[GH-ISSUE #20140] issue: Google OAuth Callback Handler Not Processing Authorization Codes #106092

Closed
opened 2026-05-18 04:17:10 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @vavenpuneet01-collab on GitHub (Dec 23, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20140

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.37 to v0.6.43

Ollama Version (if applicable)

Using OpenRouter API, not Ollama

Operating System

Ubuntu24

Browser (if applicable)

Chrome or Chrome/Edge or Any browser

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

After Google redirects back with authorization code, the callback handler should:

  1. Exchange authorization code for access token
  2. Fetch user information from Google
  3. Create or update user account
  4. Create OAuth session
  5. Log user in and redirect to main application

Actual Behavior

  1. OAuth login endpoint works correctly (302 redirect to Google)
  2. Google authentication works correctly
  3. Callback handler receives authorization code (HTTP 200)
  4. Callback handler does NOT process the code
  5. Callback handler redirects to /auth (login page)
  6. No OAuth sessions created in database
  7. No user accounts created/updated
  8. User remains logged out

The callback handler receives valid authorization codes from Google but returns HTTP 200 with HTML (login page) instead of processing the OAuth flow.

Steps to Reproduce

  1. Deploy OpenWebUI v0.6.37 (or v0.6.41, v0.6.42, v0.6.43) using Docker on Kubernetes
  2. Configure Google OAuth environment variables:
  3. Ensure Google Cloud Console is configured with matching redirect URI
  4. Restart the OpenWebUI pod to apply configuration
  5. Open browser (Chrome/Edge/Firefox) and navigate to OpenWebUI login page
  6. Click "Continue with Google" button
  7. Complete Google authentication (user signs in with Google account)
  8. Google redirects back to /oauth/callback/google?state=&code=
  9. Observe that browser is redirected to /auth?redirect=%2Foauth%2Fcallback%2Fgoogle%3Fstate%3D
  10. User remains on login page (not logged in)
  11. Check database: SELECT COUNT(*) FROM oauth_session; returns 0
  12. Check API config: /api/config shows oauth.enabled: false

Logs & Screenshots

Logs:

2025-12-23 12:32:07.442 | INFO | "GET /oauth/google/login HTTP/1.1" 302
2025-12-23 12:32:11.592 | INFO | "GET /oauth/callback/google?state=&code=&scope=email+profile+... HTTP/1.1" 200

Database Check:

SELECT COUNT(*) FROM oauth_session;
-- Returns: 0 (no OAuth sessions created)

API Config Response:

{
  "oauth": {
    "enabled": false,
    "google": {
      "enabled": false
    }
  },
  "enable_oauth_signup": false,
  "enable_signup": false
}

Network Request Flow:

  1. GET /oauth/google/login → 302 Found → Redirects to Google OAuth ✅
  2. Google authentication → User signs in ✅
  3. GET /oauth/callback/google?state=&code= → 200 OK → Returns HTML (login page) ❌
  4. Browser redirected to /auth?redirect=%2Foauth%2Fcallback%2Fgoogle%3Fstate%3D ❌

Note: No error messages appear in logs despite DEBUG logging enabled. The callback handler receives valid authorization codes but fails silently.

Network Request Flow:
GET /oauth/google/login → 302 Found → Redirects to Google OAuth ✅
Google authentication → User signs in ✅
GET /oauth/callback/google?state=&code= → 200 OK → Returns HTML (login page) ❌
Browser redirected to /auth?redirect=%2Foauth%2Fcallback%2Fgoogle%3Fstate%3D ❌
Note: No error messages appear in logs despite DEBUG logging enabled. The callback handler receives valid authorization codes but fails silently.

Additional Information

Configuration

Environment Variables Set:

  • ENABLE_GOOGLE_OAUTH: "true"
  • ENABLE_OAUTH_SIGNUP: "true"
  • ENABLE_SIGNUP: "true"
  • GOOGLE_CLIENT_ID: ".apps.googleusercontent.com"
  • GOOGLE_CALLBACK_URL: "https://example.com/oauth/callback/google"
  • OPENID_PROVIDER_URL: "https://accounts.google.com"
  • GLOBAL_LOG_LEVEL: "DEBUG"
  • LOG_LEVEL: "DEBUG"
  • OAUTH_LOG_LEVEL: "DEBUG"
  • WEBUI_URL: "https://example.com"

Google Cloud Console Configuration:

  • Authorized redirect URI matches GOOGLE_CALLBACK_URL
  • Scopes: openid, email, profile
  • OAuth consent screen: Configured and verified

Debugging Attempts

  1. ✅ Verified all environment variables are set correctly
  2. ✅ Verified Google OAuth credentials are valid
  3. ✅ Verified callback URL matches Google Console configuration
  4. ✅ Enabled DEBUG and OAUTH_LOG_LEVEL logging (no errors logged)
  5. ✅ Removed duplicate GOOGLE_REDIRECT_URI variable
  6. ✅ Checked database for OAuth configuration
  7. ✅ Verified callback handler receives authorization codes
  8. ❌ No error messages in logs despite DEBUG logging enabled
  9. ❌ Callback handler fails silently

