Skip to content

feat: add LiteLLM OAuth2 SSO authentication button #6612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

feat: add LiteLLM OAuth2 SSO authentication button #6612

wants to merge 4 commits into from

Conversation

@colesmcintosh
Copy link

@colesmcintosh colesmcintosh commented Aug 2, 2025
edited
Loading

Related GitHub Issue

N/A

Roo Code Task Context (Optional)

<!-- This implementation was developed based on LiteLLM PR #13227 and implementing the corresponding RooCode integration -->

Description

This PR implements OAuth2 SSO integration for LiteLLM proxy authentication, enabling users to authenticate with their LiteLLM proxy via SSO and automatically configure their API key in RooCode.

Key Implementation Details:

  • Added OAuth2 URL generation with proper response_type=oauth_token parameter
  • Implemented VSCode extension URI callback handling for /litellm route
  • Created handleLiteLLMCallback() method in ClineProvider to process OAuth responses
  • Added SSO authentication button in LiteLLM settings UI that appears when base URL is configured
  • Follows OAuth2 RFC 6749 standards and integrates with LiteLLM PR #13227

Design Choices:

  • Button only appears after user enters base URL to ensure functional SSO endpoint
  • Uses existing VSCodeButtonLink component for consistency with other OAuth providers
  • Stores OAuth metadata (token type, expiry, scope) for future reference
  • Maintains backward compatibility with manual API key entry

Test Procedure

Manual Testing Steps:

  1. Open RooCode settings and navigate to LiteLLM provider
  2. Enter a LiteLLM base URL (e.g., https://your-litellm-proxy.com)
  3. Verify "Get LiteLLM API Key via SSO" button appears
  4. Click button and verify redirect to LiteLLM SSO page with correct parameters
  5. Complete SSO authentication flow
  6. Verify callback returns to RooCode with access token
  7. Confirm API key is automatically configured in settings

Testing Environment:

  • Requires LiteLLM proxy instance with SSO configured
  • Should test with LiteLLM version that includes PR #13227 OAuth2 support

Pre-Submission Checklist

  • Issue Linked: This PR addresses LiteLLM OAuth2 integration need
  • Scope: Changes are focused on LiteLLM SSO authentication feature
  • Self-Review: Performed thorough self-review of code
  • Testing: Manual testing procedures outlined above
  • Documentation Impact: No user documentation updates required (feature is self-explanatory in UI)
  • Contribution Guidelines: Read and agree to contributor guidelines

Screenshots / Videos

<!-- To be added after manual testing with LiteLLM proxy instance -->

Documentation Updates

  • No documentation updates are required. (Feature is intuitive through UI - button appears when base URL is configured)

Additional Notes

This implementation is designed to work with LiteLLM proxies that have the OAuth2 SSO endpoint from LiteLLM PR #13227. The feature provides a seamless authentication experience similar to other OAuth providers (OpenRouter, Glama, Requesty) already implemented in RooCode.

The OAuth flow supports:

  • Standard OAuth2 token response with JSON format
  • VSCode extension redirect URI scheme compatibility
  • Multiple IDE support (vscode, cursor, fleet, zed, etc.)
  • Proper error handling for authentication failures

@colesmcintosh
feat: add LiteLLM OAuth2 SSO authentication button
26ef936 
Implement OAuth2 SSO integration for LiteLLM proxy authentication:

- Add OAuth URL generator for LiteLLM SSO flow with proper redirect_uri
- Implement URI callback handler for LiteLLM OAuth2 responses
- Add ClineProvider method to handle LiteLLM OAuth callback and store tokens
- Create LiteLLM SSO authentication button in settings UI
- Add internationalization support for LiteLLM OAuth button text

This enables users to authenticate with their LiteLLM proxy via SSO by:
1. Entering their LiteLLM base URL in settings
2. Clicking "Get LiteLLM API Key via SSO" button
3. Completing OAuth flow in browser
4. Automatically receiving and storing the API token

The implementation follows OAuth2 RFC 6749 standards and supports both
JSON response format and VSCode extension redirect flows as implemented
in LiteLLM PR #13227.
roomote[bot]
roomote bot reviewed Aug 2, 2025
View reviewed changes
Copy link
Contributor

