gw dZddlZddlZddlZddlmZmZmZmZm Z m Z ddl m Z m Z mZmZmZddlmZddlZddlmZddlmZddlmZmZmZmZmZmZmZm Z m!Z!dd l"m#Z#dd l$m%Z%dd l&m'Z'dd l(m)Z)m*Z*m+Z+dd l,m-Z-ddl.m/Z/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6erddl7m8Z8nddlmZ8e Z9e9juddgddefdZ;de%fdZd Z?d!ed"ee=fd#Z@d$ZAe9jud%dgddefd&ZB d-d'e e8d(e edefd)ZCe9jud*dgde e'g+defd,ZDy).z Has all /sso/* routes /sso/key/generate - handles user signing in with SSO and redirects to /sso/callback /sso/callback - returns JWT Redirect Response that redirects to LiteLLM UI N) TYPE_CHECKINGAnyDictListOptionalcast) APIRouterDepends HTTPExceptionRequeststatus)RedirectResponse)verbose_proxy_logger)MAX_SPENDLOG_ROWS_TO_QUERY) LitellmUserRolesMemberNewUserRequestNewUserResponseProxyErrorTypesProxyExceptionSSOUserDefinedValuesTeamMemberAddRequestUserAPIKeyAuth)_has_user_setup_sso) JWTHandler)user_api_key_auth)admin_ui_disabled html_formshow_missing_vars_in_env)new_user)check_is_admin_only_accesshas_admin_ui_access)team_member_add) CustomOpenID) str_to_bool)OpenID)rz/sso/key/generate experimentalF)tagsinclude_in_schemarequestc: Kddlm}tjdd}tjdd}tjdd}tjd}|t |}|r t S|||/|d ur+t d tjd tj t}||Stjd t|j}tjd} |jdr|dz }n|dz }|ddlm} tjdd} | +t dtjdtj" | || |} t%j&d|d|| 5| j)d{cdddS|ddlm} tjdd}tjdd}|+t dtjdtj" | ||||d }|5|j)d{cdddS|ddlm}ddlm}tjdd}tjd d!j7d"}tjd#d}tjd$d}tjd%d}|+t d&tjdtj" |+t d'tjd#tj" |+t d(tjd$tj" |+t d)tjd%tj" t%j8d*|d+|d,|t%j8d-|d.|d/||||0}|d1|2}||||d |3}|5i}tjd4d}|r||d5<n%d6|vr!t;j<j>|d5<|j(d:i|d{cdddS| dd7l m!}|tDd89Sdd7l m!}|tDd89S7#1swYyxYw7N#1swYyxYw7U#1swYyxYww);z Create Proxy API Keys using Google Workspace SSO. Requires setting PROXY_BASE_URL in .env PROXY_BASE_URL should be the your deployed proxy endpoint, e.g. PROXY_BASE_URL="https://litellm-production-7002.up.railway.app/" Example: r) premium_userMICROSOFT_CLIENT_IDNGOOGLE_CLIENT_IDGENERIC_CLIENT_IDDISABLE_ADMIN_UI)valueTa}You must be a LiteLLM Enterprise user to use SSO. If you have a license please set `LITELLM_LICENSE` in your env. If you want to obtain a license meet with us here: https://calendly.com/d/4mp-gd3-k5k/litellm-1-1-onboarding-chat You are seeing this error message because You set one of `MICROSOFT_CLIENT_ID`, `GOOGLE_CLIENT_ID`, or `GENERIC_CLIENT_ID` in your env. Please unset thisr,messagetypeparamcodePROXY_BASE_URL UI_USERNAME/ sso/callback /sso/callback GoogleSSOGOOGLE_CLIENT_SECRET1GOOGLE_CLIENT_SECRET not set. Set it in .env file) client_id client_secret redirect_uriz5In /google-login/key/generate, GOOGLE_REDIRECT_URI: z GOOGLE_CLIENT_ID:  MicrosoftSSOMICROSOFT_CLIENT_SECRETMICROSOFT_TENANT4MICROSOFT_CLIENT_SECRET not set. Set it in .env filer@rAtenantrBallow_insecure_httpDiscoveryDocumentcreate_providerGENERIC_CLIENT_SECRET GENERIC_SCOPEopenid email profile GENERIC_AUTHORIZATION_ENDPOINTGENERIC_TOKEN_ENDPOINTGENERIC_USERINFO_ENDPOINT2GENERIC_CLIENT_SECRET not set. Set it in .env file;GENERIC_AUTHORIZATION_ENDPOINT not set. Set it in .env file3GENERIC_TOKEN_ENDPOINT not set. Set it in .env file6GENERIC_USERINFO_ENDPOINT not set. Set it in .env