Update token_auth.md for additional custom validate context

Tyler Wagner 2025-03-11 12:59:01 -07:00 committed by GitHub
parent 79eb4d714f
commit f5bb60951d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -53,7 +53,7 @@ Create a client scope called `litellm_proxy_admin` in your OpenID provider (e.g.
Grant your user, `litellm_proxy_admin` scope when generating a JWT. Grant your user, `litellm_proxy_admin` scope when generating a JWT.
```bash ```bash
curl --location ' 'https://demo.duendesoftware.com/connect/token'' \ curl --location 'https://demo.duendesoftware.com/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={CLIENT_ID}' \ --data-urlencode 'client_id={CLIENT_ID}' \
--data-urlencode 'client_secret={CLIENT_SECRET}' \ --data-urlencode 'client_secret={CLIENT_SECRET}' \
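Review bot: the quoting fix on the URL is correct, but the prose above the snippet says "your OpenID provider (e.g. Keycloak)" while the example posts to https://demo.duendesoftware.com/connect/token, a public demo IdentityServer; say explicitly that readers must substitute their own provider's token endpoint so the demo host is not mistaken for something LiteLLM operates. Also, `--location` makes curl follow redirects, and on a 307/308 it re-POSTs the form body, including `client_secret`, to wherever the redirect points; for a token request against a fixed endpoint it is safer to drop that flag.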
@ -68,7 +68,7 @@ curl --location ' 'https://demo.duendesoftware.com/connect/token'' \
Create a JWT for your project on your OpenID provider (e.g. Keycloak). Create a JWT for your project on your OpenID provider (e.g. Keycloak).
```bash ```bash
curl --location ' 'https://demo.duendesoftware.com/connect/token'' \ curl --location 'https://demo.duendesoftware.com/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={CLIENT_ID}' \ # 👈 project id --data-urlencode 'client_id={CLIENT_ID}' \ # 👈 project id
--data-urlencode 'client_secret={CLIENT_SECRET}' \ --data-urlencode 'client_secret={CLIENT_SECRET}' \
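Review bot: the inline annotation `\ # 👈 project id` on the `client_id` line breaks the snippet when pasted into a shell: the backslash escapes the following space rather than the newline, so the command ends at that line and the next line `--data-urlencode 'client_secret={CLIENT_SECRET}' \` is executed as a separate, failing command. Move the "project id" remark into the prose above the block, or put it on its own comment line before the argument it describes.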
@ -209,16 +209,22 @@ OIDC Auth for API: [**See Walkthrough**](https://www.loom.com/share/00fe2deab59a
## Advanced - Custom Validate ## Advanced - Custom Validate
Validate a JWT Token using custom logic, if you need an extra way to verify if tokens are valid for LiteLLM Proxy. This section allows you to add custom logic to intercept and perform validation of the JWT token.
This can occur when there is additional logic that is needed to execute against each token not currently supported by LiteLLM. For example, additional restrictions are needed on tokens when IDPs are self-service and multi-tenancy or when the JWT has other fields to check against.
> _Note_: You can expect the JWT will have ran the typical decrypting of the public key, token decoding, and expiration time checks before executing the custom validation function.
### 1. Setup custom validate function ### 1. Setup custom validate function
```python ```python
from typing import Literal from typing import Any, Literal
def my_custom_validate(token: str) -> Literal[True]: def my_custom_validate(token: dict[str, Any]) -> Literal[True]:
""" """
Only allow tokens with tenant-id == "my-unique-tenant", and claims == ["proxy-admin"] token is the decoded JWT key-value pairs.
Ex: Only allow tokens that have a "tenant_id" included in the "allowed_tenants" and claims in the "allows_claims".
""" """
allowed_tenants = ["my-unique-tenant"] allowed_tenants = ["my-unique-tenant"]
allowed_claims = ["proxy-admin"] allowed_claims = ["proxy-admin"]
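Review bot: the note introducing this section says the JWT "will have ran the typical decrypting of the public key"; a JWT signature is verified against the provider's public key (typically fetched from its JWKS), not decrypted, so this should read "signature verification against the provider's public key, token decoding and expiration checks". In the same hunk the docstring refers to `"allows_claims"` while the variable is `allowed_claims`, and the new `dict[str, Any]` annotation requires Python 3.9+ (use `typing.Dict[str, Any]` if the proxy still supports 3.8). It would also help to state what the function must do on rejection (raise, or return something other than `True`), since the `Literal[True]` return type documents only the success path.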
@ -247,7 +253,7 @@ general_settings:
**Expected JWT** **Expected JWT**
``` ```json
{ {
"sub": "my-unique-user", "sub": "my-unique-user",
"tenant_id": "INVALID_TENANT", "tenant_id": "INVALID_TENANT",
@ -257,14 +263,14 @@ general_settings:
**Expected Response** **Expected Response**
``` `401` with a body
```json
{ {
"error": "Invalid JWT token" "error": "Invalid JWT token"
} }
``` ```
## Advanced - Allowed Routes ## Advanced - Allowed Routes
Configure which routes a JWT can access via the config. Configure which routes a JWT can access via the config.
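Review bot: the added line `401` with a body reads as a fragment; write it as a sentence, for example "LiteLLM Proxy returns HTTP `401` with the body:". Also worth confirming the status code against the proxy's actual behaviour: a token that passed signature and expiry checks but fails custom validation is an authorization failure, for which `403` is the conventional code, so the doc should match whatever the proxy really sends rather than assume `401`.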