From 70f34dc617977b8c9ebd3c6bf4c43ae9cd9ad5f3 Mon Sep 17 00:00:00 2001
From: Brian Vander Schaaf
Date: Tue, 1 Oct 2024 18:02:45 -0400
Subject: [PATCH] chore: add to oauth docs

---
 .../self_hosting/configuration/sso.mdx | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/versioned_docs/version-2.0/self_hosting/configuration/sso.mdx b/versioned_docs/version-2.0/self_hosting/configuration/sso.mdx
index 0304cddd..a35c57ab 100644
--- a/versioned_docs/version-2.0/self_hosting/configuration/sso.mdx
+++ b/versioned_docs/version-2.0/self_hosting/configuration/sso.mdx
@@ -4,19 +4,24 @@ import { HelmBlock, } from "../../../../src/components/InstructionsWithCode";
-# SSO
+# SSO with OAuth2.0 and OIDC
-## OAuth2.0 and OIDC (PKCE)
+LangSmith Self-Hosted provides SSO via OAuth2.0 and OIDC. This will delegate authentication to your Identity Provider (IdP) to manage access to LangSmith.
-LangSmith Self-Hosted provides SSO via OAuth2.0 and OIDC. Once configured, this will delegate authentication to your Identity Provider(IdP) to manage access to LangSmith.
+Our implementation supports almost anything that is OIDC compliant, with a few exceptions.
+Once configured, you will see a login screen like this:
+
+![LangSmith UI with OAuth SSO](../static/langsmith_ui_sso.png)
+
+## Without Client Secret (PKCE) {#without-secret}
-Our implementation supports almost anything that is OIDC compliant, with a few exceptions.
+This flow does _not_ require a `Client Secret` - see the flow [below](#with-secret) for the alternative that does.
 ### Requirements
 There are a couple of requirements for using OAuth SSO with LangSmith:
-- Your IdP must support the `Authorization Code with PKCE` [flow](https://www.oauth.com/oauth2-servers/pkce) (Google does not support this flow for example, but see [below](#using-oauth10-and-oidc) for an alternative configuration that Google supports). This is often displayed in your OAuth Provider as configuring a "Single Page Application (SPA)"
+- Your IdP must support the `Authorization Code with PKCE` [flow](https://www.oauth.com/oauth2-servers/pkce) (Google does not support this flow for example, but see [below](#with-secret) for an alternative configuration that Google supports). This is often displayed in your OAuth Provider as configuring a "Single Page Application (SPA)"
 - Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
 - You must provide the `OIDC`, `email`, and `profile` scopes to LangSmith.
We use these to fetch the necessary user information and email for your users.
 - You will need to set the callback URL in your IdP to `http:///oauth-callback`, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
@@ -39,13 +44,10 @@ OAUTH_ISSUER_URL=https://your-issuer-url ]} />
-Once configured, you will see a login screen like this:
-
-![LangSmith UI with OAuth SSO](../static/langsmith_ui_sso.png)
-
-## OAuth2.0 and OIDC (without PKCE)
+## With Client Secret {#with-secret}
-For providers that do _not_ support `Authorization Code with PKCE`, LangSmith Self-Hosted supports the `Autorization Code` flow with a `Client Secret`.
+For providers that do _not_ support `Authorization Code with PKCE`, LangSmith Self-Hosted supports the `Autorization Code` flow with `Client Secret`.
+In this version of the flow, your client secret is stored security in the LangSmith platform (not on the frontend) and used for authentication and establishing auth sessions.
 ### Requirements