[Enhancement]: Allow checking userinfo for OPENID_REQUIRED_ROLE_PARAMETER_PATH

[ar2427]

What features would you like to see added?

1. The current OIDC authorization process feels overly simplistic, as it does not allow for validation based on the 'userinfo' object during the authorization step. At present, it solely depends on the access token and ID token for authorization purposes.

It would be beneficial if the 'OPENID_REQUIRED_ROLE_PARAMETER_PATH' environment variable's value could be used to navigate and evaluate the 'userinfo' object for authorization criteria.

2. Support for encrypted tokens should be added in the OIDC authorization process, to deal with the case when the tokens are not JWT-decodable. This would provide greater flexibility when handling various token formats.

More details

I am currently working on integrating Shibboleth with my application. I requested relevant team in my organization to provide information about the groups assigned to the logged-in user within the 'userinfo' object. Unfortunately, LibreChat presently supports restricting access by groups only through tokens, utilizing the 'OPENID_REQUIRED_ROLE_PARAMETER_PATH' and 'OPENID_REQUIRED_ROLE' environment variables. As a result, I am unable to leverage the 'userinfo' object to retrieve the group membership details.

Although the group membership information might also be included in the access token, the access token provided by Shibboleth in my organization is encrypted, preventing me from verifying its content.

For reference, the relevant file related to the issue is: openidStrategy.js.

Which components are impacted by your request?

General

Pictures

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

some info-based authentication/role-assignment will definitely be implemented, it would need to be defined by specific openid provider

[rubentalstra]

Going to work on this.

[rubentalstra]

@ar2427 please have a look at my PR:

• refactor: OpenID strategy and Enhance role extraction and validation logic #6741

[ar2427]

Apologies for the delay in response.

I think danny is reviewing it already.