fileauthorization_endpoint:  token_endpoint:  userinfo_endpoint: GENERIC_REDIRECT_URI:  GENERIC_CLIENT_ID:  authorization_endpointtoken_endpointuserinfo_endpointoidc)namediscovery_documentr@rArBrJscopeGENERIC_CLIENT_STATEstateokta) HTMLResponse)content status_code)#litellm.proxy.proxy_serverr,osgetenvr%rrr auth_errorr HTTP_403_FORBIDDENrstrbase_urlendswithfastapi_sso.sso.googler=HTTP_500_INTERNAL_SERVER_ERRORrinfoget_login_redirectfastapi_sso.sso.microsoftrDfastapi_sso.sso.baserLfastapi_sso.sso.genericrNsplitdebuguuiduuid4hexfastapi.responsesrlr)r*r,microsoft_client_idgoogle_client_idgeneric_client_id_disable_ui_flag is_disabledmissing_env_vars redirect_url ui_usernamer=google_client_secret google_ssorDmicrosoft_client_secretmicrosoft_tenant microsoft_ssorLrNgeneric_client_secret generic_scopegeneric_authorization_endpointgeneric_token_endpointgeneric_userinfo_endpoint discovery SSOProvider generic_ssoredirect_paramsrjrls ^/var/www/openai/venv/lib/python3.12/site-packages/litellm/proxy/management_endpoints/ui_sso.py google_loginr7s8))$94@yy!3T: "5t<yy!34#!(89 $& & '  '  ( t # X$//$..  01#99-s73C3C/DEL))M*KS!& ' #4!yy)?F  ' K$//,::   &.% !!D\NRfgwfx y #6688Z  (:"$)),Et"L99%7> " * N$///::   %)1#% $  &99;;]  &:; " *A4 H /3IJPPQTU )+ ,d* &"$+CT!J$&II.I4$P! ( L$//-::   * 1 U$//6::   " ) M$//.::   % , P$//1::   ""&'E&FFXYoXpqFG`Fa b  ""$\N2GHYGZZ\ ] &#A17 &6iP !'/% $   !OII4d;E+0(99JJL$$ (877J/JJ[   3I3??2I3??S9Z.<]TK[sFR Q2Q/Q2"A:RR0Q>1R4F(RAR7R 8R;4R/Q22Q;7R>RR R RRR jwt_handlercRtjdd}tjdd}tjdd}tjdd}tjd d }tjd d }tjd |d|t |j ||j ||j ||j ||j ||j ||j tt|S)NGENERIC_USER_ID_ATTRIBUTEpreferred_username#GENERIC_USER_DISPLAY_NAME_ATTRIBUTEsubGENERIC_USER_EMAIL_ATTRIBUTEemail!GENERIC_USER_FIRST_NAME_ATTRIBUTE first_name GENERIC_USER_LAST_NAME_ATTRIBUTE last_nameGENERIC_USER_PROVIDER_ATTRIBUTEproviderz! generic_user_id_attribute_name: z% generic_user_email_attribute_name: )id display_namerrrrteam_ids) rrrsrrr$getget_team_ids_from_jwtrdict)responsergeneric_user_id_attribute_name(generic_user_display_name_attribute_name!generic_user_email_attribute_name&generic_user_first_name_attribute_name%generic_user_last_name_attribute_namegeneric_provider_attribute_names rgeneric_response_convertorrs'%'YY#%9&"02yy-u0,)+ &)%.0YY+\.*-/II*K-)')ii):'# +,J+KKqsTrU V  <<6 7\\"JKll<=<< FG,,DE=>224h3GH rrreturnc0Kddlm}ddlm}t j dd}t j ddj d}t j dd}t j d d} t j d d} t j d d jd k(} |+tdtjdtj|+tdtjdtj| +tdtjd tj| +tdtjd tjtjd|d| d| tjd|d|d||| | } fd} |d| | }||||d|}tjd|j|d | i!d{}tjd"||S7w)#NrrKrMrOrPrQrRrSrTrUGENERIC_INCLUDE_CLIENT_IDfalsetruerVr2rWrXrYrZr[r\r]r^r_r`ct|S)N)rr)r)rclientrs rresponse_convertorz4get_generic_sso_response..response_convertorFs)#  rrd)rerfrTrgz&calling generic_sso.verify_and_processinclude_client_id)paramszgeneric result: %s)r~rLrrNrrrsrlowerrrrtr rzrrverify_and_process)r*rrrrLrNrrrrrgeneric_include_client_idrrrrresults ` rget_generic_sso_responser sK77II&=tDIIo/EFLLSQM%'YY/OQU%V"YY'?F " *Et L -w7==?6I$H ++)66   &-Q ++266   %I ++*66   !(L ++-66    "#A"BBTUkTlmBC\B] ^ .CDUCVVXY"=-3I  " $-K #+!  