[GH-ISSUE #15104] issue: OAuth mismatching_state CSRF Error on Second Login Attempt Due to Incomplete Session Logout #104464

Closed
opened 2026-05-18 02:08:37 -05:00 by GiteaMirror · 3 comments
Owner

Originally created by @Classic298 on GitHub (Jun 18, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15104

Originally assigned to: @jackthgu on GitHub.

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Pip Install

Open WebUI Version

0.6.15

Ollama Version (if applicable)

No response

Operating System

Debian 12

Browser (if applicable)

Edge

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

After the second login attempt (starting from Step 11), the user should be successfully and seamlessly logged back into the Open WebUI dashboard. The application should re-establish the user's session without any errors, just as it did during the first login.

Actual Behavior

The second login attempt consistently fails.

In the Browser: Immediately after the redirect from Microsoft in Step 12, the user is kicked back to the Open WebUI login page (/auth). The UI does not show any user-friendly error message, but an inspection of the network tab in the developer tools reveals that the callback failed. The user is effectively stuck in a loop where they cannot log in again.

In the Backend Logs: The Open WebUI container logs show a clear and specific error message, confirming the root cause of the failure

ERROR | open_webui.routers.auths:[...]:[...] - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {}

The Browser on the other hand shows a dubious error message that makes no sense, and in a json format too:

{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}

Steps to Reproduce

My setup is configured to use Microsoft Entra ID as the sole authentication provider. The key environment variables are set as follows to enforce this and handle the session correctly in a scaled environment:

Authentication & OAuth Configuration:
ENABLE_OAUTH_SIGNUP=true (Enables OAuth login)
ENABLE_LOGIN_FORM=false (Disables the traditional email/password form)
ENABLE_SIGNUP=false (Disables traditional user registration)
MICROSOFT_CLIENT_ID=""
MICROSOFT_CLIENT_SECRET=""
MICROSOFT_CLIENT_TENANT_ID=""
OAUTH_SCOPES="openid email profile"

Logout & Redirect Configuration:
WEBUI_URL has been set in admin panel
OPENID_PROVIDER_URL="https://login.microsoftonline.com/{your-microsoft-tenant-id}/.well-known/openid-configuration" (For discovering OIDC endpoints)
WEBUI_AUTH_SIGNOUT_REDIRECT_URL="https://login.microsoftonline.com/{your-microsoft-tenant-id}/oauth2/v2.0/logout" (To initiate the logout at Microsoft)

Session, Security & Scaling Configuration:
WEBUI_SECRET_KEY=""
WEBUI_SESSION_COOKIE_SAME_SITE=lax
WEBUI_AUTH_COOKIE_SAME_SITE=lax
REDIS_URL="redis://"
ENABLE_WEBSOCKET_SUPPORT=true
WEBSOCKET_MANAGER=redis
UVICORN_WORKERS=2 (Running in a multi-worker setup)

Note: The issue has been reproduced and confirmed even when testing with UVICORN_WORKERS=1 and with WEBUI_SESSION_COOKIE_SECURE=False to rule out race conditions or reverse-proxy/SSL termination issues.

  1. Start with a clean browser session (e.g., in a private/incognito window or after clearing all site data for the Open WebUI domain).
  2. Navigate to the Open WebUI login page at https://. The page correctly shows only the "Login with Microsoft" button.
  3. Click the "Login with Microsoft" button.
  4. You are redirected to the standard Microsoft login page. Authenticate successfully with your credentials.
  5. After successful authentication, Microsoft redirects you back to the Open WebUI callback URL (/oauth/microsoft/callback).
  6. Observation: The user is successfully logged into the Open WebUI dashboard. The first login works flawlessly.
  7. Interact with the application, e.g., start a chat.
  8. Click on the user profile icon in the bottom-left corner of the UI to open the user menu.
  9. Click the "Logout" button.
  10. Observation: The user is successfully logged out. The browser is redirected to the Microsoft logout confirmation page, which might say "You have signed out. It's a good idea to close all browser windows." The browser tab then shows the Open WebUI login page again.
  11. Crucial Step: With OR without closing the browser or the tab (does not make a difference), click the "Login with Microsoft" button again on the same page to log in again.
  12. You are redirected to Microsoft. Select your account and authenticate to log in.
  13. FAILURE POINT: The login process fails at this exact moment of redirection back to Open WebUI.

Logs & Screenshots

As above

Additional Information

OAuth Provider: Microsoft Entra ID (Azure)
Setup: Multi-worker (UVICORN_WORKERS > 1) behind a reverse proxy, using Redis for session/websocket management.

