Skip to content

docs(token_auth): document team_claim_fallback opt-in flag #237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
milan-berri wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs(token_auth): document team_claim_fallback opt-in flag #237

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions docs/proxy/token_auth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,36 @@ curl -X POST 'http://0.0.0.0:4000/v1/chat/completions' \
- If no header is provided, LiteLLM auto-selects the first team with access to the requested model


### Fall back to DB team when JWT claims don't resolve

By default, when `team_id_jwt_field` or `team_ids_jwt_field` is configured and the JWT carries a claim value that does **not** map to any LiteLLM team, LiteLLM raises an error — the claim is treated as authoritative.

For deployments where the IdP team claim is **advisory** (e.g. machine tokens whose `groups` claim lives in a separate namespace from LiteLLM `team_id`s), opt in to a fallback: if the configured claim is present but unresolved, LiteLLM defers to the user's single LiteLLM team (when the user belongs to exactly one team in the DB).

```yaml
general_settings:
enable_jwt_auth: True
litellm_jwtauth:
user_id_jwt_field: "sub"
team_ids_jwt_field: "groups"
team_claim_fallback: true # 👈 opt in
```

**Behavior:**

| Trigger | Default (`team_claim_fallback: false`) | Opt-in (`team_claim_fallback: true`) |
|---|---|---|
| `team_id` claim resolves to a real team | 200 / use team | 200 / use team |
| `team_id` claim present, team missing in DB | raise | defer → fallback to user's single DB team |
| `team_alias` claim resolves | 200 / use team | 200 / use team |
| `groups` claim resolves and team grants model | 200 | 200 |
| `groups` claim resolves but team lacks model | 403 (preserved) | 403 (preserved) |
| `groups` claim present, none resolve to a real team | 403 | defer → fallback to user's single DB team |
| no claim at all (single-team fallback baseline) | 200 / fallback | 200 / fallback |

**Security envelope:** the fallback only resolves when the user belongs to exactly one LiteLLM team in the DB; non-404 errors (e.g. `"No DB Connected"`) always propagate. Keep the default (`false`) if your IdP team claims are authoritative for authorization.


### Custom JWT Validate

Validate a JWT Token using custom logic, if you need an extra way to verify if tokens are valid for LiteLLM Proxy.
Expand Down