Files
litellm/tests
michelligabriele f4a0b80a25 fix(sso): extract user roles from JWT access token for Keycloak compatibility (#20591)
Keycloak (and similar OIDC providers) include role claims in the JWT
access token but not in the UserInfo endpoint response. Previously,
roles were only extracted from UserInfo, causing all SSO users to
default to internal_user_view_only regardless of their actual role.

Changes:
- Extract user roles from JWT access token in process_sso_jwt_access_token()
  when UserInfo doesn't provide them (tries role_mappings first, then
  GENERIC_USER_ROLE_ATTRIBUTE)
- Handle list-type role values in get_litellm_user_role() since Keycloak
  returns roles as arrays (e.g. ["proxy_admin"] instead of "proxy_admin")
- Add 9 new unit tests covering role extraction and list handling
- Update 3 existing tests for new JWT decode behavior

Closes #20407
2026-02-06 16:05:51 -08:00
..
2026-01-20 18:37:56 +05:30
2026-01-11 08:00:31 -08:00
2026-01-31 19:08:07 -08:00
2026-02-05 21:44:00 -08:00
2026-01-22 10:50:23 -08:00
2026-01-02 17:38:52 +09:00
2026-01-22 15:21:44 -08:00
2026-02-05 09:40:21 +05:30

In total litellm runs 1000+ tests

[02/20/2025] Update:

To make it easier to contribute and map what behavior is tested,

we've started mapping the litellm directory in tests/test_litellm

This folder can only run mock tests.