Skip to main content

SSO

OAuth2.0 and OIDC (PKCE)

LangSmith Self-Hosted provides SSO via OAuth2.0 and OIDC. Once configured, this will delegate authentication to your Identity Provider(IdP) to manage access to LangSmith.

Our implementation supports almost anything that is OIDC compliant, with a few exceptions.

Requirements

There are a couple of requirements for using OAuth SSO with LangSmith:

  • Your IdP must support the Authorization Code with PKCE flow (Google does not support this flow for example, but see below for an alternative configuration that Google supports). This is often displayed in your OAuth Provider as configuring a "Single Page Application (SPA)"
  • Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
  • You must provide the OIDC, email, and profile scopes to LangSmith. We use these to fetch the necessary user information and email for your users.
  • You will need to set the callback URL in your IdP to http://<host>/oauth-callback, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
  • You will need to provide the oauthClientId and oauthIssuerUrl in your values.yaml file. This is where you will configure your LangSmith instance.
config:
  oauth:
    enabled: true
    oauthClientId: <YOUR CLIENT ID>
    oauthIssuerUrl: <YOUR DISCOVERY URL>

Once configured, you will see a login screen like this:

LangSmith UI with OAuth SSO

OAuth2.0 and OIDC (without PKCE)

For providers that do not support Authorization Code with PKCE, LangSmith Self-Hosted supports the Autorization Code flow with a Client Secret.

Requirements

note

You may upgrade a basic auth installation to this mode, but not a none auth installation. In order to upgrade, simply remove the basic auth configuration and add the required configuration parameters as shown below. Users may then login via OAuth only.

danger

LangSmith does not support moving from SSO to basic auth mode in self-hosted at the moment.

  • Your IdP must support the Authorization Code flow without PKCE.
  • Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
  • You must provide the OIDC, email, and profile scopes to LangSmith. We use these to fetch the necessary user information and email for your users.
  • You will need to set the callback URL in your IdP to http://<host>/api/v1/oauth/custom-oidc/callback, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
  • You will need to provide the oauthClientId, oauthClientSecret, hostname, and oauthIssuerUrl in your values.yaml file. This is where you will configure your LangSmith instance.
config:
  authType: mixed
  hostname: https://langsmith.example.com
  oauth:
    enabled: true
    oauthClientId: <YOUR CLIENT ID>
    oauthClientSecret: <YOUR CLIENT SECRET>
    oauthIssuerUrl: <YOUR DISCOVERY URL>

Was this page helpful?


You can leave detailed feedback on GitHub.