%9 :)>,=>Lrr@rAc2ddlm}m}||k(r |r|d|SdS)z Checks the request 'source' if a cli state token was passed in This is used to authenticate through the CLI login flow r)r;LITELLM_CLI_SOURCE_IDENTIFIERr<N)rOr;r)r@rAr;rs rhrz'SSOAuthenticationHandler._get_cli_states4 66300# 7  rrEc Kddl}ddlm}m}m}m} m} m} m} ddl m } m }ddl m }|d}tjd|t!|dd}| t!|ddnd}|pt#j$d [|j'd d }t#j$d j'd }||vrt)d ddj+||i|?|=t#j$dd}t!|dd}t!|dd}t!||d}|)|'t!|ddxsd}t!|ddxsd}||z}||t-|dk(r|}d}g}t.j0}t.j2}dt.j4iiddd}d}| 1t7j8| r| |d{}nt;d|t=||||d|}t>jA|||tC||| | |||d{}tE||}| tGdtjd||jI|d |d!<|d>i|d"d id{}|d#} |d$}|d%xstJjLjN}|r&tQ|tRrtU|||&d{}tjVd'|d(|tY|xsi}!|!r"t[|}"|"st)d d)d*|d+|it]}#| tS|j^d,-}$tad.rVd}%|,|d$'tc|d$|d%xs|gt.j4/}%|%t)d d)d0itejf|%} |titR|| ||d1| |jkd2d3|#tm4 }&|jotitp|&|xsdd56}'tjd7|d8|'|tQ|tRr|$d9z }$tjd:|$ts|$d;<}(|(jud#|'=|(S77V77w)?Nr)r@r^rArErruser_custom_sso)r5get_prisma_client_or_throw)ReturnedUITokenObjectz7Prisma client is None, connect a database to your proxyzSSO callback result: rrALLOWED_EMAIL_DOMAINS@r=rrNrnzZThe email domain={}, is not an allowed email domain={}. Contact your admin to change this.rCGENERIC_USER_ROLE_ATTRIBUTErrrKrrbzlitellm-dashboard)rdrerfrgrhrz,user_custom_sso must be a coroutine function)modelsrrr}rr~)r@rr)rrrrrr!r"r/zUnable to map user identity to known values. 'user_defined_values' is None. File an issue - https://github.com/BerriAI/litellm/issuesz)user_defined_values for creating ui key: rArcrirjrr)rrrz user_role: z; ui_access_mode: rBz,User not allowed to access proxy. User role=z , proxy mode=zui/rNEXPERIMENTAL_UI_LOGIN)rrrr}z6User Information is required for experimental UI loginssolitellm_key_header_name Authorization) rrArr login_methodrEauth_header_name(disabled_non_admin_personal_key_creationserver_root_pathHS256) algorithmz user_id: z ; jwt_token: z?login=successrLryrz)rArJr);jwtrWr@r^rArErrrrur5rlitellm.types.proxy.ui_ssorrrr&rXrYrrformatlenrrrrmr iscoroutinefunctionrr!r~rr,r0rr7rr.rJr%rZr9rr.r/rr[r7rr$(get_experimental_ui_login_jwt_auth_tokenr rr6encoderr set_cookie))rr?rr_rErr@r^rArErrrr5rrrrr email_domainallowed_domains generic_user_role_attribute_namer _first_name _last_nameruser_id_modelsrrdefault_ui_key_valuesr!rrAis_admin_only_access has_accessrlitellm_dashboard_ui _user_inforeturned_ui_token_object jwt_tokenredirect_responses) rhrZz:SSOAuthenticationHandler.get_redirect_response_from_openidss     SD2 E !!$9&"BC$+FGT$B +1+=GFD$ '4   !bii0G&H&T%++C03L ii(?@FFsKO?2# #!#$G$G(/$  (V-?/1yy-v0 ,fdD1G $7J(H$OI ?v1!&,;ArK b9?RJ!J.G  !w#g,!:K G !#*#C#C (/(M(M% %;;* 1 ?C  &**?;,;F,C&C# !OPP  "6%%3 = #  !DD-/ E 0'1/! 3%  P5H   &X  !!78K7L M  $$%8905n-/ #    w9% , >77==  z'3/@#WMI "")$6~6F G  :.:NBO ,Y7J# ##OPY{Zghvgw!x 9 : 1 . !1!12%  2 36:J#/' 2>./ :1+>K)&<<  !# #!Y)QQC$9g&!%-11)?6^13 $  JJ / 0  " !!IgYmI;"OP  :gs#; $4 4 !!O4H3I"JK,1ESVW$$ $B  K'D( 2 sLF4Q&6Q7AQ&QAQ&#Q $AQ&6Q#7F$Q&Q& Q&#Q&)NNNNNNNN) r __module__ __qualname____doc__ staticmethodrZrrrrrrrr r2r:rrrr!r3r(r)rLiteralrrrrrrrZrrrhr~r~Ts8+/-1+/# L L "3-L &c]L $C= L } L " # L L \*.-1+/ "3- %c] $C=      |VT9:;E/3D"DEFSM&&:;  $ BP|VT9:;PE/3D"DEFPP$##|VT9:;#$D>#  ##J,0;P;P#C=;P;Pz ,0 "#7#=>$$C=   2 x} 8C= Xc]  "-1+/)- W!fdL01W!W!$D>W!$C= W! ! W!  