🪪 fix: Add Admin Panel SSO URL Config (#13220)

* fix: Add admin panel URL Helm configuration * fix: Clarify admin panel URL configuration * fix: Avoid duplicate admin panel URL env
2026-06-09 17:31:19 +00:00 · 2026-05-21 00:54:57 -04:00 · 2026-05-21 00:54:57 -04:00 · 830d124e4d
commit 830d124e4d
parent 799a080479
5 changed files with 49 additions and 5 deletions
--- a/.env.example
+++ b/.env.example
@ -33,6 +33,12 @@ MONGO_AUTO_CREATE=
 DOMAIN_CLIENT=http://localhost:3080
 DOMAIN_SERVER=http://localhost:3080

+# External admin panel base URL used for admin OAuth/SSO redirects.
+# Required when the admin panel is hosted separately from LibreChat.
+# May include a path. Do not include a trailing slash.
+# Example: https://admin.example.com/admin
+ADMIN_PANEL_URL=
+
 NO_INDEX=true
 # Use the address that is at most n number of hops away from the Express application.
 # req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
@ -535,6 +541,8 @@ OPENID_ISSUER=
 OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
+# Admin panel SSO uses ${DOMAIN_SERVER}/api/admin/oauth/openid/callback as the
+# OpenID provider redirect URI.
 OPENID_REQUIRED_ROLE=
 OPENID_REQUIRED_ROLE_TOKEN_KIND=
 OPENID_REQUIRED_ROLE_PARAMETER_PATH=
--- a/helm/librechat/Chart.yaml
+++ b/helm/librechat/Chart.yaml
@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.3
+version: 2.0.4

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/helm/librechat/readme.md
+++ b/helm/librechat/readme.md
@ -34,4 +34,22 @@ kind: Secret

 3. Apply the Secret to the Cluster

-4. Fill out values.yaml and apply the Chart to the Cluster
+4. Fill out values.yaml and apply the Chart to the Cluster
+
+## Admin Panel SSO
+
+When deploying the admin panel at a separate URL, set `librechat.adminPanelUrl`
+to the external admin panel base URL. It may include a path, but it should not
+end with a trailing `/` because LibreChat appends `/auth/...` callback paths.
+
+```yaml
+librechat:
+  adminPanelUrl: https://admin.example.com/admin
+```
+
+This renders `ADMIN_PANEL_URL` for LibreChat's admin OAuth flow. For OpenID SSO,
+also register this LibreChat callback URL with your identity provider:
+
+```text
+https://<librechat-domain>/api/admin/oauth/openid/callback
+```
--- a/helm/librechat/templates/configmap-env.yaml
+++ b/helm/librechat/templates/configmap-env.yaml
@ -3,6 +3,9 @@ apiVersion: v1
 metadata:
  name: {{ include "librechat.fullname" $ }}-configenv
 data:
+  {{- $configEnv := default dict .Values.librechat.configEnv }}
+  {{- $adminPanelUrl := .Values.librechat.adminPanelUrl }}
+  {{- $configAdminPanelUrl := dig "configEnv" "ADMIN_PANEL_URL" "" .Values.librechat }}
  {{- if (index .Values "librechat-rag-api" "enabled") }}
  RAG_API_URL: http://{{ include "rag.fullname" (index .Subcharts "librechat-rag-api") | lower }}.{{ .Release.Namespace | lower }}.svc.cluster.local:8000 
  {{- end }}
@ -18,6 +21,15 @@ data:
  {{- if and (not (dig "configEnv" "REDIS_URI" "" .Values.librechat)) .Values.redis.enabled }}
  REDIS_URI: redis://{{ include "common.names.fullname" .Subcharts.redis }}-master.{{ .Release.Namespace | lower }}.svc.cluster.local:6379
  {{- end }}
-  {{- if .Values.librechat.configEnv }}
-  {{- toYaml .Values.librechat.configEnv | nindent 2 }}
-  {{- end }}
+  {{- if and $adminPanelUrl (not $configAdminPanelUrl) }}
+  ADMIN_PANEL_URL: {{ $adminPanelUrl | quote }}
+  {{- end }}
+  {{- if $configEnv }}
+  {{- $renderedConfigEnv := $configEnv }}
+  {{- if and $adminPanelUrl (hasKey $configEnv "ADMIN_PANEL_URL") (not $configAdminPanelUrl) }}
+  {{- $renderedConfigEnv = omit $configEnv "ADMIN_PANEL_URL" }}
+  {{- end }}
+  {{- if $renderedConfigEnv }}
+  {{- toYaml $renderedConfigEnv | nindent 2 }}
+  {{- end }}
+  {{- end }}
--- a/helm/librechat/values.yaml
+++ b/helm/librechat/values.yaml
@ -33,6 +33,12 @@ global:
    #        key: client_id

 librechat:
+  # External admin panel base URL used for admin OAuth/SSO redirects.
+  # Required when deploying the admin panel on a separate URL.
+  # May include a path. Do not include a trailing slash.
+  # Example: https://admin.example.com/admin
+  adminPanelUrl: ""
+
  configEnv:
    # IMPORTANT -- GENERATE your own: openssl rand -hex 32 and openssl rand -hex 16 for CREDS_IV. Best Practise: Put into Secret. See global.librechat.existingSecretName
    CREDS_KEY: 9e95d9894da7e68dd69c0046caf5343c8b1e80c89609b5a1e40e6568b5b23ce6