Originally created by @Classic298 on GitHub (Jun 18, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/15104 Originally assigned to: @jackthgu on GitHub. ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Pip Install ### Open WebUI Version 0.6.15 ### Ollama Version (if applicable) _No response_ ### Operating System Debian 12 ### Browser (if applicable) Edge ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior After the second login attempt (starting from Step 11), the user should be successfully and seamlessly logged back into the Open WebUI dashboard. The application should re-establish the user's session without any errors, just as it did during the first login. ### Actual Behavior The second login attempt consistently fails. In the Browser: Immediately after the redirect from Microsoft in Step 12, the user is kicked back to the Open WebUI login page (/auth). The UI does not show any user-friendly error message, but an inspection of the network tab in the developer tools reveals that the callback failed. The user is effectively stuck in a loop where they cannot log in again. In the Backend Logs: The Open WebUI container logs show a clear and specific error message, confirming the root cause of the failure ERROR | open_webui.routers.auths:[...]:[...] - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {} The Browser on the other hand shows a dubious error message that makes no sense, and in a json format too: {"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."} ### Steps to Reproduce My setup is configured to use Microsoft Entra ID as the sole authentication provider. The key environment variables are set as follows to enforce this and handle the session correctly in a scaled environment: **Authentication & OAuth Configuration:** ENABLE_OAUTH_SIGNUP=true (Enables OAuth login) ENABLE_LOGIN_FORM=false (Disables the traditional email/password form) ENABLE_SIGNUP=false (Disables traditional user registration) MICROSOFT_CLIENT_ID="<your-entra-app-client-id>" MICROSOFT_CLIENT_SECRET="<your-entra-app-client-secret>" MICROSOFT_CLIENT_TENANT_ID="<your-microsoft-tenant-id>" OAUTH_SCOPES="openid email profile" **Logout & Redirect Configuration:** WEBUI_URL has been set in admin panel OPENID_PROVIDER_URL="https://login.microsoftonline.com/{your-microsoft-tenant-id}/.well-known/openid-configuration" (For discovering OIDC endpoints) WEBUI_AUTH_SIGNOUT_REDIRECT_URL="https://login.microsoftonline.com/{your-microsoft-tenant-id}/oauth2/v2.0/logout" (To initiate the logout at Microsoft) **Session, Security & Scaling Configuration:** WEBUI_SECRET_KEY="<a-fixed-random-secret-key>" WEBUI_SESSION_COOKIE_SAME_SITE=lax WEBUI_AUTH_COOKIE_SAME_SITE=lax REDIS_URL="redis://<your-redis-instance>" ENABLE_WEBSOCKET_SUPPORT=true WEBSOCKET_MANAGER=redis UVICORN_WORKERS=2 (Running in a multi-worker setup) **Note: The issue has been reproduced and confirmed even when testing with UVICORN_WORKERS=1 and with WEBUI_SESSION_COOKIE_SECURE=False to rule out race conditions or reverse-proxy/SSL termination issues.** 1. Start with a clean browser session (e.g., in a private/incognito window or after clearing all site data for the Open WebUI domain). 2. Navigate to the Open WebUI login page at https://<your-public-open-webui-domain>. The page correctly shows only the "Login with Microsoft" button. 3. Click the "Login with Microsoft" button. 4. You are redirected to the standard Microsoft login page. Authenticate successfully with your credentials. 5. After successful authentication, Microsoft redirects you back to the Open WebUI callback URL (/oauth/microsoft/callback). 6. Observation: The user is successfully logged into the Open WebUI dashboard. The first login works flawlessly. 7. Interact with the application, e.g., start a chat. 8. Click on the user profile icon in the bottom-left corner of the UI to open the user menu. 9. Click the "Logout" button. 10. Observation: The user is successfully logged out. The browser is redirected to the Microsoft logout confirmation page, which might say "You have signed out. It's a good idea to close all browser windows." The browser tab then shows the Open WebUI login page again. 11. Crucial Step: With OR without closing the browser or the tab (does not make a difference), click the "Login with Microsoft" button again on the same page to log in again. 12. You are redirected to Microsoft. Select your account and authenticate to log in. 13. FAILURE POINT: The login process fails at this exact moment of redirection back to Open WebUI. ### Logs & Screenshots As above ### Additional Information OAuth Provider: Microsoft Entra ID (Azure) Setup: Multi-worker (UVICORN_WORKERS > 1) behind a reverse proxy, using Redis for session/websocket management.
GiteaMirror added the bug label 2026-05-18 02:08:37 -05:00
Author
Owner

@Classic298 commented on GitHub (Jun 18, 2025):

Related to:

https://github.com/open-webui/open-webui/issues/13509

<!-- gh-comment-id:2983214172 --> @Classic298 commented on GitHub (Jun 18, 2025): Related to: https://github.com/open-webui/open-webui/issues/13509
Author
Owner

@Classic298 commented on GitHub (Jun 18, 2025):

Assumption: logout is faulty, logout is not actually fully completed. Why this assumption? Because:

Workaround: once error is shown in browser and console:

Delete cache
Delete local storage in developer console
Delete cookies

Then go back to login page and try to log in again

Now it will work

<!-- gh-comment-id:2983238536 --> @Classic298 commented on GitHub (Jun 18, 2025): Assumption: logout is faulty, logout is not actually fully completed. Why this assumption? Because: Workaround: once error is shown in browser and console: Delete cache Delete local storage in developer console Delete cookies Then go back to login page and try to log in again Now it will work
Author
Owner

@Classic298 commented on GitHub (Jun 19, 2025):

The merged PR fixes this exact issue, and perhaps some other related issues where users experienced similar problems.

I will close this issue now.

Thanks everyone.

<!-- gh-comment-id:2987852159 --> @Classic298 commented on GitHub (Jun 19, 2025): The merged PR fixes this exact issue, and perhaps some other related issues where users experienced similar problems. I will close this issue now. Thanks everyone.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#104464