[BETA] Support OIDC role based access to proxy

[krrishdholakia]

Title

Support OIDC role based access to proxy

general_settings:
  enable_jwt_auth: True
  litellm_jwtauth:
    object_id_jwt_field: "client_id" # can be either user / team, inferred from the role mapping
    roles_jwt_field: "resource_access.litellm-test-client-id.roles"
    role_mappings:
      - role: litellm.api.consumer
        internal_role: "team"
    enforce_rbac: true

  role_permissions: # default model + endpoint permissions for a role. 
    - role: team
      models: ["anthropic-claude"]
      routes: ["openai_routes"]

Relevant issues

Allows services and users call proxy via OIDC roles.

Let's proxy admin not need to add each user/service to DB for model access + cost tracking.

Type

🆕 New Feature
🐛 Bug Fix
🧹 Refactoring
📖 Documentation
🚄 Infrastructure
✅ Test

Changes

• introduces new fields to jwt auth - object_id_jwt_field, roles_jwt_field, and role_mappings
• updates role_permissions to allow proxy admin to control allowed routes
• enforces id always available for cost tracking if enforce_rbac = true

[REQUIRED] Testing - Attach a screenshot of any new tests passing locally

If UI changes, send a screenshot/GIF of working UI fixes

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
litellm	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Feb 5, 2025 6:00am