Skip to content

feat(ui): add key creation deep-links with SSO return URL support#21065

Merged
yuneng-jiang merged 1 commit into
BerriAI:mainfrom
dibyom:feature/vkey-modal-squashed
Mar 7, 2026
Merged

feat(ui): add key creation deep-links with SSO return URL support#21065
yuneng-jiang merged 1 commit into
BerriAI:mainfrom
dibyom:feature/vkey-modal-squashed

Conversation

@dibyom

@dibyom dibyom commented Feb 12, 2026

Copy link
Copy Markdown
Contributor

Summary

Enables deep-linking directly to the key creation modal with prefilled form data via URL parameters, including support for preserving these deep-links through SSO authentication flows.

**Walk through Video**

deep-link-video-trim.mov

Key Creation Deep-links:

  • Auto-open key creation modal via ?create=true parameter
  • Prefill form fields from URL parameters (team_id, key_alias, models, etc.)
  • Role-based access control for auto-open (requires write access)
  • Race condition protection for redirect handling

Example: /ui?create=true&team_id=abc&key_alias=my-key&models=gpt-4,claude-3

SSO Return URL Preservation:

  • Cookie-based return URL storage (works across ports for SSO flows)
  • URL validation to prevent open redirect attacks
  • Support for both dev and production environments

Relevant issues

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have Added testing in the tests/litellm/ directory, Adding at least 1 test is a hard requirement - see details
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem
  • I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

CI (LiteLLM team)

CI status guideline:

  • 50-55 passing tests: main is stable with minor issues.
  • 45-49 passing tests: acceptable but needs attention
  • <= 40 passing tests: unstable; be careful with your merges and assess the risk.
  • Branch creation CI run
    Link:

  • CI run for the last commit
    Link:

  • Merge / cherry-pick CI run
    Links:

Type

🆕 New Feature
🧹 Refactoring
✅ Test

Changes

@vercel

vercel Bot commented Feb 12, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
litellm Ready Ready Preview, Comment Feb 26, 2026 8:44pm

Request Review

@CLAassistant

CLAassistant commented Feb 12, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@greptile-apps

greptile-apps Bot commented Feb 12, 2026

Copy link
Copy Markdown
Contributor

Greptile Overview

Greptile Summary

Adds deep-linking to the key creation modal via URL query parameters (e.g., ?create=true&team_id=abc&models=gpt-4) and preserves these deep-links through SSO authentication flows using cookie-based return URL storage. Also refactors formatUserRole into a shared utility.

  • URL parameter parsing with input validation and sanitization (length limits, allowlists for enum fields, team membership checks)
  • Cookie-based return URL preservation across SSO port changes, with open-redirect prevention via isValidReturnUrl
  • Race condition protection using useRef to prevent duplicate redirects
  • Deferred model prefill that waits for the available model list to load before applying
  • Good test coverage across returnUrlUtils, create_key_button prefill scenarios, and the expired-token integration test
  • Issue: The manual "Login with SSO" button on the login page does not forward the return URL to the SSO endpoint, unlike the auto-redirect SSO path — this can cause deep-link loss when users click the button manually

Confidence Score: 4/5

  • This PR is safe to merge with one minor gap in the SSO manual login button flow.
  • The changes are well-structured with proper input validation, open-redirect prevention, and race condition handling. Test coverage is good. The one functional gap (manual SSO button not forwarding return URL) is a feature incompleteness rather than a breaking issue. The indentation regression is cosmetic only.
  • Pay attention to ui/litellm-dashboard/src/app/login/LoginPage.tsx (manual SSO button missing return URL forwarding) and ui/litellm-dashboard/src/app/page.tsx (indentation regression).

Important Files Changed

Filename Overview
ui/litellm-dashboard/src/utils/returnUrlUtils.ts New utility for managing return URLs during auth flows using cookies. Includes URL validation against open redirects, dev vs production environment handling, and cookie-based storage. Well-structured with proper validation.
ui/litellm-dashboard/src/app/page.tsx Core page component updated with deep-link parsing, return URL redirect logic, and prefill data threading. Contains an indentation regression in the SidebarProvider JSX section that hurts readability.
ui/litellm-dashboard/src/app/login/LoginPage.tsx Login page updated to handle return URLs after authentication. Auto-SSO redirect and password login both respect return URLs, but the manual "Login with SSO" button does not forward the return URL.
ui/litellm-dashboard/src/components/organisms/create_key_button.tsx Added deep-link support with auto-open modal, prefill form fields, deferred model selection, and role-based access control. Proper validation of team membership and role-based owned_by restrictions.
ui/litellm-dashboard/src/app/(dashboard)/hooks/useAuthorized.ts Auth hook updated to store return URL and build login URL with redirect parameter before redirecting to login. Clean refactor using shared formatUserRole and new return URL utilities.

