[GH-ISSUE #13418] issue: When admin user is logged into via OAUTH, role is reset to user #103897

Closed
opened 2026-05-18 01:30:16 -05:00 by GiteaMirror · 3 comments
Owner

Originally created by @Lutherwaves on GitHub (May 1, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/13418

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

0.6.5

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have listed steps to reproduce the bug in detail.

Expected Behavior

When an admin user logs in via OAuth, the user remains admin.

Actual Behavior

When a user with an email matching that of the original admin (the first logged-in user) logs in, the admin's role is changed to user.

Steps to Reproduce

  1. Set up Open WebUI and log in for the first time with a user email that you have an OAuth user for
  2. Re-deploy the setup, now with the OAuth environment variables
  3. Log out, select "login via <your oauth name here>" and log in with a user that has the same email as the original admin user
  4. Upon login, the user is no longer admin

Logs & Screenshots

Recording of login via admin, then login with same user via Auth0 changing the role
https://github.com/user-attachments/assets/e0404853-4705-4a14-b7f3-14fa27cd65d4

Additional Information

  • I initially deployed without OAuth and added the env variables afterwards
  • Env variables (obfuscated):

```
- name: ENABLE_SIGNUP
  value: "false"
- name: ENABLE_LOGIN_FORM
  value: "true"
- name: ENABLE_OAUTH_SIGNUP
  value: "true"
- name: ENABLE_OAUTH_GROUP_MANAGEMENT
  value: "true"
- name: ENABLE_OAUTH_ROLE_MANAGEMENT
  value: "true"
- name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
  value: "true"
- name: OAUTH_CLIENT_ID
  value: "<CLIENT_ID>"
- name: OAUTH_CLIENT_SECRET
  value: "<SECRET>"
- name: OPENID_PROVIDER_URL
  value: "<PROVIDER>"
- name: OAUTH_PROVIDER_NAME
  value: "Auth0"
```

  • Fix is to edit the user role directly in the database (Postgres)
  • If I add a new admin user (local, outside OAuth), it cannot edit the "original admin" back to admin due to security restrictions
GiteaMirror added the bug label 2026-05-18 01:30:16 -05:00
@Lutherwaves commented on GitHub (May 1, 2025):

https://discord.com/channels/1170866489302188073/1367487568622649416/1367487568622649416

@Lutherwaves commented on GitHub (May 2, 2025):

Actually, this seems not to be a bug when using OAuth. In order to avoid overwriting the admin (in case users overlap), proper RBAC needs to be set up using the respective OAuth variables and set up on the OAuth provider.

```
ENABLE_SIGNUP=true
ENABLE_LOGIN_FORM=true
ENABLE_OAUTH_SIGNUP=true
ENABLE_OAUTH_GROUP_MANAGEMENT=true
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
OAUTH_CLIENT_ID=id
OAUTH_CLIENT_SECRET=secret
OPENID_PROVIDER_URL=https://oauth/realms/dev/.well-known/openid-configuration
OAUTH_PROVIDER_NAME=<Name>
OAUTH_ROLES_CLAIM=<ROLES/CLAIM>
OAUTH_ALLOWED_ROLES=open-webui-user
OAUTH_ADMIN_ROLES=open-webui-admin
OAUTH_SCOPES=openid email profile
```

The above ensures a proper setup, and this issue is no longer seen.

With that being said, there is no bug.

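The role-resolution behaviour this thread describes, as an added illustration that is not Open WebUI's own code: a simplified Python model in which, with ENABLE_OAUTH_ROLE_MANAGEMENT and OAUTH_MERGE_ACCOUNTS_BY_EMAIL on, the role of an email-matched local account is recomputed from the IdP's roles claim on every login, so the first admin keeps "admin" only if the provider actually emits an admin role for that account. The dotted claim path, the admin-before-allowed precedence and the "pending" fallback are assumptions of this model, and the token claims below are constructed.

```python
from typing import Any

# Assumed settings mirroring the corrected env from the comment above.
CFG = {
    "ENABLE_OAUTH_ROLE_MANAGEMENT": True,
    "OAUTH_ROLES_CLAIM": "realm_access.roles",  # assumed nested claim path
    "OAUTH_ALLOWED_ROLES": ["open-webui-user"],
    "OAUTH_ADMIN_ROLES": ["open-webui-admin"],
}

# Constructed ID-token claims, not real data. The first is what an IdP
# sends when no admin role mapping has been configured on the provider side.
CLAIMS_NO_ADMIN_ROLE = {"email": "admin@example.com",
                        "realm_access": {"roles": ["open-webui-user"]}}
CLAIMS_WITH_ADMIN_ROLE = {"email": "admin@example.com",
                          "realm_access": {"roles": ["open-webui-user", "open-webui-admin"]}}


def get_claim(claims: dict[str, Any], path: str) -> list[str]:
    """Walk a dotted claim path and normalise the value to a list of strings."""
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []  # claim missing: the IdP sent no roles at all
        node = node[key]
    return [str(r) for r in node] if isinstance(node, (list, tuple)) else [str(node)]


def resolve_role(claims: dict[str, Any], cfg: dict[str, Any]) -> str:
    """Assumed precedence: an admin role wins, then an allowed role, else 'pending'."""
    roles = set(get_claim(claims, cfg["OAUTH_ROLES_CLAIM"]))
    if roles & set(cfg["OAUTH_ADMIN_ROLES"]):
        return "admin"
    if roles & set(cfg["OAUTH_ALLOWED_ROLES"]):
        return "user"
    return "pending"


def merged_login(existing_role: str, claims: dict[str, Any], cfg: dict[str, Any]) -> str:
    """Role of a local account merged by email after an OAuth login.

    The stored role is kept only when role management is off; otherwise the
    IdP's claim is authoritative, which is why the original admin is demoted
    unless the provider emits an admin role for that account.
    """
    if not cfg.get("ENABLE_OAUTH_ROLE_MANAGEMENT"):
        return existing_role
    return resolve_role(claims, cfg)


if __name__ == "__main__":
    print("admin logs in, IdP sends no admin role ->", merged_login("admin", CLAIMS_NO_ADMIN_ROLE, CFG))
    print("admin logs in, IdP sends admin role    ->", merged_login("admin", CLAIMS_WITH_ADMIN_ROLE, CFG))
```

The first call reproduces the demotion in the issue (the merged admin becomes "user"); the second shows the outcome once the provider maps the account to the configured OAUTH_ADMIN_ROLES value.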

@xkww3n commented on GitHub (Jun 5, 2025):

Hello, I'm also using Auth0 with Open WebUI and facing exactly the same issue. I've followed lots of guidance but still got my administrator account reset to normal user. May I know the actual OAUTH_ROLES_CLAIM variable and specific Auth0 configuration? My configuration is on Discord: https://discord.com/channels/1170866489302188073/1241654544639725609/threads/1373627876192157746


Reference: github-starred/open-webui#103897