chore(litellm): validate base URL, hide SSO button when invalid/has key, persist OAuth metadata, add expiry notice

Author: colesmcintosh

packages/types/src/provider-settings.ts

@@ -252,6 +252,10 @@ const litellmSchema = baseProviderSettingsSchema.extend({
 	litellmApiKey: z.string().optional(),
 	litellmModelId: z.string().optional(),
 	litellmUsePromptCache: z.boolean().optional(),
+	// OAuth metadata (optional)
+	litellmTokenType: z.string().optional(),
+	litellmTokenExpiresAt: z.string().optional(),
+	litellmTokenScope: z.string().optional(),
 })
 
 const cerebrasSchema = apiModelIdProviderModelSchema.extend({

src/core/webview/ClineProvider.ts

@@ -1255,7 +1255,9 @@ export class ClineProvider
 		await this.upsertProviderProfile(currentApiConfigName, newConfiguration)
 	}
 
-	// LiteLLM
+	// LiteLLM OAuth2 SSO integration
+	// Flow: User clicks SSO button -> LiteLLM OAuth page -> redirect back with access_token
+	// Token is stored as API key for the LiteLLM provider. Based on LiteLLM PR #13227.
 	async handleLiteLLMCallback(oauthResponse: {
 		accessToken: string
 		tokenType: string
@@ -1277,14 +1279,34 @@ export class ClineProvider
 			apiProvider: "litellm",
 			litellmApiKey: accessToken,
 			litellmModelId: apiConfiguration?.litellmModelId || litellmDefaultModelId,
+			litellmTokenType: tokenType,
+			litellmTokenExpiresAt: expiresAt,
+			litellmTokenScope: scope,
 		}
 		await this.upsertProviderProfile(currentApiConfigName, newConfiguration)
 
 		// Notify webview of the configuration update
 		await this.postStateToWebview()
 
-		// Show success message to user
-		vscode.window.showInformationMessage("Successfully authenticated with LiteLLM via SSO!")
+		// Show success message to user including token expiry information
+		vscode.window.showInformationMessage(
+			`Successfully authenticated with LiteLLM via SSO! Token expires in ${expiresIn} seconds.`,
+		)
+
+		// Schedule a pre-expiry warning if expiry is reasonable
+		try {
+			const msUntilExpiry = expiresIn * 1000
+			const warnMs = Math.max(0, msUntilExpiry - 5 * 60 * 1000) // 5 minutes before
+			if (warnMs > 0 && warnMs < 7 * 24 * 60 * 60 * 1000) {
+				setTimeout(() => {
+					void vscode.window.showWarningMessage(
+						"Your LiteLLM OAuth token is about to expire. Please re-authenticate via SSO to avoid interruptions.",
+					)
+				}, warnMs)
+			}
+		} catch {
+			// ignore scheduling errors
+		}
 	}
 
 	// Glama

webview-ui/src/components/settings/providers/LiteLLM.tsx

@@ -115,14 +115,16 @@ export const LiteLLM = ({
 				{t("settings:providers.apiKeyStorageNotice")}
 			</div>
 
-			{apiConfiguration?.litellmBaseUrl && (
-				<VSCodeButtonLink
-					href={getLiteLLMAuthUrl(apiConfiguration.litellmBaseUrl, uriScheme)}
-					style={{ width: "100%" }}
-					appearance="primary">
-					{t("settings:providers.getLiteLLMApiKey")}
-				</VSCodeButtonLink>
-			)}
+			{(() => {
+				if (!apiConfiguration?.litellmBaseUrl || apiConfiguration?.litellmApiKey) return null
+				const authUrl = getLiteLLMAuthUrl(apiConfiguration.litellmBaseUrl, uriScheme)
+				if (!authUrl) return null
+				return (
+					<VSCodeButtonLink href={authUrl} style={{ width: "100%" }} appearance="primary">
+						{t("settings:providers.getLiteLLMApiKey")}
+					</VSCodeButtonLink>
+				)
+			})()}
 
 			<Button
 				variant="outline"

webview-ui/src/oauth/urls.ts

@@ -17,6 +17,13 @@ export function getRequestyAuthUrl(uriScheme?: string) {
 }
 
 export function getLiteLLMAuthUrl(baseUrl: string, uriScheme?: string) {
+	// Validate URL format to avoid malformed links
+	try {
+		// Throws on invalid URL
+		new URL(baseUrl)
+	} catch {
+		return ""
+	}
 	const cleanBaseUrl = baseUrl.replace(/\/+$/, "")
 	return `${cleanBaseUrl}/sso/key/generate?response_type=oauth_token&redirect_uri=${getCallbackUrl("litellm", uriScheme)}`
 }