[Enhancement]: Support GROUP instead with ROLE in Keycloak

[mgm-hqtran]

What features would you like to see added?

Add support for OPENID_REQUIRED_GROUP in Keycloak authentication configuration.

Behavior: If set, the system checks the user’s group membership before allowing login.

More details

Currently, LibreChat only supports OPENID_REQUIRED_ROLE for verifying user login with SSO in Keycloak (as documented here).

However, in our setup, we rely on Keycloak Groups rather than Roles to manage access, this is consistent with how other systems in our environment (e.g., Bitbucket, Jenkins) handle permissions.

It would be great to have an additional configuration option, for example:
OPENID_REQUIRED_GROUP=<group_name>
This would allow LibreChat to verify logins against a required Keycloak Group instead of (or in addition to) a Role.

Benefits:

• Aligns LibreChat authentication with other tools in our environment.
• Makes it easier for organizations that primarily use Keycloak Groups for access control.

Thanks

Which components are impacted by your request?

No response

Pictures

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Feel free to submit a PR if you have a solution