feat: add ADMIN_SSO_ENABLED to hide SSO login button#71
Merged
Conversation
Adds an opt-out env var so deployments can hide the admin-panel SSO
button (and SSO auto-redirect) while keeping email/password login,
even when LibreChat has OpenID configured.
checkOpenIdFn short-circuits to { available: false, ssoOnly: false }
when ADMIN_SSO_ENABLED=false, before calling the backend OpenID check.
Because the SSO button only renders when available is true, the
existing login UI hides it with no component changes. Takes precedence
over ADMIN_SSO_ONLY.
Documents the var in .env.example and README, and adds checkOpenIdFn
unit tests covering default availability, ADMIN_SSO_ONLY, the hide flag,
precedence, and backend-failure fallback.
Closes #61
Contributor
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. You're on a roll. ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
dustinhealy
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #61.
Adds an optional
ADMIN_SSO_ENABLEDenv var (defaults to enabled). SetADMIN_SSO_ENABLED=falseto hide the admin-panel SSO button — and the SSO auto-redirect — while keeping email/password login, even when LibreChat has OpenID configured.This addresses the confusing case described in the issue: when
ADMIN_PANEL_URLisn't configured on the LibreChat server (or redirect URIs aren't registered with the OIDC provider), the SSO button shows up and returns "unauthorized". Admins can now suppress it and use local login for the admin panel while SSO stays configured for the main LibreChat app.Implementation
src/server/auth.ts—checkOpenIdFnshort-circuits to{ available: false, ssoOnly: false }whenADMIN_SSO_ENABLED=false, before calling the backend OpenID check (no wasted request). Because the SSO button only renders whenavailableistrueand auto-redirect only fires whenssoOnlyistrue, the existing login UI hides both with no component changes:src/routes/login.tsxcomputesssoOnly: openIdStatus.available && …→false.src/components/AuthCard.tsxrenders the SSO button inside{ssoAvailable && (…)}.ADMIN_SSO_ONLY(disabling SSO can't coexist with "SSO only").Docs
.env.exampleandREADME.mddocument the new variable (defaulttrue).Tests
src/server/auth.oauth.test.ts— 5 newcheckOpenIdFnunit tests: default availability,ADMIN_SSO_ONLY=true, the hide flag (and that it skips the backend call), precedence overADMIN_SSO_ONLY, and backend-failure fallback.npx vitest run→ 575 passing.Notes
tsccurrently reports two pre-existing errors inRolePermissionsPanel.tsx/constants/role.ts(PermissionTypes.SKILLS, a data-provider version mismatch tied to #53) — in files this PR does not touch.