KGH11,.GH2F3V< M sG4H7H8Hc *K t|jd}t||}t|t t j tddd d {S7#t$r"}tjd |Yd }~y d }~wwxYww) z,Create a task for adding a member to a team.user)user_idrole)memberteam_id) user_rolehttpr;)r4path)rh)datauser_api_key_dict http_requestN3[Non-Blocking] Error trying to add sso user to db: ) rrrr#rr PROXY_ADMINr Exceptionrr)r user_inforteam_member_add_requestes rcreate_team_member_add_taskr`s  1 1?"6# %(,7G7S7ST 'PQ     ""A! E   sABAA%A#A%"B#A%% B.B B BBr sso_teamscTK|jyt|t|jz }t|}g}|Dcgc]}t||}} t j |d{ycc}w7 #t $r"}tjd|Yd}~yd}~wwxYww)zq - Get missing teams (diff b/w user_info.team_ids and sso_teams) - Add missing user to missing teams Nr) teamssetlistrasynciogatherrrr)rr missing_teamsmissing_teams_listtasksrrs radd_missing_team_memberrss  NS%99Mm, E* )G $GY7)    nne$$$   %  ""A! E   sNAB(A3B(A:-A8.A:2B(8A:: B%B B( B%%B(ctj}|y|jdxsi}|jdxsg}td|vS)NFpersonal_key_generationallowed_user_roles proxy_admin)litellmkey_generation_settingsrbool)rrrs r,get_disabled_non_admin_personal_key_creationrsZ%==&##$=>D"1445IJPb  !33 44rr;c Kddlm}ddlm}m}m}m}m}m}m }tjdd} tjdd} tjdd} |+tdtjd tj tjd t#|j$} | j'd r| d z } n| dz } d} | nddlm}tjdd}|+tdtjdtj || | |}|j-|d{} n| ddlm}tjdd}tjdd}|+tdtjdtj |+tdtjdtj || ||| d}|j-|d{} n| t3||| | d{} t5| dd}| t5| ddnd}|ptjd[|j7dd}tjdj7d }||vrt9d!d"d#j;||i$| ?| =tjd%d&}t5| dd}t5| dd}t5| |d}|)| 't5| d'd(xsd(}t5| d)d(xsd(}||z}||t=|dk(r|}d}g}t>j@}t>jB} d*t>jDiidd+d,}!d}"|1tGjH|r|| d{}"ntKd-|tM||||d| .}"|}#d} |X|jO|d/0d{}tQjRd1|d2t>jT|0|jVjXj[d3|i4d{}||tMt5|d5||t5|d3|t5|d6dt5|d7|t5|d8| 9}"t5|d6d}|jVjXj]d3|id:|i;d{n3t_| |"<d{}|j`xstbjd}t5| d=g}$tg||$>d{|" tid@tQjjdA|"|!jm|"dB|!dC<|dWi|!dDdBid{}&|&dE}'|&d:}||#k(sJdF}(|xstbjdjn}tjdGd0tjpdG|k(rtbjrjn}tQjRdH|dI|tu|})|)r"tw|}*|*st9d!dJdK|dL|i$ty}+ddl=},|,j}||'||dM||jdNdO|+dP|dQR}-|t|t"r|(dS|zz }(t|(dTU}.|.jdE|-dV|.S7O77777~777#th$r#}%tQjRd?|%Yd}%~%d}%~%wwxYw7w)Xz Verify loginr)generate_key_helper_fn)general_settingsr master_keyr, prisma_clientui_access_modeuser_custom_ssor-Nr.r/zMaster Key not set for Proxy. Please set Master Key to use Admin UI. Set `LITELLM_MASTER_KEY` in .env or set general_settings:master_key in config.yaml. https://docs.litellm.ai/docs/proxy/virtual_keys. If set, use `--detailed_debug` to debug issue.rr2r7r9r:r;r<r>r?)r@rBrArCrErFrGz-MICROSOFT_TENANT not set. Set it in .env fileTrH)r*rrrrrALLOWED_EMAIL_DOMAINS@,ir3zZThe email domain={}, is not an allowed email domain={}. Contact your admin to change this.)rodetailGENERIC_USER_ROLE_ATTRIBUTErrr24hrzlitellm-dashboard)durationkey_max_budgetaliasesconfigspendrz,user_custom_sso must be a coroutine function)modelsr user_email max_budgetrbudget_durationr)r table_namez user_info: z(; litellm.default_internal_user_params: r)whererrrr)rrrrrrr)r r) result_openiduser_defined_valuesr)rrrzUnable to map user identity to known values. 'user_defined_values' is None. File an issue - https://github.com/BerriAI/litellm/issuesz)user_defined_values for creating ui key: key request_typertokenz/ui/PROXY_ADMIN_IDz user_role: z; ui_access_mode: errorz,User not allowed to access proxy. User role=z , proxy mode=ssolitellm_key_header_name Authorization)rr rr login_methodr,auth_header_name(disabled_non_admin_personal_key_creationHS256) algorithmz?userID=i/)urlro)r r1securerp)C;litellm.proxy.management_endpoints.key_management_endpointsrrqrrrr,rrrrrrsrrrtr rzrvrwrxryr=rr}rDrgetattrrr formatlenrmax_internal_user_budgetinternal_user_budget_durationmax_ui_session_budgetriscoroutinefunction ValueErrorrget_datarrdefault_internal_user_paramsdblitellm_usertable find_first update_manyinsert_sso_userrrINTERNAL_USER_VIEW_ONLYrrr{updater1environrr!r"rjwtencoder isinstancer set_cookie)/r*rrrrr,rrrrrrrrr=rrrDrrrrr email_domainallowed_domains generic_user_role_attribute_namer _first_name _last_nameruser_id_modelsrr default_ui_key_valuesr _user_id_from_ssorrrr litellm_dashboard_uiis_admin_only_access has_accessrr. jwt_tokenredirect_responses/ r auth_callbackr?s))$94@yy!3T: "5t<P ++66   99-s73C3C/DELS!& ' F#4!yy)?F  ' K$//,::   &%. "44W==  (:"$)),Et"L99%7> " * N$///::    # G$//(::   %)1#% $  %77@@  &/#/%   !( >J2BC6nE(3 KI;Vcdrcst  56- $"!( 0 4 4)?!9a  I z'37 W 44(-AsS  WId K C>6A v#@"Y *  T  ""A! E   sD9[;Z Z?'['Z%ZAZ%ZB Z%'Z(Z%=Z>?Z%=Z">Z%A [ [ D>[ [[[Z%Z%Z%Z%"Z%% [.[ [ [[r r ctKtjd|| tdtjr|j tj|j dtjjk(rH|j dtj|d<|j dtj|d<|dtj|d<t|d|d|d|d|d }|rd |ji|_t!|t# d{}|S7w) ar Helper function to create a New User in LiteLLM DB after a successful SSO login Args: result_openid (OpenID): User information in OpenID format if the login was successful. user_defined_values (Optional[SSOUserDefinedValues], optional): LiteLLM SSOValues / fields that were read Returns: Tuple[str, str]: User ID and User Role z)Inserting SSO user into DB. User values: Nzuser_defined_values is Nonerrrrr)rrrrr auth_provider)rr)rrr#rr%r,rr INTERNAL_USERr1rr r+rrmetadatar r)r r new_user_requestrs rr*r*sF 34G3HI"677++""7#G#GH{+/?/M/M/S/SS  " "< 0 8070P0P  -  " "#4 5 =55 1 2;'/+;+S+SK(%#I.&|4%k2&|4+,=> %4m6L6L$M!#3~GWXXH OYsD-D8/D60D8z/sso/get/ui_settings)r(r) dependenciesczKddlm}m}tjdd}tjdd}t }|j dtkD}|jdd}dtjvr&tjdjd k(rd }|||||j d|d Sw) Nr)r proxy_stater7PROXY_LOGOUT_URLspend_logs_row_countdefault_team_disabledFPROXY_DEFAULT_TEAM_DISABLEDrT)r7rHDEFAULT_TEAM_DISABLED SSO_ENABLEDNUM_SPEND_LOGS_ROWSDISABLE_EXPENSIVE_DB_QUERIES) rqrrGrrrsrget_proxy_state_variablerrr-r)r*rrG_proxy_base_url _logout_url_is_sso_enableddisable_expensive_db_queriesrJs rget_ui_settingsrUsIii 0$7O)).5K)+O,,-CD $ %!-001H%P$ 2 ::3 4 : : < F$( !*'!6&*CC " )E  sB9B;)N)E__doc__rrrrtypingrrrrrrfastapir r r r r rrrlitellm._loggingrlitellm.constantsrlitellm.proxy._typesrrrrrrrrrlitellm.proxy.auth.auth_utilsrlitellm.proxy.auth.handle_jwtr$litellm.proxy.auth.user_api_key_authr)litellm.proxy.common_utils.admin_ui_utilsrrr:litellm.proxy.management_endpoints.internal_user_endpointsr 3litellm.proxy.management_endpoints.sso_helper_utilsr!r"1litellm.proxy.management_endpoints.team_endpointsr#(litellm.proxy.management_endpoints.typesr$litellm.secret_managers.mainr%r~r&routerrrrrvrrrrr?r*rUrprrrfs AAFF.18   >4B PNA4+$  ~&6%Pk@k@Qk@\"j"JR RRR R f Rj & _ c .5O>"2eLRRMRn;?1F#1!"6711h  +,-   7  r