^hflSrSSKrSSKrSSKrSSKJrJrJr SSKJ r J r J r J r J r SSKJr SSKrSSKJr SSKJr SSKJrJrJrJrJrJr SS KJr SS KJr SS K J!r!J"r"J#r# SS K$J%r% SS K&J'r'J(r( SSK)J*r* \(aSSK+J,r, OSSKJ-r, \ "5r.\.R_SS/SS9S\ 4Sj5r0\.R_SS/SS9S\ 4Sj5r1S S\\,S\\S\24Sjjr3\.R_SS/S\ "\5/S9S\ 4Sj5r4g)!z Has all /sso/* routes /sso/key/generate - handles user signing in with SSO and redirects to /sso/callback /sso/callback - returns JWT Redirect Response that redirects to LiteLLM UI N) TYPE_CHECKINGListOptional) APIRouterDepends HTTPExceptionRequeststatus)RedirectResponse)verbose_proxy_logger)MAX_SPENDLOG_ROWS_TO_QUERY)LitellmUserRolesNewUserRequestProxyErrorTypesProxyExceptionSSOUserDefinedValuesUserAPIKeyAuth)_has_user_setup_sso)user_api_key_auth)admin_ui_disabled html_formshow_missing_vars_in_env)new_user)check_is_admin_only_accesshas_admin_ui_access) str_to_bool)OpenID)Anyz/sso/key/generate experimentalF)tagsinclude_in_schemarequestcf # SSKJn [R"SS5n[R"SS5n[R"SS5n[R"S5nUb[ US9nU(a [ 5$UcUcUb-US La([ S [RS [RS 9e[5nUbU$[R"S [UR55n[R"S5n URS5(aUS- nOUS- nUbSSKJn [R"SS5n U c([ S[RS[R"S 9eU "UU US9n [$R&"SUSU35 U  U R)5IShvN sSSS5 $UbSSKJn [R"SS5n[R"SS5nUc([ S[RS[R"S 9eU "UUUUS S9nU UR)5IShvN sSSS5 $UGbSSKJn SSKJn [R"SS5n[R"S S!5R7S"5n[R"S#S5n[R"S$S5n[R"S%S5nUc([ S&[RS[R"S 9eUc([ S'[RS#[R"S 9eUc([ S([RS$[R"S 9eUc([ S)[RS%[R"S 9e[$R8"S*US+US,U35 [$R8"S-US.US/35 U"UUUS09nU"S1US29nU"UUUS US39nU 0n[R"S4S5nU(aUUS5'O(S6U;a"[:R<"5R>US5'UR("S:0UD6IShvN sSSS5 $U bSS7K J!n U"[DS8S99$SS7K J!n U"[DS8S99$GN!,(df  g=fGNN!,(df  g=fNZ!,(df  g=f7f);z Create Proxy API Keys using Google Workspace SSO. Requires setting PROXY_BASE_URL in .env PROXY_BASE_URL should be the your deployed proxy endpoint, e.g. PROXY_BASE_URL="https://litellm-production-7002.up.railway.app/" Example: r) premium_userMICROSOFT_CLIENT_IDNGOOGLE_CLIENT_IDGENERIC_CLIENT_IDDISABLE_ADMIN_UI)valueTa}You must be a LiteLLM Enterprise user to use SSO. If you have a license please set `LITELLM_LICENSE` in your env. If you want to obtain a license meet with us here: https://calendly.com/d/4mp-gd3-k5k/litellm-1-1-onboarding-chat You are seeing this error message because You set one of `MICROSOFT_CLIENT_ID`, `GOOGLE_CLIENT_ID`, or `GENERIC_CLIENT_ID` in your env. Please unset thisr$messagetypeparamcodePROXY_BASE_URL UI_USERNAME/ sso/callback /sso/callback GoogleSSOGOOGLE_CLIENT_SECRET1GOOGLE_CLIENT_SECRET not set. Set it in .env file) client_id client_secret redirect_uriz5In /google-login/key/generate, GOOGLE_REDIRECT_URI: z GOOGLE_CLIENT_ID:  MicrosoftSSOMICROSOFT_CLIENT_SECRETMICROSOFT_TENANT4MICROSOFT_CLIENT_SECRET not set. Set it in .env filer8r9tenantr:allow_insecure_http)DiscoveryDocumentcreate_providerGENERIC_CLIENT_SECRET