diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py index aa5bc47df6..1a4ed3871c 100644 --- a/backend/open_webui/utils/oauth.py +++ b/backend/open_webui/utils/oauth.py @@ -1081,21 +1081,30 @@ class OAuthManager: log.debug(f'Accepted user roles: {oauth_allowed_roles}') log.debug(f'Accepted admin roles: {oauth_admin_roles}') - # If any roles are found, check if they match the allowed or admin roles + # If roles are present in the token, they must match; otherwise deny access if oauth_roles: - # If role management is enabled, and matching roles are provided, use the roles + matched = False for allowed_role in oauth_allowed_roles: - # If the user has any of the allowed roles, assign the role "user" if allowed_role in oauth_roles: log.debug('Assigned user the user role') role = 'user' + matched = True break for admin_role in oauth_admin_roles: - # If the user has any of the admin roles, assign the role "admin" if admin_role in oauth_roles: log.debug('Assigned user the admin role') role = 'admin' + matched = True break + if not matched: + log.warning( + f'OAuth role management enabled but user roles do not match any allowed/admin roles. ' + f'User roles: {oauth_roles}, allowed: {oauth_allowed_roles}, admin: {oauth_admin_roles}' + ) + raise HTTPException( + status.HTTP_403_FORBIDDEN, + detail=ERROR_MESSAGES.ACCESS_PROHIBITED, + ) else: if not user: # If role management is disabled, use the default role for new users