fix: SSO PKCE support fails in multi-pod Kubernetes deployments

[Harshit28j]

Relevant issues

Fixes PKCE SSO flow in multi-pod setups: when GENERIC_CLIENT_USE_PKCE=true, the code_verifier was stored only in the pod’s in-memory cache, so callbacks landing on another pod could not retrieve it (~50% login failures). This change uses Redis when available so any replica can complete the token exchange.

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

• I have Added testing in the tests/litellm/ directory, Adding at least 1 test is a hard requirement - see details
• My PR passes all unit tests on make test-unit
• My PR's scope is as isolated as possible, it only solves 1 specific problem

CI (LiteLLM team)

CI status guideline:

• 50-55 passing tests: main is stable with minor issues.
• 45-49 passing tests: acceptable but needs attention
• <= 40 passing tests: unstable; be careful with your merges and assess the risk.

• Branch creation CI run
  Link:

• CI run for the last commit
  Link:

• Merge / cherry-pick CI run
  Links:

Type

🐛 Bug Fix
✅ Test

Changes

Problem: With GENERIC_CLIENT_USE_PKCE=true, the PKCE code_verifier was stored only in the pod’s in-memory user_api_key_cache. In multi-pod deployments the callback often hit a different pod, which had no verifier, causing intermittent SSO failures (~50% of logins).

Fix: Use the existing Redis-backed redis_usage_cache for the PKCE verifier when it is configured, so any replica can complete the token exchange.

• litellm/proxy/management_endpoints/ui_sso.py

  • get_generic_sso_redirect_response(): When storing the code_verifier, use redis_usage_cache.set_cache(...) if redis_usage_cache is not None, otherwise keep using user_api_key_cache.set_cache(...).
  • prepare_token_exchange_parameters(): When retrieving/deleting the code_verifier, use redis_usage_cache.get_cache / delete_cache if Redis is available, otherwise keep using user_api_key_cache.
  • Typed token_params as Dict[str, Any] for mypy.

• tests/test_litellm/proxy/management_endpoints/test_ui_sso.py

  • test_pkce_redis_multi_pod_verifier_roundtrip: Fixed assertion (assert on mock_redis._store instead of .assert_called_once() on real methods). Ensures Redis path is used when available and in-memory is not.
  • test_pkce_fallback_in_memory_roundtrip_when_redis_none: New test for fallback when Redis is not configured (in-memory roundtrip on same pod).
  • test_pkce_prepare_token_exchange_returns_nothing_when_no_state: New test for request with no state (no cache access, no code_verifier).

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Ready	Preview, Comment	Feb 14, 2026 5:33am

[greptile-apps]

Greptile Overview

Greptile Summary

Fixes PKCE SSO login failures in multi-pod Kubernetes deployments by using Redis instead of in-memory cache for the code_verifier storage.

Key Changes:

• When redis_usage_cache is available, PKCE verifiers are stored in Redis with json.dumps() serialization, allowing any pod to retrieve them during the OAuth callback
• Falls back to in-memory user_api_key_cache when Redis is not configured (single-pod deployments)
• Comprehensive test coverage for both Redis multi-pod scenario and in-memory fallback
• Code properly handles the string serialization: json.dumps() when storing to Redis, and the value is automatically json.loads() when retrieved via RedisCache._get_cache_logic()

Impact:

• Resolves ~50% SSO login failure rate in multi-pod setups where callbacks landed on a different pod than where the login was initiated
• Maintains backward compatibility for single-pod deployments
• No performance concerns: uses existing redis_usage_cache infrastructure designed for cross-pod data sharing

Confidence Score: 5/5

• Safe to merge - well-tested bug fix that solves a critical multi-pod SSO issue with proper fallback handling
• The implementation correctly addresses the multi-pod PKCE issue by using Redis for shared state. The serialization logic (json.dumps on store, automatic json.loads on retrieve via RedisCache) is correct. Comprehensive tests cover both Redis and fallback scenarios. The change is isolated to PKCE flow and maintains backward compatibility.
• No files require special attention