GENERIC_SCOPEopenid email profile GENERIC_AUTHORIZATION_ENDPOINTGENERIC_TOKEN_ENDPOINTGENERIC_USERINFO_ENDPOINT2GENERIC_CLIENT_SECRET not set. Set it in .env file;GENERIC_AUTHORIZATION_ENDPOINT not set. Set it in .env file3GENERIC_TOKEN_ENDPOINT not set. Set it in .env file6GENERIC_USERINFO_ENDPOINT not set. Set it in .env fileauthorization_endpoint:  token_endpoint:  userinfo_endpoint: GENERIC_REDIRECT_URI:  GENERIC_CLIENT_ID:  authorization_endpointtoken_endpointuserinfo_endpointoidc)namediscovery_documentr8r9r:rBscopeGENERIC_CLIENT_STATEstateokta) HTMLResponse)content status_code)#litellm.proxy.proxy_serverr$osgetenvrrrr auth_errorr HTTP_403_FORBIDDENrstrbase_urlendswithfastapi_sso.sso.googler5HTTP_500_INTERNAL_SERVER_ERRORr infoget_login_redirectfastapi_sso.sso.microsoftr<fastapi_sso.sso.baserCfastapi_sso.sso.genericrEsplitdebuguuiduuid4hexfastapi.responsesrcr)r"r$microsoft_client_idgoogle_client_idgeneric_client_id_disable_ui_flag is_disabledmissing_env_vars redirect_url ui_usernamer5google_client_secret google_ssor<microsoft_client_secretmicrosoft_tenant microsoft_ssorCrEgeneric_client_secret generic_scopegeneric_authorization_endpointgeneric_token_endpointgeneric_userinfo_endpoint discovery SSOProvider generic_ssoredirect_paramsrarcs c/home/james-whalen/.local/lib/python3.13/site-packages/litellm/proxy/management_endpoints/ui_sso.py google_loginr1s8))$94@yy!3T: "5t<yy!34#!(89 $& & '  '  ( t # X$//$..  01#99-s73C3C/DEL))M*KS!!& ' #4!yy)?F  ' K$//,::   &.% !!D\NRfgwfx y #6688Z  (:"$)),Et"L99%7> " * N$///::   %)1#% $  &99;;]  &:; " *A4 H /3IJPPQTU )+ ,d* &"$+CT!J$&II.I4$P! ( L$//-::   * 1 U$//6::   " ) M$//.::   % , P$//1::   ""&'E&FFXYoXpqFG`Fa b  ""$\N2GHYGZZ\ ] &#A17 &6iP !'/% $   !OII4d;E+0(99JJL$$ (%77J/JJ[   3I3??2I3??S9Z.<]TK[sFR1Q9,Q6-Q90A8R1(R <R =R FR1A$R RR /R16Q99 RR1 R  RR1R  R.*R1r3c P^7^8^9^:^;^<^=# SSKJn SSKJnJnJnJnJnJn [R"SS5n[R"SS5n [R"SS5n Uc([S[RS [RS 9e[R"S [!UR"55n U R%S 5(aU S - n OU S- n Sn U bkSSKJn [R"SS5nUc([S[RS[RS 9eU "U U US9nUR+U5IShvN n GOUbSSKJn [R"SS5n[R"SS5nUc([S[RS[RS 9eUc([S[RS[RS 9eU"UUUU SS9nUR+U5IShvN n GOU GbSSKJnJm7 SSKJn [R"SS5n[R"SS5R;S5n[R"S S5n[R"S!S5n[R"S"S5n[R"S#S$5R=5S%:HnUc([S&[RS[RS 9eUc([S'[RS [RS 9eUc([S([RS![RS 9eUc([S)[RS"[RS 9e[>R@"S*US+US,U35 [>R@"S-U S.U S/35 [R"S0S15m<[R"S2S35m9[R"S4S55m:[R"S6S75n[R"S8S95m;[R"S:S;5m=[R"SR@"S>T<S?T:S@U35 U"UUUSA9nU7U8U9U:U;UR@"SF5 U R+USGU0SH9IShvN n [>R@"SIU 5 [CU S5S5n!U b [CU SJS5OSn"U!br[R"SK5b[U!R;SL5SMn#[R"SK5R;SN5n$U#U$;a[ESOSPSQRGU#U$50SR9eU b*U b'[CU SJS5n"[CU S5S5n![CU WS5n%U"c4U b1[CU S9SS5=(d SSn&[CU S;SS5=(d SSn'U&U'-n"U!bU"b[IU"5S:XaU!n"Sn(/n)[JRLn*[JRNn+STSU00SSVSW.n,Sn-Ub7[PRR"U5(aU"U 5IShvN