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant PageTSX as page.tsx
    participant LoginPage as LoginPage.tsx
    participant SSO as SSO Provider
    participant CreateKey as create_key_button.tsx

    User->>Browser: Visit /ui?create=true&team_id=abc&models=gpt-4
    Browser->>PageTSX: Load with URL params
    PageTSX->>PageTSX: Parse prefillData from URL params
    alt No valid token
        PageTSX->>PageTSX: storeReturnUrl() (cookie)
        PageTSX->>Browser: Redirect to /ui/login?redirect_to=...
        Browser->>LoginPage: Load login page
        alt Auto SSO redirect
            LoginPage->>SSO: Redirect with redirect_to param
            SSO->>Browser: Redirect back with token
            Browser->>PageTSX: Load with token
        else Password login
            LoginPage->>LoginPage: consumeReturnUrl()
            LoginPage->>Browser: Redirect to return URL
            Browser->>PageTSX: Load with token + original params
        end
    end
    PageTSX->>PageTSX: consumeReturnUrl() on auth success
    PageTSX->>CreateKey: Pass autoOpenCreate + prefillData
    CreateKey->>CreateKey: Check rolesWithWriteAccess
    CreateKey->>CreateKey: Open modal, apply prefill
    CreateKey->>CreateKey: Defer model prefill until models loaded
Loading

Last reviewed commit: 592e227

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

11 files reviewed, 2 comments

Edit Code Review Agent Settings | Greptile

Comment on lines 472 to +474
<div className="mt-2">
<SidebarProvider setPage={updatePage} defaultSelectedKey={page} sidebarCollapsed={sidebarCollapsed} />
</div>

<SidebarProvider setPage={updatePage} defaultSelectedKey={page} sidebarCollapsed={sidebarCollapsed} />
</div>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indentation regression — SidebarProvider and its wrapping </div> lost one level of indent compared to the original. Not a runtime bug (JSX doesn't care about whitespace), but it makes the nesting structure harder to follow. The SidebarProvider should be indented 20 spaces (child of mt-2 div) and </div> should be at 18 spaces.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@greptile-apps

greptile-apps Bot commented Feb 12, 2026

Copy link
Copy Markdown
Contributor
Additional Comments (1)

ui/litellm-dashboard/src/app/login/LoginPage.tsx
The manual "Login with SSO" button doesn't forward the return URL to the SSO endpoint, unlike the auto-redirect SSO path (line 49-53). If a user with a stored return URL manually clicks this button instead of being auto-redirected, the deep-link destination is lost.

Consider applying the same logic used in the auto-redirect branch:

                  onClick={() => {
                    const returnUrl = getReturnUrl();
                    let ssoUrl = `${getProxyBaseUrl()}/sso/key/generate`;
                    if (returnUrl && isValidReturnUrl(returnUrl)) {
                      ssoUrl += `?redirect_to=${encodeURIComponent(returnUrl)}`;
                    }
                    router.push(ssoUrl);
                  }}

Enables deep-linking directly to the key creation modal with prefilled
form data via URL parameters, including support for preserving these
deep-links through SSO authentication flows.

Key Creation Deep-links:
- Auto-open key creation modal via ?create=true parameter
- Prefill form fields from URL parameters (team_id, key_alias, models, etc.)
- Role-based access control for auto-open (requires write access)
- Race condition protection for redirect handling

Example: /ui?create=true&team_id=abc&key_alias=my-key&models=gpt-4,claude-3

SSO Return URL Preservation:
- Cookie-based return URL storage (works across ports for SSO flows)
- URL validation to prevent open redirect attacks
- Support for both dev and production environments

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@dibyom dibyom force-pushed the feature/vkey-modal-squashed branch from 4476305 to 518cd3e Compare February 26, 2026 20:42
@yuneng-jiang yuneng-jiang changed the base branch from main to litellm_vkey March 7, 2026 00:46
@yuneng-jiang yuneng-jiang changed the base branch from litellm_vkey to main March 7, 2026 02:08
yuneng-jiang added a commit that referenced this pull request Mar 7, 2026
@yuneng-jiang yuneng-jiang merged commit 34769fd into BerriAI:main Mar 7, 2026
28 of 30 checks passed
@dibyom dibyom deleted the feature/vkey-modal-squashed branch March 10, 2026 02:27
fzowl pushed a commit to fzowl/litellm that referenced this pull request Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants