mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[GH-ISSUE #13676] issue: OAUTH_ALLOWED_ROLES ignored, everyone is able to login with a valid OIDC token. #103990
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @tht on GitHub (May 8, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/13676
Check Existing Issues
Installation Method
Other
Open WebUI Version
v0.6.7
Ollama Version (if applicable)
No response
Operating System
Kubernetes Installation
Browser (if applicable)
Edge, Brave
Confirmation
README.md.Expected Behavior
We use SSO using Keycloak as IDP. Keycloak does provide the Roles for User (GPT_USER) and Admin (GPT_ADMIN). We do have a lot of additional users in Keycloak which DO NOT have any of these two Roles.
When setting
OAUTH_ALLOWED_ROLEStoGPT_USERI expect only the users with the role GPT_USER to be able to login. This is what I expect looking a the documentation where this is written:Actual Behavior
It seems the parameter
OAUTH_ALLOWED_ROLESis ignored. Every user with a valid ticket from Keycloak is able to log in even if the roleGPT_USERis missing.Looking at https://github.com/open-webui/open-webui/blob/v0.6.7/backend/open_webui/utils/oauth.py#L297 it seems
OAUTH_ALLOWED_ROLESis not checked when logging in.Steps to Reproduce
OAUTH_ALLOWED_ROLESto the configuration and set to a random string which DOES NOT match an user's role.Login like this works for existing users and also for new users.
Logs & Screenshots
Login from a new User missing the role:
Browser logs not attached as this is a backend issue. The backend does have to prevent a login.
Additional Information
No response
@Menschomat commented on GitHub (May 11, 2025):
Hey there,
we are experiencing that, too!
As a work-around I switched
DEFAULT_USER_ROLEtopending.With Authentik you can easily decide which user can access an application/client. For KeyCloak this seems to be more complicated.
Having a fix for this security-relevant feature indeed would be great.
@tht commented on GitHub (May 12, 2025):
I think we identified the issue. It is this line:
4ce1e88750/backend/open_webui/utils/oauth.py (L122)Assume a user DOES not have the admin or user role in the OIDC ticket, then we receive an empty list here. An empty list is not
Truein Python so we never enter this block and the user keepsDEFAULT_USER_ROLEas this was assigned before.So this may even be by design. In this case the documentation should be updated as this is IMHO not correct:
As proposed by @Menschomat setting
DEFAULT_USER_ROLEdoes help. What remains is the wrong message a non-authorised user gets. Instead of a access denied he's shown a "access pending" message.@tjbck commented on GitHub (May 23, 2025):
docs need to be updated, PR welcome!
@Menschomat commented on GitHub (May 25, 2025):
@tjbck I hope it is not just me, but I love to have this actually fixed... Using OpenWebUI in e.g. an institution for a limited user-base would lead to many unnecessary pending requests. This still keeps "unwanted" users out, but could be avoided if the access could actually be limited to a certian set of user-groups.
Maye an easy way out could be to provide the possibility to set the DEFAULT_USER_ROLE to something like "forbidden". This way you are a bit more flexible than just do a hard restriction by OAUTH_ALLOWED_ROLES.
@AlbertDoesProgramming commented on GitHub (Sep 8, 2025):
So I think this is still an issue since I've come across this myself today. I'll try and sort out in the next 2 weeks time permitting.
@ibizaman commented on GitHub (Oct 9, 2025):
FYI I created a discussion before opening a PR: https://github.com/open-webui/open-webui/discussions/18170
@wolfaba commented on GitHub (Nov 7, 2025):
Version 0.6.36 still affected. User without
userandadminrole can still login. SettingDEFAULT_USER_ROLEtopendingdoes not help. As workaround, we have to configure OIDC in apache reverse proxy to correctly deny access to unauthorized users.