n-O[USX5eU"b[WU)U"U!U*SU+SY9n-U"n.Sn%UGb URYU"SZS[9IShvN n([>R@"S\U(S][JRZ35 U(c-UR\R^RaS^U!0S_9IShvN n(U(bU"b[W[CU(S`U)5U"[CU(S^U!5[CU(SaS5[CU(SbU*5[CU(ScU+5Sd9n-[CU(SaS5n%UR\R^RcS^U!0SeU"0Sf9IShvN O[eU U-Sg9IShvN n%U-c [gSh5e[>Rh"SiU-35 U,RkU-5 SjU,Sk'U"S0U,DSlSj0D6IShvN n/U/Smn0U/Sen"U"U.:XdeSnn1U%=(d [lRnRpn%[R"SoS5b1[RrSoU":Xa[lRtRpn%[>R@"SpU%SqU35 [wU5n2U2(a$[yU%5n3U3(d[ESOSrSsU%StU30SR9eSSK=n4U4R}U"U0U!U%SuUURSvSw5Sx.USySz9n5U"b[U"[ 5(aU1S{U"-- n1[U1S|S}9n6U6RSmU5SS~9 U6$GNGNGNNGNGNGN<GNGN![fa GNf=fGNj7f)z Verify loginr)generate_key_helper_fn)general_settings master_keyr$ prisma_clientui_access_modeuser_custom_ssor%Nr&r'zMaster Key not set for Proxy. Please set Master Key to use Admin UI. Set `LITELLM_MASTER_KEY` in .env or set general_settings:master_key in config.yaml. https://docs.litellm.ai/docs/proxy/virtual_keys. If set, use `--detailed_debug` to debug issue.rr*r/r1r2r3r4r6r7)r8r:r9r;r=r>r?z-MICROSOFT_TENANT not set. Set it in .env fileTr@)rCrrDrFrGrHrIrJrKrLGENERIC_INCLUDE_CLIENT_IDfalsetruerMrNrOrPrQrRrSrTrUrVGENERIC_USER_ID_ATTRIBUTEpreferred_username#GENERIC_USER_DISPLAY_NAME_ATTRIBUTEsubGENERIC_USER_EMAIL_ATTRIBUTEemailGENERIC_USER_ROLE_ATTRIBUTErole!GENERIC_USER_FIRST_NAME_ATTRIBUTE first_name GENERIC_USER_LAST_NAME_ATTRIBUTE last_nameGENERIC_USER_PROVIDER_ATTRIBUTEproviderz! generic_user_id_attribute_name: z% generic_user_email_attribute_name: z$ generic_user_role_attribute_name: rWc >T"URT5URT5URT5URT5URT5URT5S9$)N)id display_namerrrr)get) responseclientrgeneric_provider_attribute_name(generic_user_display_name_attribute_name!generic_user_email_attribute_name&generic_user_first_name_attribute_namegeneric_user_id_attribute_name%generic_user_last_name_attribute_names rresponse_convertor)auth_callback..response_convertors^<< >?%\\*RSll#DE#<<(NO",,'LM!&EF  r[)r\r]rr^z&calling generic_sso.verify_and_processinclude_client_id)paramszgeneric result: %srALLOWED_EMAIL_DOMAINS@,ir+zZThe email domain={}, is not an allowed email domain={}. Contact your admin to change this.)rfdetail24hrg{Gz?zlitellm-dashboard)durationkey_max_budgetaliasesconfigspendteam_idz,user_custom_sso must be a coroutine function)modelsuser_id user_email max_budget user_rolebudget_durationuser)r table_namez user_info: z(; litellm.default_internal_user_params: r)whererrrr)rrrrrrr)rdata) result_openiduser_defined_valueszUnable to map user identity to known values. 