Okta/SSO

[vladfr1]

Great tool, the team is having a lot of fun with it!! We got everything working with Azure AD.

Any thoughts on a more generic SSO implementation that could support any auth platform? i.e. Okta (our particular use case)?

[danny-avila]

Implementing Auth0 would be pretty involved but not impossible. The original intent with not using Auth0 was to not exclude users in regions where Auth0 is not supported.

[danny-avila]

Revisiting this, FWIW, Okta is working as an OpenID option, i can write a guide soon

[vladfr1]

That would be awesome. I am happy to to be a tester.

[danny-avila]

A very quick guide while it's still fresh:

I started with a fresh trial account, and added one user besides myself.

You can setup the app with Okta CLI but you can also do this through Okta's dashboard. I used the CLI.

For the CLI, you need an API key. You can create one via Security > API > Tokens

While we're here, we also need to make sure our Authorization Server has an Access Policy. Unless you are well familiar with this, this is what I did with the default server:

1. Goto Authorization Servers tab, click "default" hyperlink
   

2. Goto Access Policies and create a lenient policy, or however you see fit.
   

Back to the CLI

Start terminal from project directory. Assuming you already have an account, run okta login. Then, run okta apps create.

• Select the default app name (LibreChat), or change it as you see fit.
• Type of Application: Choose Web and press Enter.
• For Framework of Application: Select Other.
• Then, the Redirect URI should be http://localhost:3080/oauth/openid/callback
• use http://localhost:3080/login for the Logout Redirect URI.

It should save an .okta.env file once complete:

Okta application configuration has been written to: /home/danny/LibreChat/.okta.env

export OKTA_OAUTH2_ISSUER="https://trial-ID.okta.com/oauth2/default"
export OKTA_OAUTH2_CLIENT_ID="someID"
export OKTA_OAUTH2_CLIENT_SECRET="someSECRET"

Now, in our LibreChat .env file, we use these values like this:

# OKTA TEST
OPENID_CLIENT_ID=someID
OPENID_CLIENT_SECRET=someSECRET
OPENID_ISSUER=https://trial-ID.okta.com/oauth2/default
OPENID_SESSION_SECRET=secret # you can change this to whatever you'd like, should be some "secret" value
OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback

In our LibreChat .env file, Double check these values correspond to your deployment URL:

DOMAIN_CLIENT=http://localhost:3080
DOMAIN_SERVER=http://localhost:3080

By default the Okta CLI creates an app that assigns to all users. You may need to review all the bells & whistles Okta offers for this and adjust to your needs.

That's it! You should be able to login with Okta now.