W!W!rr~ceZdZdZdZedZ dZdZe dde de de d e d e e eeff d Zed eed ee d e fdZe ddee d ee fdZede deded eee ee ffdZed ed ee fdZed ed efdZe dde dedee d eee eeffdZedeefdZy)rXzS Handles Microsoft SSO callback response and returns a CustomOpenID object https://graph.microsoft.com/v1.0z /me/memberOfrSgraph_api_user_groupsr?r]rwreturn_raw_sso_responserc:Kddlm}tjdd}tjdd}|+t dt j dtj|+t dt j dtj|||||d }|j|d d{xsi}tj|j d{} |r| |tj<|xsiStj|| } | S7d7:w)z Get the Microsoft SSO callback response Args: return_raw_sso_response: If True, return the raw SSO response rrrNrrrmz-MICROSOFT_TENANT not set. Set it in .env fileTrFr?convert_response) access_token)rr)rrrXrYr rr|rrrrXget_user_groups_from_graph_apirGRAPH_API_RESPONSE_KEYopenid_from_response) r?r]rwr rrrroriginal_msft_result user_team_idsrs rhrYz3MicrosoftSSOHandler.get_microsoft_callback_responsesJ ;"$)),Et"L99%7> " * N$///::    # G$//(::   %)1#% $   22!&3   2PP&33Q  # !!4!K!K L(-2 -$99)":  -  s$B0D2D3+DD9DDrrc R|xsi}tjd|t|jdxs|jd|jdd|jd|jd|jd| }tjd ||S) Nz!Microsoft SSO Callback Response: userPrincipalNamemail displayName microsoftr givenNamesurname)rrrrrrrzMicrosoft SSO OpenID Response: )rrr2r)rropenid_responses rhrz(MicrosoftSSOHandler.openid_from_responses>r""%Fxj#QR&,,23Kx||F7K!m4 ||D!||K0ll9-  ""%D_DU#VWrNrc~K ttj}tjdd}g}g}|rgt j |||d{\}}tjd|t|dkDrt j|d{g}t j}dd |i}d}|b|t jkrOt j||| d{\} }|j| |d z }||t jkrO|:|t jk\r'tjd t jd |r!t|dkDr|D cgc]} | |vr|  }} |S7,77cc} w#t $r$} tj"d| gcYd} ~ Sd} ~ wwxYww)a Returns a list of `team_ids` the user belongs to from the Microsoft Graph API Args: access_token (Optional[str]): Microsoft Graph API access token Returns: List[str]: List of group IDs the user belongs to ) llm_providerMICROSOFT_SERVICE_PRINCIPAL_IDN)service_principal_id async_clientrzService principal group IDs: r)service_principal_teamsrBearer )r{rr!r=zReached maximum page limit of z". Some groups may not be included.z4Error getting user groups from Microsoft Graph API: )rr SSO_HANDLERrXrYrX$get_group_ids_from_service_principalrrr4create_litellm_teams_from_service_principal_team_idsgraph_api_user_groups_endpointMAX_GRAPH_API_PAGESfetch_and_parse_groupsrwarningrrB) rr!r service_principal_group_idsr" all_group_ids next_link auth_headers page_count group_idsgroup_idrs rhrz2MicrosoftSSOHandler.get_user_groups_from_graph_apis B 11==L $&99-Mt#T ?A 'UW ##.RR)=!-!-S/+ %**34O3PQ23a7-bb0Gc M#BB ,w|n-EFLJ%!4!H!HH-@-W-W!>! ! ! _ ( !  & &FqcJ I  sF=AF FAF FAF ,F-2F AF 0 F=F F=F F F F F:F5/F:0F=5F::F=r{rr!cK|j||d{}|j}tj|d{}tj |}||jdfS7[7/w)z8Helper function to fetch and parse group data from a URLrN)rodata_nextLink)rjsonrX_cast_graph_api_response_dict&_get_group_ids_from_graph_api_response)r{rr!r response_jsonresponse_typedr0s rhr)z*MicrosoftSSOHandler.fetch_and_parse_groupsYs &))#w)??  2PP" Q  (NN#O .,,-=>>>@ s!A9A5-A9A7.A97A9cg}|jdgxsgD]'}|jd}||j|)|S)NrJr)rr$)rr0_object _group_ids rhr7z:MicrosoftSSOHandler._get_group_ids_from_graph_api_responsehsP ||GR06B6G D)I$  +7rc Kg}|jdgD]|}|jt|jd|jd|jd|jd|jd|jd~t|jd |jd | Sw) NrJz @odata.typerdeletedDateTime descriptionrroleTemplateId) odata_typerr>r?rr@z@odata.contextz@odata.nextLink) odata_contextr4rJ)rr$)MicrosoftGraphAPIUserGroupDirectoryObject"MicrosoftGraphAPIUserGroupResponse)rdirectory_objectsr;s rhr6z1MicrosoftSSOHandler._cast_graph_api_response_dictssNP||GR0G  $ $9&{{=9{{4($+KK0A$B ' M : ' M :#*;;/?