[GH-ISSUE #7102] enh: user groups based on oauth group #101601

Closed
opened 2026-05-17 23:04:51 -05:00 by GiteaMirror · 26 comments

Originally created by @tkg61 on GitHub (Nov 20, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/7102

Feature Request

Building on the user groups features in 0.4.0 and the work talked about in discussion #5897:

Could we have the ability to map SSO group membership to groups created in Openwebui at the time of logon?


Describe the solution you'd like

  • User is already in Oauth backend and is a member of N number of groups
  • When a user logs in, their group membership in Oauth is compared against the group names in openwebui
    • If there is a matching group name, the user is added.
    • If a user was previously in a group and has been removed on the oauth side, they would lose access to that group in openwebui as well
  • A User will have access to all the matching groups, there is no approval for joining a group except for what has already been approved/done on the oauth side.

Having this done by the system and a env/ui flag to turn this on and off will ease the administrative burden for larger implementations of openwebui.

This feature would also remove the complication that might arise from multiple frontends and concurrency issues with automation scripts that might come up if these group membership settings don't persist between frontend instances of openwebui (e.g. 5 openwebui containers running all with the same postgres backend).

Describe alternatives you've considered
A script that runs nightly to map users to groups, or something based on automation via a ticketing system, but it would be tedious and removals would be difficult to manage.


@PieterBecking commented on GitHub (Nov 27, 2024):

Would be super helpful!


@a3957273 commented on GitHub (Jan 21, 2025):

This seems to have been completed as part of the linked PR. It isn't currently documented, but does appear to work on the latest release.


@maioranisimone commented on GitHub (Jan 23, 2025):

Hello everyone, I have read the discussion and I am not sure I understand it well. Is it currently possible to create an OAuth group, for example named marketing, and assign a user to that group so that when they log in to openwebui they are inside that group without having to be added via the openwebui admin panel? I was only able to create role groups, for example an OAuth admin group. Also, in case it is possible, does the group in openwebui still have to be created manually first, or would it be created automatically for the first user with a new group?


@tkg61 commented on GitHub (Jan 24, 2025):

You have to create the group via the API or web UI, but if the name matches the OAuth group, then users will be auto-added.

Edit: You wouldn't want auto-created groups because some organizations have users with over 100 groups and it would just get messy.


@maioranisimone commented on GitHub (Jan 24, 2025):

I create a group named "marketing" in my Keycloak and assign a user to it. Then I log in to OWUI with this account via OIDC, but they are not automatically added to the group.


@tkg61 commented on GitHub (Jan 24, 2025):

> I create a group named "marketing" in my Keycloak and assign a user to it. Then I log in to OWUI with this account via OIDC, but they are not automatically added to the group.

Did you enable the environment variable for this? The group name matching is case sensitive as well I believe

ENABLE_OAUTH_GROUP_MANAGEMENT=true


@maioranisimone commented on GitHub (Feb 3, 2025):

Yes, I did. I'm using environment variables for OAuth management. For role management, OpenWebUI correctly reads the value from the ID token; however, for group management it does not. I performed a token introspection and confirmed that the value is in the correct position, but when I log in to OWUI, the user is not automatically assigned to the group. I'm using Keycloak.


@wincentek commented on GitHub (Feb 11, 2025):

I can't get this to work either using OAuth.
ENABLE_OAUTH_SIGNUP=True
ENABLE_OAUTH_GROUP_MANAGEMENT=True

(and also OAUTH_MERGE_ACCOUNTS_BY_EMAIL=True)

User(s) can log in. The default user role ('user') is applied, but I can't make any automatic OAuth group assignments. I also tried creating groups manually using the same name, but no go.

Do any other environment variables need to be set for this to work?

Thanks :)


@moellert commented on GitHub (Feb 11, 2025):

I had to change the client config in keycloak and make the group claim a default instead of being optional.
Maybe this helps others.
Also this is indeed no group import, just a mapping for existing groups.


@tarmst commented on GitHub (Feb 11, 2025):

I added some additional debug logging for group management here in case it helps: https://github.com/open-webui/open-webui/pull/9620


@thiDucTran commented on GitHub (Feb 13, 2025):

EDIT: please ignore my comment...TLDR: oauth group management would work with both group's names and group's object IDs

Hi, in our Dex , we specify for group IDs instead of group names, using the configuration option groupNameFormat: id (link) . Would group IDs work whenever this is officially rolled out?

dex time=2025-02-13T15:40:45.578Z level=INFO msg="login successful" connector_id=microsoft username="Thi Tran" preferred_username="" email=thi.tran@abc.com groups="[2ae34fa-ff66-4c93-8b53-a9a4a114ff18 4ce8587f-3ce7-44cc-9ee2-2886de691646 2db907fb-fd40-4fa5-912c-35e02119683a[]" request_id=23de3c6c-65e5-437e-aaac-bd2a81651398

From below, can confirm that with ENABLE_OAUTH_GROUP_MANAGEMENT=true and if the same group name exists in open-webui...then said oauth user will be automatically added to the matched oauth group names

DEBUG [open_webui.utils.oauth] User oauth groups: ['InfraTeam']
DEBUG [open_webui.utils.oauth] User's current groups: []
DEBUG [open_webui.utils.oauth] All groups available in OpenWebUI: ['InfraTeam']
DEBUG [open_webui.utils.oauth] Adding user to group InfraTeam as it was found in their oauth groups

nevermind... same flow would also work when we switch to group IDs

DEBUG [open_webui.utils.oauth] Running OAUTH Group management
DEBUG [open_webui.utils.oauth] Oauth Groups claim: groups
DEBUG [open_webui.utils.oauth] User oauth groups: ['2ae834fa-ff66-4c93-8b53-a9a4a114ff18', '4ce8587f-3ce7-44cc-9ee2-2886de691646', 'ed605cd2-ec19-4dee-a1d0-cdab649838dc
DEBUG [open_webui.utils.oauth] User's current groups: []
DEBUG [open_webui.utils.oauth] All groups available in OpenWebUI: ['2ae834fa-ff66-4c93-8b53-a9a4a114ff18', 'InfraTeam']
DEBUG [open_webui.utils.oauth] Adding user to group 2ae834fa-ff66-4c93-8b53-a9a4a114ff18 as it was found in their oauth groups

@sir3mat commented on GitHub (Feb 19, 2025):

Roles are handled correctly for this scenario thanks to this code
https://github.com/open-webui/open-webui/blob/3f3a5bb0ab8ce3425f317f1e57b084523aa2b2a5/backend/open_webui/utils/oauth.py#L102

But groups are loaded like this
https://github.com/open-webui/open-webui/blob/3f3a5bb0ab8ce3425f317f1e57b084523aa2b2a5/backend/open_webui/utils/oauth.py#L143

Due to this, the OAUTH_GROUPS_CLAIM can only be "groups"

If the JWT is like this (with a nested structure for OAUTH_GROUPS_CLAIM), then groups are not loaded correctly. For roles it works fine.

{
  ....
  "resource_access": {
    "openwebui": {
      "roles": [
        "user"
      ],
      "groups": [
        "marketing"
      ]
    }
  },
  "email_verified": false,
  "name": "user",
  "preferred_username": "user",
  "given_name": "user",
  "family_name": "user",
  "email": "user@emailcom"
}

@tarmst commented on GitHub (Feb 19, 2025):

@sir3mat You're right -- I'll get started on a PR.


@brandonrich commented on GitHub (Apr 4, 2025):

Very excited about this and have been testing it out. Two things:

  1. it looks like it will not create a new Open WebUI group; rather, I have to create the group in advance. Can you have Open WebUI create groups if it encounters a new one?
  2. If you remove the user's last oauth group, Open WebUI fails to remove that group. See below for why.
2025-04-04 00:49:58.179 | DEBUG | open_webui.utils.oauth:update_user_groups:140 - Running OAUTH Group management - {}
2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:155 - Oauth Groups claim: groups - {}
2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:156 - User oauth groups: [] - {}
2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:157 - User's current groups: ['openwebui_uganda_project'] - {}
2025-04-04 00:49:58.184 | DEBUG | open_webui.utils.oauth:update_user_groups:158 - All groups available in OpenWebUI: ['openwebui_uganda_project'] - {}

The next log statement, "Removing user from group..." never occurs. This is because when I remove the last group in my IdP, the "groups" claim in the JWT is fully removed. So the first part of the if statement here fails because user_oauth_groups is an empty set, as shown above in the log output.

(utils/oauth.py)

        # Remove groups that user is no longer a part of
        for group_model in user_current_groups:
            if user_oauth_groups and group_model.name not in user_oauth_groups:
                # Remove group from user
                log.debug(
                    f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
                )


@rgaricano commented on GitHub (Apr 4, 2025):

feat: Allow some way of manual group assignments when using OAUTH_GROUP_MANAGEMENT https://github.com/open-webui/open-webui/issues/12392#issuecomment-2776417604


@tkg61 commented on GitHub (Apr 4, 2025):

> Very excited about this and have been testing it out. Two things:
>
>   1. it looks like it will not create a new Open WebUI group; rather, I have to create the group in advance. Can you have Open WebUI create groups if it encounters a new one?
>   2. If you remove the user's last oauth group, Open WebUI fails to remove that group. See below for why.
>
> 2025-04-04 00:49:58.179 | DEBUG | open_webui.utils.oauth:update_user_groups:140 - Running OAUTH Group management - {}
> 2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:155 - Oauth Groups claim: groups - {}
> 2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:156 - User oauth groups: [] - {}
> 2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:157 - User's current groups: ['openwebui_uganda_project'] - {}
> 2025-04-04 00:49:58.184 | DEBUG | open_webui.utils.oauth:update_user_groups:158 - All groups available in OpenWebUI: ['openwebui_uganda_project'] - {}
>
> The next log statement, "Removing user from group..." never occurs. This is because when I remove the last group in my IdP, the "groups" claim in the JWT is fully removed. So the first part of the if statement here fails because user_oauth_groups is an empty set, as shown above in the log output.
>
> (utils/oauth.py)
>
>         # Remove groups that user is no longer a part of
>         for group_model in user_current_groups:
>             if user_oauth_groups and group_model.name not in user_oauth_groups:
>                 # Remove group from user
>                 log.debug(
>                     f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
>                 )

I know one of the main issues with OWUI creating groups is that some users in enterprise environments will have over 100 groups per user, and unless it is filtered beforehand (not as easy with straight LDAP) then you'd have a lot of clutter.

One idea could be to look for a prefix that is configured in OWUI and any group with said prefix would get created but that also has its limitations

Creating the groups via api is possible now as well to help onboard :)


@Ithanil commented on GitHub (Apr 4, 2025):

I would advocate for a whitelist of groups to be managed by this feature (and these should then also be created automatically): https://github.com/open-webui/open-webui/issues/12392
It could just be another env variable. Because in some cases such a whitelist might become lengthy, one could also think about supporting regex.

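
The mapping logic this thread keeps circling back to, as an added example that is not Open WebUI's code: it follows the algorithm the issue asks for (match claim values against existing group names on every login, add and remove accordingly), resolves a dotted claim path so the nested `resource_access.openwebui.groups` layout from @sir3mat's token works alongside a flat `groups` claim, treats a missing claim as an empty set so the last membership is revoked (the case @brandonrich traced in update_user_groups), and takes an optional glob allowlist in the spirit of the prefix/whitelist idea from @tkg61 and @Ithanil for just-in-time group creation. `get_claim`, `GroupStore` and `sync_user_groups` are hypothetical names, the in-memory store stands in for the real group table, and the ID-token payloads in the demo are constructed.

```python
"""
Added example, not Open WebUI's code: OIDC group-claim -> local group sync.

Hypothetical names (get_claim, GroupStore, sync_user_groups) and a constructed
in-memory store stand in for the real group table.  Behaviour follows the
thread: exact, case-sensitive name matching; nested (dotted) claim paths; an
absent claim counts as "no groups" so the last membership is revoked; and an
optional glob allowlist for just-in-time group creation.
"""
import fnmatch
from dataclasses import dataclass, field

_MISSING = object()


def get_claim(claims, path, default=_MISSING):
    """Resolve a dotted claim path such as 'resource_access.openwebui.groups'.

    A plain 'groups' is a one-segment path, so flat and nested token layouts
    go through the same lookup instead of a top-level claims.get(...).
    """
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


@dataclass
class GroupStore:
    """Constructed stand-in for the groups table: group name -> member user ids."""
    groups: dict = field(default_factory=dict)

    def groups_of(self, user_id):
        return {name for name, members in self.groups.items() if user_id in members}


def sync_user_groups(store, user_id, claims, groups_claim="groups", create_pattern=None):
    """Reconcile user_id's local groups with the IdP claim. Returns (added, removed, created).

    - Claim values that name an existing local group are added (exact, case-sensitive).
    - Local groups absent from the claim are removed, including when the claim is
      missing entirely: the IdP dropped it because the user has no groups left, so
      fail closed rather than keep stale access.
    - create_pattern (fnmatch glob, e.g. 'openwebui_*') allowlists IdP groups that may
      be created locally on first sight; everything else is ignored, so a user with
      hundreds of directory groups cannot flood the group list.
    """
    raw = get_claim(claims, groups_claim)
    if raw is _MISSING or raw is None:
        raw = []
    if isinstance(raw, str):            # some IdPs emit a single group as a bare string
        raw = [raw]
    idp_groups = {str(g) for g in raw}  # Entra object-id GUIDs compare just like names

    created = set()
    if create_pattern:
        for name in sorted(idp_groups):
            if name not in store.groups and fnmatch.fnmatchcase(name, create_pattern):
                store.groups[name] = set()
                created.add(name)

    current = store.groups_of(user_id)
    local = set(store.groups)
    added = (idp_groups & local) - current
    removed = current - idp_groups
    for name in added:
        store.groups[name].add(user_id)
    for name in removed:
        store.groups[name].discard(user_id)
    return added, removed, created


if __name__ == "__main__":
    store = GroupStore({"marketing": set(), "InfraTeam": set()})
    # Constructed ID-token payload in the nested Keycloak layout quoted in the thread.
    nested = {"resource_access": {"openwebui": {"roles": ["user"], "groups": ["marketing"]}}}
    print(sync_user_groups(store, "u1", nested, groups_claim="resource_access.openwebui.groups"))
    # Claim absent after the user's last IdP group was removed: membership must go.
    print(sync_user_groups(store, "u1", {"email": "user@example.com"}))
```

Treating an absent claim as empty is the fail-closed choice: if the IdP stops sending the claim because the scope was left optional (the Keycloak client-config case earlier in the thread), users lose group access at next login instead of keeping stale membership, and the debug log shows an empty claim as the cause. The allowlist is what makes just-in-time creation safe to switch on in a large directory; without it every group the IdP emits becomes a local group.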

@taylorwilsdon commented on GitHub (Apr 16, 2025):

> Very excited about this and have been testing it out. Two things:
>
>   1. it looks like it will not create a new Open WebUI group; rather, I have to create the group in advance. Can you have Open WebUI create groups if it encounters a new one?
>   2. If you remove the user's last oauth group, Open WebUI fails to remove that group. See below for why.
>
> 2025-04-04 00:49:58.179 | DEBUG | open_webui.utils.oauth:update_user_groups:140 - Running OAUTH Group management - {}
> 2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:155 - Oauth Groups claim: groups - {}
> 2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:156 - User oauth groups: [] - {}
> 2025-04-04 00:49:58.183 | DEBUG | open_webui.utils.oauth:update_user_groups:157 - User's current groups: ['openwebui_uganda_project'] - {}
> 2025-04-04 00:49:58.184 | DEBUG | open_webui.utils.oauth:update_user_groups:158 - All groups available in OpenWebUI: ['openwebui_uganda_project'] - {}
>
> The next log statement, "Removing user from group..." never occurs. This is because when I remove the last group in my IdP, the "groups" claim in the JWT is fully removed. So the first part of the if statement here fails because user_oauth_groups is an empty set, as shown above in the log output.
>
> (utils/oauth.py)
>
>         # Remove groups that user is no longer a part of
>         for group_model in user_current_groups:
>             if user_oauth_groups and group_model.name not in user_oauth_groups:
>                 # Remove group from user
>                 log.debug(
>                     f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
>                 )

I will have a PR shortly that implements just in time creation of groups if no matching object exists in OWUI and expose as a settings toggle 👍


@taylorwilsdon commented on GitHub (Apr 18, 2025):

https://github.com/open-webui/open-webui/pull/13039 < PR for Just-in-time group creation


@andrefecto commented on GitHub (Apr 21, 2025):

Hi, I was looking at the code for this and while there is an ENV variable for ENABLE_OAUTH_GROUP_CREATION I do not see that anywhere in the codebase. I also looked in oauth.py and I don't see it checked when running update_user_groups. This could cause unintended behavior.


@taylorwilsdon commented on GitHub (Apr 21, 2025):

@andrefecto this is brand new functionality introduced in the PR above and currently only active if you build the dev branch 👍

The docs were merged yesterday in preparation for the group creation feature release


@JARZcorp commented on GitHub (Apr 29, 2025):

Great progress! Any estimates when the group creation feature will be released to main?


@robbiekouwenberg commented on GitHub (May 2, 2025):

Hi, I was testing the group assignment based on the user groups from a JWT token and was rather surprised about a few things:

  • Admins are excluded; we were wondering why this design choice, as admin is a role and not a group. If this is about admins being able to join/leave groups being overwritten, why not add a manual groups list and keep the group assignment the same for all users? This would be much easier to maintain and also test for functional owner staff.

  • Enabling the environment variable ENABLE_OAUTH_GROUP_MANAGEMENT on a live environment fails because of Persistent config not picking up the variable, you need to manually add "oauth": {"enable_group_mapping": "true" }

  • On Azure Entra you are limited by claims mapping that can only send the group id as part of the groups claims. this means you need to set the name of the group as a guid. this is easily solved by showing both the owui group id and description on the overview page so you know what to look for.


@ThisIsNotTheUserYouAreLookingFor commented on GitHub (Aug 18, 2025):

Hi, is there any progress on this issue? I just upgraded to a release from a few days ago, but only my role mapping works. no group mapping.


@taylorwilsdon commented on GitHub (Aug 18, 2025):

There's no issue @ThisIsNotTheUserYouAreLookingFor - it's been live for ages, I use it heavily. If you're not seeing group mapping working, please share your active environment variables, any logs you have and symptoms.


@heguro commented on GitHub (Oct 21, 2025):

https://github.com/open-webui/open-webui/issues/7102#issuecomment-2777308721

> 2. If you remove the user's last oauth group, Open WebUI fails to remove that group.
> This is because when I remove the last group in my IdP, the "groups" claim in the JWT is fully removed.

I notice this issue appears to still be present in the latest stable release (v0.6.34, using Microsoft Entra ID). Is this considered expected behavior?

Reference: github-starred/open-webui#101601