Important Files Changed

Filename	Overview
litellm/proxy/management_endpoints/ui_sso.py	Adds Redis-backed PKCE verifier storage for multi-pod SSO. When redis_usage_cache is available, uses it instead of in-memory cache, fixing ~50% login failures in multi-pod deployments. Fallback to in-memory cache preserved for single-pod setups.
tests/test_litellm/proxy/management_endpoints/test_ui_sso.py	Adds comprehensive PKCE tests: Redis multi-pod roundtrip, in-memory fallback when Redis unavailable, and no-state edge case. Tests verify verifiers are stored/retrieved correctly and consumed after use (single-use token).

Sequence Diagram

sequenceDiagram
    participant User
    participant Pod_A as Pod A (Login)
    participant Redis
    participant InMemory as In-Memory Cache
    participant Pod_B as Pod B (Callback)
    participant IdP as Identity Provider

    Note over User,IdP: Multi-Pod Deployment (With Redis)
    
    User->>Pod_A: GET /sso/generic/login
    Pod_A->>Pod_A: Generate code_verifier (PKCE)
    Pod_A->>Pod_A: Generate code_challenge
    
    alt redis_usage_cache is not None
        Pod_A->>Redis: set_cache("pkce_verifier:state", json.dumps(code_verifier), ttl=600)
        Note over Redis: Verifier stored in Redis<br/>(accessible by all pods)
    else redis_usage_cache is None
        Pod_A->>InMemory: set_cache("pkce_verifier:state", code_verifier, ttl=600)
        Note over InMemory: Verifier stored in pod-local memory<br/>(single-pod only)
    end
    
    Pod_A->>User: 302 Redirect to IdP with code_challenge
    User->>IdP: Authorization request with code_challenge
    IdP->>User: 302 Redirect to callback with code
    User->>Pod_B: GET /sso/callback?code=...&state=...
    
    Pod_B->>Pod_B: Extract state from query params
    
    alt redis_usage_cache is not None
        Pod_B->>Redis: get_cache("pkce_verifier:state")
        Redis->>Pod_B: json.loads(stored_value) → code_verifier
        Pod_B->>Redis: delete_cache("pkce_verifier:state")
        Note over Redis: ✅ Multi-pod: Pod B retrieves<br/>verifier stored by Pod A
    else redis_usage_cache is None
        Pod_B->>InMemory: get_cache("pkce_verifier:state")
        InMemory->>Pod_B: code_verifier (if same pod)
        Pod_B->>InMemory: delete_cache("pkce_verifier:state")
        Note over InMemory: ⚠️ Multi-pod: ~50% failure<br/>if callback hits different pod
    end
    
    Pod_B->>IdP: Token exchange with code + code_verifier
    IdP->>Pod_B: Access token + user info
    Pod_B->>User: SSO login success

Loading

[greptile-apps]

_{2 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[Harshit28j]

@greptile please review this

[greptile-apps]

Greptile Overview

Greptile Summary

Fixes PKCE SSO flow in multi-pod Kubernetes deployments by storing the code_verifier in Redis (via redis_usage_cache) instead of only in the pod's in-memory cache, allowing any replica to complete the OAuth token exchange. Falls back to in-memory cache when Redis is not configured.

• The core production code change in ui_sso.py is sound: it correctly branches on redis_usage_cache is not None for both store and retrieve paths, and makes prepare_token_exchange_parameters async.
• Double serialization bug: json.dumps(code_verifier) is passed to redis_usage_cache.async_set_cache, which internally calls json.dumps() again. This accidentally works because retrieval's json.loads() unwraps one layer back to a string, but it's fragile and inconsistent with the rest of the codebase.
• Test issues: All three new PKCE tests are broken — they call the now-async prepare_token_exchange_parameters without await, and the mock Redis/in-memory objects define sync method names (set_cache, get_cache) while the production code calls async variants (async_set_cache, async_get_cache). These tests need to be fixed before merging.

