WIP: Multi-Tenant OpenID Authentication Support #5732

Draft
wants to merge 3 commits into
base: main

rubentalstra (Collaborator) commented Feb 8, 2025

🎯 Summary

Closes: #4544

This PR introduces support for multi-tenant OpenID authentication. Instead of relying on a single OpenID configuration, the system can now handle multiple tenants, each with its own client ID, client secret, and issuer. The PR also includes UI updates to accommodate multi-tenant login, backend logic refactoring, and YAML configuration updates.

🔍 Changes Overview

🔧 Configuration Updates

  • .env.example
    • Replaced OPENID_CLIENT_ID, OPENID_CLIENT_SECRET, and OPENID_ISSUER with OPENID_ENABLED.
    • Added OPENID_MULTI_TENANT support.
  • librechat.example.yaml
    • Introduced openid.tenants array for defining multiple OpenID providers.

⚙️ Backend Enhancements

  • api/server/routes/config.js
    • Updated OpenID config checks to support OPENID_ENABLED instead of requiring all individual OpenID env variables.
    • Introduced openidMultiTenantEnabled flag.
  • api/server/routes/oauth.js
    • Replaced static OpenID authentication with a dynamic strategy selection using chooseOpenIdStrategy.
  • api/server/utils/openidHelper.js (New file!)
    • Implements logic to map email domains to the correct OpenID strategy dynamically.
  • api/strategies/openidStrategy.js
    • Implements logic for dynamically registering multiple OpenID strategies from YAML configuration.

🖥️ UI & Frontend Updates

  • client/src/components/Auth/MultiTenantOpenID.tsx (New file!)
    • Introduces an OpenID login form where users input their email, allowing domain-based strategy selection.
  • client/src/components/Auth/SocialLoginRender.tsx
    • Renders Multi-Tenant OpenID UI when openidMultiTenantEnabled is true.
  • packages/data-provider/src/config.ts
    • Updated TStartupConfig schema to include openidMultiTenantEnabled.

Single-tenant

[Image: Screenshot 2025-02-08 at 13 08 17]

Multi-tenant

[Image: Screenshot 2025-02-08 at 13 08 46]

✅ TODO

  • Code refactoring and cleanup.
  • Additional testing for multiple tenants.
  • Documentation updates.

🧪 Testing

Test Configuration:

  • Enabled OPENID_MULTI_TENANT=true.
  • Added multiple OpenID tenants in librechat.example.yaml.
  • Tested login with different email domains.

📋 Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • I have made pertinent documentation changes
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
  • A pull request for updating the documentation has been submitted.

TODO:
working code but needs some refactoring and cleaning up.
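
The domain-based strategy selection described above for api/server/utils/openidHelper.js, sketched as an added example that is not code from this PR or from LibreChat. The tenant field names (`name`, `issuer`, `domains`), the sample tenants and every function name are assumptions; the point shown is that the typed email only routes the redirect, and the returned ID token must still match the tenant that was chosen.

```javascript
// Constructed sample tenant list. Field names are assumptions, not the PR's YAML schema.
const TENANTS = [
  { name: 'acme', issuer: 'https://login.acme.example', domains: ['acme.example'] },
  { name: 'globex', issuer: 'https://sso.globex.example', domains: ['globex.example', 'eu.globex.example'] },
];

const normalize = (domain) => domain.trim().toLowerCase();

// Build an exact-match lookup; refuse to start if two tenants claim one domain.
function buildDomainIndex(tenants) {
  const index = new Map();
  for (const tenant of tenants) {
    for (const raw of tenant.domains) {
      const domain = normalize(raw);
      if (index.has(domain)) {
        throw new Error(`domain ${domain} is claimed by more than one tenant`);
      }
      index.set(domain, tenant);
    }
  }
  return index;
}

// Return the domain of a "local@domain" string, or null for anything else.
function emailDomain(email) {
  if (typeof email !== 'string' || email.length > 254) return null;
  const parts = normalize(email).split('@');
  if (parts.length !== 2 || !parts[0] || !/^[a-z0-9.-]+$/.test(parts[1])) return null;
  return parts[1];
}

// Routing step: exact domain match only (no suffix or substring matching),
// and null (fail closed) when no tenant owns the domain.
function selectTenant(index, email) {
  const domain = emailDomain(email);
  return domain ? index.get(domain) ?? null : null;
}

// Callback step: `claims` is the payload of an ID token whose signature the
// OIDC library has already verified. The issuer must be the tenant chosen at
// routing, and (a stricter policy assumed here) the email claim must fall in
// one of that tenant's domains.
function callbackMatchesTenant(tenant, claims) {
  if (!tenant || !claims || claims.iss !== tenant.issuer) return false;
  const domain = emailDomain(claims.email);
  return domain !== null && tenant.domains.some((d) => normalize(d) === domain);
}
```
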
rubentalstra linked an issue Feb 8, 2025 that may be closed by this pull request
rubentalstra self-assigned this Feb 8, 2025
rubentalstra added the ✨ enhancement (New feature or request) label Feb 8, 2025
rubentalstra changed the title "🚀 Multi-Tenant OpenID Authentication Support" to "WIP: 🚀 Multi-Tenant OpenID Authentication Support" Feb 9, 2025
rubentalstra changed the title "WIP: 🚀 Multi-Tenant OpenID Authentication Support" to "WIP: Multi-Tenant OpenID Authentication Support" Feb 9, 2025
Repository owner deleted a comment from github-actions bot Feb 12, 2025
rubentalstra (Collaborator, Author) commented Feb 12, 2025

I’m not really sure myself. This might be useful, but I think it’s out of scope for this project.

@danny-avila ^ what do you think?

Successfully merging this pull request may close these issues.

Enhancement: Multitenant OpenID Login with Home Zone Discovery