[PR #15031] [CLOSED] feat: Add Google Cloud Identity API support for OAuth group-based roles #10487

Closed
opened 2025-11-11 19:06:14 -06:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/15031
Author: @bdruth
Created: 6/16/2025
Status: Closed

Base: main ← Head: feat/google-oauth-groups


📝 Commits (3)

  • a909fd9 (https://github.com/open-webui/open-webui/commit/a909fd92968e60ba5b89b4627e8e8b26318a92c6) feat: Add Google Cloud Identity API support for OAuth group-based roles
  • 64ce040 (https://github.com/open-webui/open-webui/commit/64ce0403885ede55cae632bad2a73dbf6b3a4127) fix google cloud identity query string
  • cc6a1a7 (https://github.com/open-webui/open-webui/commit/cc6a1a7d9f45fe35185b9fb3a74cd67157e99ad5) update tests for adjusted query string & payload

📊 Changes

4 files changed (+2759 additions, -2432 deletions)

Changed files:

➕ backend/open_webui/test/test_oauth_google_groups.py (+266 -0)
📝 backend/open_webui/utils/oauth.py (+158 -28)
➕ docs/oauth-google-groups.md (+95 -0)
📝 uv.lock (+2240 -2404)

📄 Description

See discussion: https://github.com/open-webui/open-webui/discussions/15030

Summary

Enables Google Workspace group-based role assignment by integrating with Google Cloud Identity API to fetch user groups in real-time.

Addresses the limitation where Google Workspace doesn't include group membership claims in OAuth JWT tokens, preventing Open WebUI from assigning admin roles based on Google group membership.

Problem Solved

Currently, Google Workspace users can only receive default roles in Open WebUI regardless of their group memberships. Organizations cannot use their existing Google Workspace group structure (like "admin@company.com") for Open WebUI role management.

Solution

  • Fetches user groups directly from Google Cloud Identity API during login
  • Enables role assignment based on Google group membership
  • Uses https://www.googleapis.com/auth/cloud-identity.groups.readonly scope
  • Falls back gracefully to existing token-based claims for other OAuth providers
  • Maintains full backward compatibility

Configuration Example

```bash
# Enable Google Cloud Identity API for group fetching
GOOGLE_OAUTH_SCOPE="openid email profile https://www.googleapis.com/auth/cloud-identity.groups.readonly"

# Assign admin role to users in these Google groups
OAUTH_ADMIN_ROLES="admin@company.com,it-admins@company.com"
OAUTH_ALLOWED_ROLES="employees@company.com"
```

Key Features

  • Google group-based admin assignment - Users in specified groups get admin role
  • Real-time group sync - Groups fetched fresh on each login
  • Nested group support - Uses searchTransitiveGroups API
  • Backward compatible - Only activates when Cloud Identity scope present
  • Graceful fallback - Falls back to traditional claims if API unavailable

Files Changed

  • backend/open_webui/utils/oauth.py - Enhanced OAuth manager with Google Cloud Identity API integration
  • backend/open_webui/test/test_oauth_google_groups.py - Comprehensive test suite (7 tests)
  • docs/oauth-google-groups.md - Complete setup documentation
  • pyproject.toml & uv.lock - Added pytest-asyncio dependency

Test Coverage

  • Google Groups API success/error/network failure scenarios
  • Role assignment with Google Groups vs traditional claims
  • Fallback behavior for non-Google providers
  • Group management integration
  • Proper async mocking without warnings

Backward Compatibility

  • Existing OAuth configurations work unchanged
  • Only activates when cloud-identity.groups.readonly scope present
  • No new required environment variables
  • Falls back to traditional claims for other providers

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
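The flow the description lays out (activate only when the Cloud Identity scope was requested, read transitive group memberships from the API response, map groups to admin/user/pending, and fall back to the token's role claim when the API call fails) is shown below as an added, self-contained Python example. It is not the PR's own `oauth.py` code: the response shape for `searchTransitiveGroups` (`memberships[].groupKey.id`), the `roles` claim name, the `pending` default role and the sample payload are all assumptions constructed for this illustration, and no network call is made; a caller-supplied `fetch_groups` callable stands in for the HTTP request.

```python
# Added example, not Open WebUI's code. Models the PR's described behaviour:
# scope-gated activation, group extraction from a Cloud Identity
# searchTransitiveGroups response, role mapping, and fallback to token claims.
from __future__ import annotations

import logging
from typing import Callable, Iterable

log = logging.getLogger(__name__)

# Scope named in the PR; its presence in GOOGLE_OAUTH_SCOPE enables the lookup.
CLOUD_IDENTITY_SCOPE = "https://www.googleapis.com/auth/cloud-identity.groups.readonly"


def split_roles(value: str) -> set[str]:
    """Parse a comma-separated env value such as OAUTH_ADMIN_ROLES (case-insensitive)."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def cloud_identity_enabled(provider: str, scope: str) -> bool:
    """Only the Google provider with the readonly groups scope triggers the API path."""
    return provider == "google" and CLOUD_IDENTITY_SCOPE in scope.split()


def parse_transitive_groups(payload: dict) -> list[str]:
    """Extract group e-mail keys from a searchTransitiveGroups response.

    Assumed shape: {"memberships": [{"groupKey": {"id": "<group email>"}, ...}]}.
    Memberships without a groupKey id (e.g. non-email keys) are skipped.
    """
    groups: list[str] = []
    for membership in payload.get("memberships", []):
        key = (membership.get("groupKey") or {}).get("id")
        if key:
            groups.append(key.lower())
    return groups


def effective_groups(
    provider: str,
    scope: str,
    token_claims: dict,
    fetch_groups: Callable[[], dict],
    role_claim: str = "roles",  # assumed claim name for the fallback path
) -> list[str]:
    """Groups used for role assignment: API first, token claims on failure or for other providers."""
    if cloud_identity_enabled(provider, scope):
        try:
            return parse_transitive_groups(fetch_groups())
        except Exception as exc:  # network error, 4xx/5xx, malformed body
            log.warning("Cloud Identity lookup failed, falling back to token claims: %s", exc)
    claimed = token_claims.get(role_claim, [])
    if isinstance(claimed, str):
        claimed = [claimed]
    return [c.lower() for c in claimed]


def resolve_role(
    groups: Iterable[str], admin_roles: str, allowed_roles: str, default_role: str = "pending"
) -> str:
    """Admin groups take precedence; allowed groups yield 'user'; otherwise default_role.

    The 'pending' default is an assumption: a user in no recognised group gets no access
    rather than a silent 'user' role, which keeps an API outage from granting access.
    """
    member = {g.lower() for g in groups}
    if member & split_roles(admin_roles):
        return "admin"
    if member & split_roles(allowed_roles):
        return "user"
    return default_role


# Constructed sample response (not captured from Google) with direct and nested membership.
SAMPLE_RESPONSE = {
    "memberships": [
        {"group": "groups/abc123", "groupKey": {"id": "Admin@company.com"}, "relationType": "DIRECT"},
        {"group": "groups/def456", "groupKey": {"id": "employees@company.com"}, "relationType": "INDIRECT"},
        {"group": "groups/ghi789", "groupKey": {}, "relationType": "DIRECT"},
    ]
}
SCOPE = "openid email profile " + CLOUD_IDENTITY_SCOPE
ADMIN_ROLES = "admin@company.com,it-admins@company.com"
ALLOWED_ROLES = "employees@company.com"


def demo() -> dict[str, str]:
    """Run the three interesting paths and return the role chosen for each."""
    api_ok = effective_groups("google", SCOPE, {}, lambda: SAMPLE_RESPONSE)
    api_down = effective_groups("google", SCOPE, {"roles": ["employees@company.com"]},
                                lambda: (_ for _ in ()).throw(ConnectionError("api unavailable")))
    other = effective_groups("oidc", "openid email", {"roles": "guests@company.com"}, lambda: SAMPLE_RESPONSE)
    return {
        "google_api_ok": resolve_role(api_ok, ADMIN_ROLES, ALLOWED_ROLES),
        "google_api_down": resolve_role(api_down, ADMIN_ROLES, ALLOWED_ROLES),
        "other_provider": resolve_role(other, ADMIN_ROLES, ALLOWED_ROLES),
    }


if __name__ == "__main__":
    print(demo())
```

The `google_api_down` path is the one worth checking in review: with the API unreachable the user lands on whatever the token claims say, so an operator relying on this for admin assignment should confirm that an outage can only lower, never raise, the resulting role.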

GiteaMirror added the pull-request label 2025-11-11 19:06:14 -06:00

Reference: github-starred/open-webui#10487