Confidence Score: 2/5

• The production code logic is correct in concept but the tests are broken and cannot validate the fix; needs revision before merge.
• The core idea (Redis for multi-pod PKCE) is valid and the production branching logic is correct. However: (1) double JSON serialization is fragile, (2) all three new tests have missing await on the async function, and (3) mock objects expose sync methods while production calls async methods — meaning the tests don't actually exercise the code paths they claim to test.
• Pay close attention to tests/test_litellm/proxy/management_endpoints/test_ui_sso.py — three new tests are non-functional due to missing await and wrong mock method names. Also review the json.dumps() call at litellm/proxy/management_endpoints/ui_sso.py:1726.

Important Files Changed

Filename	Overview
litellm/proxy/management_endpoints/ui_sso.py	Core PKCE fix: uses Redis for cross-pod code_verifier storage. Logic is correct but has unnecessary json.dumps() causing double serialization (works accidentally). Also includes formatting cleanups and async conversion of prepare_token_exchange_parameters.
tests/test_litellm/proxy/management_endpoints/test_ui_sso.py	Three new PKCE tests have critical issues: missing await on now-async prepare_token_exchange_parameters, and mock classes define sync methods while production code calls async variants. Tests will either error or silently pass without validating the intended behavior.

Sequence Diagram

sequenceDiagram
    participant User
    participant PodA as Pod A (Login)
    participant Redis as Redis Cache
    participant PodB as Pod B (Callback)
    participant IdP as SSO Provider

    User->>PodA: Initiate SSO login
    PodA->>PodA: Generate PKCE verifier and challenge
    PodA->>Redis: Store verifier with state as cache key
    PodA->>User: Redirect to IdP with challenge

    User->>IdP: Authenticate with provider
    IdP->>User: Redirect back with authorization code

    User->>PodB: Callback lands on different pod
    PodB->>Redis: Retrieve verifier using state
    Redis-->>PodB: Return verifier
    PodB->>IdP: Token exchange with verifier
    IdP-->>PodB: Return access token
    PodB->>Redis: Delete consumed verifier
    PodB->>User: SSO login complete

Loading

_{Last reviewed commit: 1792b3c}

[greptile-apps]

_{2 files reviewed, 6 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Greptile Overview

Greptile Summary

Fixes PKCE SSO flow in multi-pod Kubernetes deployments by storing the code_verifier in redis_usage_cache (when available) instead of only in the pod-local user_api_key_cache. This ensures any pod can complete the OAuth token exchange on callback. The production code changes in ui_sso.py are correct and well-structured.

• The core fix correctly branches on redis_usage_cache is not None to use Redis for cross-pod verifier storage, with graceful fallback to in-memory cache
• prepare_token_exchange_parameters was correctly made async to support await on async cache methods
• All three new tests are broken: they call the now-async prepare_token_exchange_parameters without await, and mock sync cache methods (set_cache, get_cache) instead of the async methods (async_set_cache, async_get_cache) that the production code actually calls. These tests will either fail or pass vacuously without testing real behavior.
• Formatting/whitespace cleanup throughout is fine

Confidence Score: 2/5

• Production code fix is correct, but all new tests are broken and do not validate the fix
• The production code changes are sound and address the multi-pod PKCE issue correctly. However, all three new tests have critical bugs (missing await, wrong mock methods) that mean they either fail at runtime or pass without actually testing the intended behavior. The PR's claim of test coverage is not backed by working tests.
• tests/test_litellm/proxy/management_endpoints/test_ui_sso.py - all three new PKCE tests need fixes for missing await and incorrect mock method names

Important Files Changed

Filename	Overview
litellm/proxy/management_endpoints/ui_sso.py	Core fix is sound: PKCE code_verifier now uses Redis when available for multi-pod SSO. Correctly uses async cache methods. Formatting/whitespace cleanup included.
tests/test_litellm/proxy/management_endpoints/test_ui_sso.py	Three new tests have critical bugs: missing await on async prepare_token_exchange_parameters, and mock objects define sync methods instead of the async methods the production code actually calls. Tests will fail or silently pass without exercising real code paths.