'user_defined_values' is None. File an issue - https://github.com/BerriAI/litellm/issuesz)user_defined_values for creating ui key: key request_typertokenz/ui/PROXY_ADMIN_IDz user_role: z; ui_access_mode: errorz,User not allowed to access proxy. User role=z , proxy mode=ssolitellm_key_header_name Authorization)rrrr login_methodr$auth_header_nameHS256) algorithmz?userID=i/)urlrf)rr)securerg)C;litellm.proxy.management_endpoints.key_management_endpointsrrhrrr$rrrrirjrrrkr rqrmrnrorpr5verify_and_processrtr<rurCrrvrErwlowerr rxgetattrrformatlenlitellmmax_internal_user_budgetinternal_user_budget_durationasyncioiscoroutinefunction ValueErrorrget_datadefault_internal_user_paramsdblitellm_usertable find_first update_manyinsert_sso_user ExceptionrrupdaterINTERNAL_USER_VIEW_ONLYr)environ PROXY_ADMINrrjwtencoder isinstancer set_cookie)>r"rrrr$rrrr}r~rrresultr5rrr<rrrrCrErrrrrgeneric_include_client_id generic_user_role_attribute_namerrrrrr email_domainallowed_domainsr _first_name _last_name user_infouser_id_modelsrrdefault_ui_key_valuesr_user_id_from_ssorrlitellm_dashboard_uiis_admin_only_access has_accessr jwt_tokenredirect_responserrrrrrrs> @@@@@@@r auth_callbackrs^ ))$94@yy!3T: "5t<P ++66   99-s73C3C/DELS!!& ' F#4!yy)?F  ' K$//,::   &%. "44W==  (:"$)),Et"L99%7> " * N$///::    # G$//(::   %)1#% $  %77@@  &B; " *A4 H /3IJPPQTU )+ ,d* &"$+CT!J$&II.I4$P! II17 ; A A Cv M " ! ( L$//-::   * 1 U$//6::   " ) M$//.::   % , P$//1::   ""&'E&FFXYoXpqFG`Fa b  ""$\N2GHYGZZ\ ] *, ')=* &4699 154 0-/II *G- ),.99 )6, (24 /2 .13 . 1 -+-)) -z+ ' ""/0N/OOuwXvYY~_~` a &#A17   &(1 "'/% $   ""#KL"55 02KL6   ""#7@!( >J2BC6nE(3 KI;Vcdrcst  $"!( 0 4 4)?!  Iz'377 W 44(-AsS  WId K q >6AV n#@"Y *     sD;d&c:B1d&6c=7J;d&2d3Fd&5d6%d&d3d4Ad d Bdd dd& d(d)d-A d&9d#:Ed&=d&d&d&d d dd d d&d  d&rrreturnc# [R"SU35 Uc [S5e[R(aUR [R5 UR S5[RR:XaJUR S5c[RUS'UR S5c[RUS'USc[RUS'[USUSUSUSUSS 9nU(aS UR0Ul[!U[#5S 9IShvN US=(d [R$N 7f) a! Helper function to create a New User in LiteLLM DB after a successful SSO login Args: result_openid (OpenID): User information in OpenID format if the login was successful. user_defined_values (Optional[SSOUserDefinedValues], optional): LiteLLM SSOValues / fields that were read z)Inserting SSO user into DB. User values: Nzuser_defined_values is Nonerrrrr)rrrrr auth_provider)ruser_api_key_dict)r rxrrrrrr INTERNAL_USERr)rrrrrmetadatarr)rrnew_user_requests rrrLsX 34G3HI"677++""7#G#GH{+/?/M/M/S/SS  " "< 0 8070P0P  -  " "#4 5 =55 1 2;'/+;+S+SK(%#I.&|4%k2&|4+,=> %4m6L6L$M! (NC)N)5__doc__rrirytypingrrrfastapirrrr r r|r rlitellm._loggingr litellm.constantsr litellm.proxy._typesrrrrrrlitellm.proxy.auth.auth_utilsr$litellm.proxy.auth.user_api_key_authr)litellm.proxy.common_utils.admin_ui_utilsrrr:litellm.proxy.management_endpoints.internal_user_endpointsr3litellm.proxy.management_endpoints.sso_helper_utilsrrlitellm.secret_managers.mainrrurrrouterrrrrmrr)rgrrr7sF 00FF.18>B P5+$  ~&6%Pk@k@Qk@\O>"2eLhhMhZ ;?.XF#.X!"67.X .Xb  +,-   7  r