#@  12",,'78#<<(9:#  sCCr c Kd}d|d}||z}d|dd}|j||d{}|j}tjd |g} g} |jd gD]q} | jd d k(s| j | jd | j t | jd| jd s| | fS7w)z Gets the groups belonging to the Service Principal Application Service Principal Id is an `Enterprise Application` in Azure AD Users use Enterprise Applications to manage Groups and Users on Microsoft Entra ID r z/servicePrincipals/z/appRoleAssignedTor#zapplication/json)rz Content-Typer3Nz6Response from service principal app role assigned to: rJ principalTypeGroup principalIdprincipalDisplayName)rJrI)rr5rrr$MicrosoftServicePrincipalTeam) r r!rr[endpointr{rrr8r0r"r;s rhr%z8MicrosoftSSOHandler.get_group_ids_from_service_principals 6()=(>>PQ! '|n5.  &))#w)??  ""D]O T  " GI$(("5G{{?+w6  ]!;<'..1-4[[9O-P$+KK $> 6111)@s,C+C)AC+ A!C+r"cKtjd||D]_}|jd}|jd}|stjd|dAtj ||d{ay7w)z Creates Litellm Teams from the Service Principal Group IDs When a user sets a `SERVICE_PRINCIPAL_ID` in the env, litellm will fetch groups under that service principal and create Litellm Teams from them z5Creating Litellm Teams from Service Principal Teams: rIrJzSkipping team creation for z because it has no principalId)rrN)rrrr~r)r"service_principal_teamrrs rhr&zHMicrosoftSSOHandler.create_litellm_teams_from_service_principal_team_idss ""CD[C\ ] '> "-C-G-G -VO/E/I/I&0 #$**12C1DDbc*MM /"3N  '> sA6B8B9BFr)rrrrgraph_api_base_urlr'r(rrrrZrr r2r:rrYrrrrrr r)rDr7r6rKr%r&rrrhrXrXs<(:';<%H"5 ). << <<"& < |VT) * <<|4.,0I "&*NsmN cNN` ?  ? ?/? ? tCy(3-' ( ? ?4 c  +  *'+*2!*2&*2sm*2 tCy$<== > *2*2X!%&C!DrrXcDeZdZdZe d dededededee e ff dZ y) rVzP Handles Google SSO callback response and returns a CustomOpenID object r?r^rwr rc:Kddlm}tjdd}|+t dt j dtj||||}|r|j|d d{xsiS|j|d{}|xsiS7'7 w) z Get the Google SSO callback response Args: return_raw_sso_response: If True, return the raw SSO response rrrNrrm)rrrFr ) rrrXrYr rr|rrr)r?r^rwr rrrrs rhrWz-GoogleSSOHandler.get_google_callback_responses 5!yy)?F  ' K$//,::   &%.  # 33#%*4  "44W==|>s$A-B/B0B B BBNrO) rrrrrrrZrr r:rrWrrrhrVrVsW ). ''''"& ' vt|  ''rrVz/sso/debug/logincKddlm}tjdd}tjdd}tjdd}|||/|dur+t dt j d tj tj|d }tj||| dur!tj||||d{Sy7w)z Create Proxy API Keys using Google Workspace SSO. Requires setting PROXY_BASE_URL in .env PROXY_BASE_URL should be the your deployed proxy endpoint, e.g. PROXY_BASE_URL="https://litellm-production-7002.up.railway.app/" Example: rrDrFNrGrHTrlrErmsso/debug/callbackrsrv)rwr]r^r_) rWrErXrYr rr|rr}r~rrr)r?rEr]r^r_rws rhdebug_sso_loginrUs8))$94@yy!3T: "5t< '  '  ( t # X$//$..  ,DD/EL !77 3-/ 8   .DD% 3-/ E     sC C CC/sso/debug/callbackc Kddl}ddlm}ddlm}ddlm}ddlm}m }m }m }d} |jdd} | St| trC|} | j||||jdijdd d t!j"d d} t!j"d d} t!j"d d} t!j"dt%|j&}|j)dr|dz }n|dz }d}| "t*j-|| |dd{}nA| "t.j1|| |dd{}n| t3||| || d{\}}| |ddSt5|dr |j6}n t|}i}|j9D]Q\}}| |j;drt|t$t<t>t@fs||||<C t%|||<StEjFdd|jI|dd }||!S777#tB$r}dt%|||<Yd}~d}~wwxYww)"z@ Returns the OpenID object returned by the SSO provider rNrQr>r')r@rrrrErFrGrIrFrGrHrrrTrVT)r?r^rwr )r?r]rwr rMzT

SSO Authentication Failed

No data was returned from the SSO provider.