Sequence Diagram

sequenceDiagram
    participant User
    participant PodA as Pod A (Login)
    participant Redis as Redis Cache
    participant PodB as Pod B (Callback)
    participant IdP as SSO IdP

    User->>PodA: GET /sso/login
    PodA->>PodA: Generate PKCE code_verifier + code_challenge
    PodA->>Redis: async_set_cache(pkce_verifier:{state}, verifier, ttl=600)
    PodA->>User: Redirect to IdP (with code_challenge, state)
    User->>IdP: Authenticate
    IdP->>PodB: Callback with auth code + state
    PodB->>Redis: async_get_cache(pkce_verifier:{state})
    Redis-->>PodB: code_verifier
    PodB->>IdP: Token exchange (code + code_verifier)
    IdP-->>PodB: Access token
    PodB->>Redis: async_delete_cache(pkce_verifier:{state})
    PodB->>User: SSO login complete

Loading

_{Last reviewed commit: bc5543c}

[greptile-apps]

_{2 files reviewed, 5 comments}

_{Edit Code Review Agent Settings | Greptile}

[Harshit28j]

Verification process:

Created have a DockerCompose file that starts services for testing SSO PKCE in a multi-pod environment:

• Redis (for storing PKCE verifiers)
• Postgres (for database)
• Mock OAuth2 server (acts as a fake SSO provider)
• litellm-pod-a and litellm-pod-b (two instances for proxy, simulating multiple pods)

[greptile-apps]

Greptile Overview

Greptile Summary

Fixes PKCE SSO flow in multi-pod Kubernetes deployments by storing the code_verifier in redis_usage_cache (when available) instead of only in the pod-local user_api_key_cache. Also changes prepare_token_exchange_parameters from sync to async to support awaitable cache operations.

• Production code (ui_sso.py): Correctly branches on redis_usage_cache is not None for set/get/delete of the PKCE verifier. Switched from sync set_cache/get_cache/delete_cache to async variants. The caller in get_generic_sso_response now properly awaits the result.
• Tests (test_ui_sso.py): Three new tests cover the Redis roundtrip, in-memory fallback, and no-state edge case. All three are properly async. However, the MockRedisCache doesn't replicate real RedisCache serialization (json.dumps on set), causing a test assertion (json.loads(stored_value)) to fail at runtime.
• Includes formatting cleanups (Black reformatting) and removal of unused imports/print statements across existing tests.

Confidence Score: 3/5

• Production code logic is correct, but the new test has a runtime assertion failure that needs fixing before merge.
• The core fix in ui_sso.py is well-structured and correctly addresses the multi-pod PKCE issue. However, the MockRedisCache in the test doesn't faithfully replicate Redis serialization behavior, causing json.loads(stored_value) on line 3208 to fail at runtime with a JSONDecodeError. This needs to be fixed to ensure the tests actually pass and validate the intended behavior.
• tests/test_litellm/proxy/management_endpoints/test_ui_sso.py - MockRedisCache serialization mismatch and failing assertion on line 3208

Important Files Changed

Filename	Overview
litellm/proxy/management_endpoints/ui_sso.py	Core PKCE fix: stores code_verifier in Redis when available for multi-pod SSO. Changed sync cache ops to async, made prepare_token_exchange_parameters async. Logic is correct. Includes formatting cleanups.
tests/test_litellm/proxy/management_endpoints/test_ui_sso.py	Three new PKCE tests added. Tests now correctly use async/await and async mock methods (addressing earlier review feedback). However, MockRedisCache doesn't faithfully replicate real RedisCache serialization, and one assertion will fail at runtime.