@roomote roomote bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution! I've reviewed the changes and found the implementation to be solid with clean integration following existing OAuth patterns. I have some suggestions for improvement.

src/activate/handleUri.ts
await visibleProvider.handleLiteLLMCallback({
accessToken,
tokenType: tokenType || "Bearer",
expiresIn: expiresIn ? parseInt(expiresIn, 10) : 86400,
Copy link
Contributor

@roomote roomote bot Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is 86400 seconds (24 hours) a reasonable default for token expiry? Some OAuth tokens might have much shorter lifespans. Could we consider a more conservative default or make this configurable?

src/core/webview/ClineProvider.ts

// Store the OAuth response metadata
const { accessToken, tokenType, expiresIn, scope } = oauthResponse
const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString()
Copy link
Contributor

@roomote roomote bot Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The token expiry time is calculated and logged but doesn't appear to be used elsewhere. Consider implementing token refresh logic or at least warning users when their token is about to expire. This would improve the user experience by preventing unexpected authentication failures.

src/core/webview/ClineProvider.ts
requestyDefaultModelId,
openRouterDefaultModelId,
glamaDefaultModelId,
litellmDefaultModelId,
Copy link
Contributor

@roomote roomote bot Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I notice litellmDefaultModelId is imported here. Could you confirm this constant is already defined in the @roo-code/types package? I want to ensure we're not missing any type definitions.

webview-ui/src/oauth/urls.ts
}

export function getLiteLLMAuthUrl(baseUrl: string, uriScheme?: string) {
const cleanBaseUrl = baseUrl.replace(/\/+$/, "")
Copy link
Contributor

@roomote roomote bot Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding URL validation before constructing the OAuth URL. Something like:

Suggested change
const cleanBaseUrl = baseUrl.replace(/\/+$/, "")
export function getLiteLLMAuthUrl(baseUrl: string, uriScheme?: string) {
try {
new URL(baseUrl); // Validate URL format
} catch (error) {
throw new Error('Invalid LiteLLM base URL');
}
const cleanBaseUrl = baseUrl.replace(/\/+$/, "")
return `${cleanBaseUrl}/sso/key/generate?response_type=oauth_token&redirect_uri=${getCallbackUrl("litellm", uriScheme)}`
}

This would prevent malformed URLs from causing issues downstream.

src/core/webview/ClineProvider.ts
}

// LiteLLM
async handleLiteLLMCallback(oauthResponse: {
Copy link
Contributor

@roomote roomote bot Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding inline documentation explaining the OAuth flow or linking to LiteLLM's OAuth documentation. This would help future maintainers understand the integration better. For example:

Suggested change
async handleLiteLLMCallback(oauthResponse: {
// LiteLLM OAuth2 SSO integration
// This implements the OAuth2 flow described in LiteLLM PR #13227
// The flow: User clicks SSO button -> Redirected to LiteLLM OAuth page ->
// LiteLLM redirects back with access_token -> Token stored as API key
async handleLiteLLMCallback(oauthResponse: {

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Aug 2, 2025
@daniel-lxs daniel-lxs moved this from Triage to PR [Draft / In Progress] in Roo Code Roadmap Aug 4, 2025
@hannesrudolph hannesrudolph added PR - Draft / In Progress and removed Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. labels Aug 4, 2025
@github-project-automation github-project-automation bot moved this from PR [Draft / In Progress] to Done in Roo Code Roadmap Sep 23, 2025
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Sep 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roomote roomote[bot] roomote[bot] left review comments

@mrubens mrubens Awaiting requested review from mrubens mrubens will be requested when the pull request is marked ready for review mrubens is a code owner

@cte cte Awaiting requested review from cte cte will be requested when the pull request is marked ready for review cte is a code owner

@jr jr Awaiting requested review from jr jr will be requested when the pull request is marked ready for review jr is a code owner

Assignees

No one assigned

Labels

PR - Draft / In Progress

Projects

Roo Code Roadmap
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@colesmcintosh @hannesrudolph