rarT__dict___z!Complex value (not displayable): zconst userData = SSO_DATA;zconst userData = )indent;)rU)%r5r\rRrRr?rSr(rWr@rrrrr%rrUrXrYrZr[rrVrWrXrYrhasattrrXitemsrPintfloatrrr,replacedumps)r?r5rRr?r(r@rrrrrEr]r^r_rwrrY result_dictfiltered_resultrArJrros rhdebug_sso_callbackre5s .48-1O%))*:DAN!j&F$,**'1+#3#7#78H"#M#Q#Q)4$  + ))$94@yy!3T: "5t<99-s73C3C/DELS!,, -- F#'DD-%$( E    (*JJ 3%$( K    &2#/%+   ~j  vz"oo 6l O!'') U  S^^C%8%#sE4!89U]',$X+.u:OC(*(//$ DJJqJAB!DL  --o   >!X-NsSTvh+WOC(XsmD3I45I6#I4I I44I 5AI4I4(I4I 7I4 I4 I4 I1I,'I4,I11I4cLK |jd{}|jd}|jd}|r|s tddSddlm}||d{S7M7#t $r/}t jd |tddcYd}~Sd}~wwxYww) zE Process username/password login from the unified login page Nusernamepasswordz/sso/key/generate?error=1ryrzr)rMzError processing login: )formrrrWrMrrrB)r? form_datargrhrMrs rh process_loginrks R!,,.( ==,==,x#(CQTU U 57^##)$ R""%=aS#AB$?SQQRsbB$A)A%6A)B$A) A'!A)$B$%A)'A)) B!2$BB!B$B!!B$r)NNr)mrr rXrcopyrtypingrrrrrr r r fastapir r rrrr\rrlitellm._loggingrlitellm.cachingrrOr&litellm.llms.custom_httpx.http_handlerrrrrRrrrrrrrrr r!r"r#litellm.proxy.auth.auth_checksr$r%litellm.proxy.auth.auth_utilsr&rSr($litellm.proxy.auth.user_api_key_authr))litellm.proxy.common_utils.admin_ui_utilsr*r+:litellm.proxy.common_utils.html_forms.jwt_display_templater,:litellm.proxy.management_endpoints.internal_user_endpointsr-3litellm.proxy.management_endpoints.sso_helper_utilsr.r/1litellm.proxy.management_endpoints.team_endpointsr0r1(litellm.proxy.management_endpoints.typesr2rur3r4r5r6litellm.secret_managers.mainr7r8/litellm.types.proxy.management_endpoints.ui_ssorr:routerrrZrirrrrrrrr r,r0r9r\rQrzrrr~rXrVrUrepostrkrrrhrs  OOOFF.1%8    S=4BPXA F=+$  ~&6%P! E E SME #E C= EQED L/5IIMKJ KJ&smKJ9A#KJJKJb-1--j)-`m+ m+m+m+  m+m+ 5  ./m+` $ _&778 EI#Y 25 c]  "  $   @(,C ,, -CC"C$ C  C ""67 C }Ce%678CL/@AB!"67"#" 19,1G.O>"2eL^^#^M^B0YG0Y(3-0Yf $N+;uU  s  V  J;?:E&$,/0:!"67::z  +,-   7  6P !P !fiiX --` n%5O. 7. P. b !(8ERc.gc.Sc.L '75QRRRRr