Sequence Diagram

sequenceDiagram
    participant User
    participant PodA as Pod A (Login)
    participant Redis as Redis Cache
    participant PodB as Pod B (Callback)
    participant IdP as SSO Identity Provider

    User->>PodA: GET /sso/login
    PodA->>PodA: Generate PKCE code_verifier + code_challenge
    PodA->>Redis: async_set_cache(pkce_verifier:{state}, code_verifier, ttl=600)
    PodA->>User: Redirect to IdP with code_challenge + state
    User->>IdP: Authenticate
    IdP->>User: Redirect to callback with auth code + state
    User->>PodB: GET /sso/callback?code=...&state=...
    PodB->>Redis: async_get_cache(pkce_verifier:{state})
    Redis-->>PodB: code_verifier
    PodB->>Redis: async_delete_cache(pkce_verifier:{state})
    PodB->>IdP: Exchange code + code_verifier for token
    IdP-->>PodB: Access token
    PodB->>User: Set session cookie, redirect to dashboard

Loading

_{Last reviewed commit: e084638}

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Greptile Overview

Greptile Summary

This PR fixes PKCE SSO flow failures in multi-pod Kubernetes deployments by storing the code_verifier in redis_usage_cache (when Redis is available) instead of only in the pod-local user_api_key_cache. This ensures that any pod receiving the OAuth callback can retrieve the verifier. The fallback to in-memory cache is preserved for single-pod/no-Redis setups. The prepare_token_exchange_parameters method is now async to support awaiting the Redis cache calls.

• Multi-pod fix: get_generic_sso_redirect_response and prepare_token_exchange_parameters now use redis_usage_cache (async methods) when available, falling back to user_api_key_cache.
• Test coverage: Three new tests verify the Redis round-trip, the in-memory fallback, and the no-state edge case. Previous review feedback regarding missing await, wrong mock method names, and JSON serialization in the mock has been addressed.
• Bug in test: The assertion checking len(stored_value) == 43 on the JSON-serialized value in test_pkce_redis_multi_pod_verifier_roundtrip will fail at runtime because json.dumps() adds 2 quote characters to the stored string.

Confidence Score: 3/5

• The production code change is correct and addresses a real multi-pod SSO issue, but the test suite has a failing assertion that should be fixed before merging.
• The core production logic is sound — using Redis for the PKCE code_verifier in multi-pod deployments is the right approach, and the async method usage is correct. However, the test has a length assertion bug that will cause a test failure. Previous review rounds have been largely addressed (async/await, mock method naming, JSON serialization), but one assertion inconsistency remains.
• tests/test_litellm/proxy/management_endpoints/test_ui_sso.py — the len(stored_value) == 43 assertion on line 3208 needs correction.

Important Files Changed

Filename	Overview
litellm/proxy/management_endpoints/ui_sso.py	Core fix: PKCE code_verifier storage switched from in-memory-only to Redis-backed (when available) for multi-pod support, with proper async method usage. Also includes formatting cleanup and the Literal import addition.
tests/test_litellm/proxy/management_endpoints/test_ui_sso.py	Three new PKCE tests added with proper async/await usage. MockRedisCache now uses async methods with JSON serialization. One test assertion (len(stored_value) == 43) will fail because it checks the JSON-serialized length instead of the deserialized value length.

Sequence Diagram

sequenceDiagram
    participant User
    participant PodA as Pod A (Login)
    participant Redis as Redis Cache
    participant PodB as Pod B (Callback)
    participant IdP as SSO Identity Provider

    User->>PodA: GET /sso/login
    PodA->>PodA: Generate PKCE code_verifier + code_challenge
    PodA->>Redis: async_set_cache(pkce_verifier:{state}, code_verifier, ttl=600)
    PodA->>User: Redirect to IdP with code_challenge & state
    User->>IdP: Authenticate
    IdP->>User: Redirect to callback with auth code & state
    User->>PodB: GET /sso/callback?code=...&state=...
    PodB->>Redis: async_get_cache(pkce_verifier:{state})
    Redis-->>PodB: code_verifier
    PodB->>Redis: async_delete_cache(pkce_verifier:{state})
    PodB->>IdP: Token exchange with code + code_verifier
    IdP-->>PodB: Access token
    PodB->>User: Set JWT cookie, redirect to dashboard

Loading

_{Last reviewed commit: c56bbb9}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[Harshit28j]

@greptile please review this?