Additional Details

  • Silent Failure: No errors or exceptions logged despite DEBUG logging enabled
  • Cross-Version Issue: Confirmed in v0.6.37, v0.6.41, v0.6.42, and v0.6.43 (v0.6.40 could not be tested due to database compatibility issues)
  • Configuration Mismatch: API config shows OAuth disabled despite environment variables being set correctly
  • State Parameter: State parameter is present and appears valid
  • Authorization Code: Valid codes are received from Google

Impact

  • Severity: High - Google OAuth login is completely non-functional
  • Users Affected: All users attempting to use Google OAuth login
  • Workaround: Users must use email/password authentication (if enabled)

This issue appears related to:

  • OAuth callback handler not processing authorization codes
  • OAuth configuration not being loaded from environment variables
  • Silent failure in OAuth callback processing

Request

Please investigate why:

  1. The OAuth callback handler receives codes but doesn't process them
  2. No errors are logged despite DEBUG logging enabled
  3. API config shows OAuth disabled despite environment variables being set
  4. The callback handler redirects to login instead of processing the OAuth flow
Originally created by @vavenpuneet01-collab on GitHub (Dec 23, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/20140 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.6.37 to v0.6.43 ### Ollama Version (if applicable) Using OpenRouter API, not Ollama ### Operating System Ubuntu24 ### Browser (if applicable) Chrome or Chrome/Edge or Any browser ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior After Google redirects back with authorization code, the callback handler should: 1. Exchange authorization code for access token 2. Fetch user information from Google 3. Create or update user account 4. Create OAuth session 5. Log user in and redirect to main application ### Actual Behavior 1. ✅ OAuth login endpoint works correctly (302 redirect to Google) 2. ✅ Google authentication works correctly 3. ✅ Callback handler receives authorization code (HTTP 200) 4. ❌ Callback handler does NOT process the code 5. ❌ Callback handler redirects to /auth (login page) 6. ❌ No OAuth sessions created in database 7. ❌ No user accounts created/updated 8. ❌ User remains logged out The callback handler receives valid authorization codes from Google but returns HTTP 200 with HTML (login page) instead of processing the OAuth flow. ### Steps to Reproduce 1. Deploy OpenWebUI v0.6.37 (or v0.6.41, v0.6.42, v0.6.43) using Docker on Kubernetes 2. Configure Google OAuth environment variables: - ENABLE_GOOGLE_OAUTH: "true" - ENABLE_OAUTH_SIGNUP: "true" - ENABLE_SIGNUP: "true" - GOOGLE_CLIENT_ID: "<your-client-id>.apps.googleusercontent.com" - GOOGLE_CALLBACK_URL: "https://example.com/oauth/callback/google" - OPENID_PROVIDER_URL: "https://accounts.google.com" 3. Ensure Google Cloud Console is configured with matching redirect URI 4. Restart the OpenWebUI pod to apply configuration 5. Open browser (Chrome/Edge/Firefox) and navigate to OpenWebUI login page 6. Click "Continue with Google" button 7. Complete Google authentication (user signs in with Google account) 8. Google redirects back to /oauth/callback/google?state=<state>&code=<code> 9. Observe that browser is redirected to /auth?redirect=%2Foauth%2Fcallback%2Fgoogle%3Fstate%3D<state> 10. User remains on login page (not logged in) 11. Check database: SELECT COUNT(*) FROM oauth_session; returns 0 12. Check API config: /api/config shows oauth.enabled: false ### Logs & Screenshots **Logs:** 2025-12-23 12:32:07.442 | INFO | "GET /oauth/google/login HTTP/1.1" 302 2025-12-23 12:32:11.592 | INFO | "GET /oauth/callback/google?state=<state-parameter>&code=<authorization-code>&scope=email+profile+... HTTP/1.1" 200 **Database Check:** ```sql SELECT COUNT(*) FROM oauth_session; -- Returns: 0 (no OAuth sessions created) ``` **API Config Response:** ```json { "oauth": { "enabled": false, "google": { "enabled": false } }, "enable_oauth_signup": false, "enable_signup": false } ``` **Network Request Flow:** 1. GET /oauth/google/login → 302 Found → Redirects to Google OAuth ✅ 2. Google authentication → User signs in ✅ 3. GET /oauth/callback/google?state=<state>&code=<code> → 200 OK → Returns HTML (login page) ❌ 4. Browser redirected to /auth?redirect=%2Foauth%2Fcallback%2Fgoogle%3Fstate%3D<state> ❌ **Note:** No error messages appear in logs despite DEBUG logging enabled. The callback handler receives valid authorization codes but fails silently. Network Request Flow: GET /oauth/google/login → 302 Found → Redirects to Google OAuth ✅ Google authentication → User signs in ✅ GET /oauth/callback/google?state=<state>&code=<code> → 200 OK → Returns HTML (login page) ❌ Browser redirected to /auth?redirect=%2Foauth%2Fcallback%2Fgoogle%3Fstate%3D<state> ❌ Note: No error messages appear in logs despite DEBUG logging enabled. The callback handler receives valid authorization codes but fails silently. ### Additional Information ## Configuration **Environment Variables Set:** - ENABLE_GOOGLE_OAUTH: "true" - ENABLE_OAUTH_SIGNUP: "true" - ENABLE_SIGNUP: "true" - GOOGLE_CLIENT_ID: "<redacted-client-id>.apps.googleusercontent.com" - GOOGLE_CALLBACK_URL: "https://example.com/oauth/callback/google" - OPENID_PROVIDER_URL: "https://accounts.google.com" - GLOBAL_LOG_LEVEL: "DEBUG" - LOG_LEVEL: "DEBUG" - OAUTH_LOG_LEVEL: "DEBUG" - WEBUI_URL: "https://example.com" **Google Cloud Console Configuration:** - Authorized redirect URI matches GOOGLE_CALLBACK_URL - Scopes: openid, email, profile - OAuth consent screen: Configured and verified ## Debugging Attempts 1. ✅ Verified all environment variables are set correctly 2. ✅ Verified Google OAuth credentials are valid 3. ✅ Verified callback URL matches Google Console configuration 4. ✅ Enabled DEBUG and OAUTH_LOG_LEVEL logging (no errors logged) 5. ✅ Removed duplicate GOOGLE_REDIRECT_URI variable 6. ✅ Checked database for OAuth configuration 7. ✅ Verified callback handler receives authorization codes 8. ❌ No error messages in logs despite DEBUG logging enabled 9. ❌ Callback handler fails silently ## Additional Details - **Silent Failure**: No errors or exceptions logged despite DEBUG logging enabled - **Cross-Version Issue**: Confirmed in v0.6.37, v0.6.41, v0.6.42, and v0.6.43 (v0.6.40 could not be tested due to database compatibility issues) - **Configuration Mismatch**: API config shows OAuth disabled despite environment variables being set correctly - **State Parameter**: State parameter is present and appears valid - **Authorization Code**: Valid codes are received from Google ## Impact - **Severity**: High - Google OAuth login is completely non-functional - **Users Affected**: All users attempting to use Google OAuth login - **Workaround**: Users must use email/password authentication (if enabled) ## Related Issues This issue appears related to: - OAuth callback handler not processing authorization codes - OAuth configuration not being loaded from environment variables - Silent failure in OAuth callback processing ## Request Please investigate why: 1. The OAuth callback handler receives codes but doesn't process them 2. No errors are logged despite DEBUG logging enabled 3. API config shows OAuth disabled despite environment variables being set 4. The callback handler redirects to login instead of processing the OAuth flow
GiteaMirror added the bug label 2026-05-18 04:17:10 -05:00
Author
Owner