[greptile-apps]

Greptile Overview

Greptile Summary

This PR fixes PKCE SSO failures in multi-pod Kubernetes deployments by switching code_verifier storage from in-memory user_api_key_cache to Redis-backed redis_usage_cache when available. Previously, the PKCE verifier was stored only in the local pod's in-memory cache, causing ~50% login failures when the OAuth callback landed on a different pod.

• Core fix: get_generic_sso_redirect_response() and prepare_token_exchange_parameters() now prefer redis_usage_cache (a RedisCache instance) for storing/retrieving/deleting the PKCE verifier, falling back to user_api_key_cache (DualCache) when Redis is not configured.
• Async conversion: prepare_token_exchange_parameters() changed from sync to async to support await on async cache methods; the call site in get_generic_sso_response() correctly adds await.
• Tests: Three new test cases cover the Redis multi-pod roundtrip, the in-memory fallback, and the no-state edge case. Existing tests updated to use AsyncMock and await.
• Formatting: Significant whitespace/formatting cleanup throughout the test file (trailing whitespace, print() removal, line-length reformatting). These are cosmetic but improve consistency.

Confidence Score: 4/5

• This PR is safe to merge with minimal risk; it correctly addresses the multi-pod PKCE failure using existing Redis infrastructure.
• The core logic change is sound: Redis serialization roundtrip (json.dumps in async_set_cache / json.loads in async_get_cache) correctly handles plain string code_verifier values. The async conversion is properly applied at both the definition and call site. Tests cover the three key scenarios (Redis roundtrip, in-memory fallback, no-state). The bulk of the diff is formatting cleanup. Score reduced from 5 to 4 because two pre-existing tests were updated for async but don't explicitly mock redis_usage_cache, creating a minor fragility.
• No files require special attention beyond the minor test fragility noted in comments.

Important Files Changed

Filename	Overview
litellm/proxy/management_endpoints/ui_sso.py	Core PKCE fix: stores/retrieves code_verifier via Redis when available, falls back to in-memory cache. Async conversion of prepare_token_exchange_parameters() is correct. Serialization roundtrip is sound (RedisCache handles json.dumps/loads internally). Minor formatting changes.
tests/test_litellm/proxy/management_endpoints/test_ui_sso.py	Three new PKCE tests (Redis roundtrip, in-memory fallback, no-state). Existing tests updated for async. MockRedisCache correctly replicates json.dumps/loads behavior. Large amount of formatting-only changes.

Sequence Diagram

sequenceDiagram
    participant User
    participant PodA as Pod A (Login)
    participant PodB as Pod B (Callback)
    participant Redis as Redis Cache
    participant IdP as SSO Identity Provider

    User->>PodA: GET /sso/key/generate
    PodA->>PodA: Generate PKCE code_verifier + code_challenge
    PodA->>Redis: async_set_cache(pkce_verifier:{state}, code_verifier, ttl=600)
    PodA->>User: Redirect to IdP with code_challenge + state
    User->>IdP: Authenticate
    IdP->>User: Redirect to /sso/callback?state=...&code=...
    User->>PodB: GET /sso/callback?state=...&code=...
    PodB->>PodB: prepare_token_exchange_parameters()
    PodB->>Redis: async_get_cache(pkce_verifier:{state})
    Redis-->>PodB: code_verifier
    PodB->>Redis: async_delete_cache(pkce_verifier:{state})
    PodB->>IdP: Token exchange with code + code_verifier
    IdP-->>PodB: Access token
    PodB->>User: JWT cookie + redirect to dashboard

Loading

_{Last reviewed commit: 37fc4a3}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}