@owui-terminator[bot] commented on GitHub (Dec 23, 2025):

🔍 Similar Issues Found

I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:

  1. #19823 Issue: Auth 2.1 Authorization/Token retrival is broken in v0.6.41
    by mllab-nl • Dec 08, 2025 • bug

  2. #19792 issue: OAuth Login redirects to https://openwebui.domain.org/oauth/oidc/openwebui.domain.org after succesful login
    by StNiosem • Dec 06, 2025 • bug

  3. #16512 Issue: Google OAuth - after confirming the account redirected to the auth page
    by dmytropoltorak • Aug 12, 2025 • bug

  4. #19148 issue: Verify OAuth mcp server sends incorrect authorization header
    by Oleg52 • Nov 12, 2025 • bug

  5. #12057 issue: Google oauth redirect does not work
    by frenzybiscuit • Mar 25, 2025 • bug

Show 5 more related issues
  1. #12581 issue: Error Logout with Google Oauth
    by mballesterosc • Apr 07, 2025 • bug

  2. #15551 issue: OAuth Role Management Ignored: OAUTH_ALLOWED_ROLES and OAUTH_ADMIN_ROLES Not Applied on OIDC Login
    by Hani-K • Jul 06, 2025 • bug

  3. #3552 Google OAuth authentication fails
    by m8i-51 • Jun 30, 2024

  4. #5340 Can't make Google Oauth work
    by nick-fullpath • Sep 11, 2024

  5. #19131 issue: client_id parameter is not passed in authorize access token request with OIDC provider
    by Oleg52 • Nov 12, 2025 • bug


💡 Tips:

  • If this is a duplicate, please consider closing this issue and adding any additional details to the existing one
  • If you found a solution in any of these issues, please share it here to help others

This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.

<!-- gh-comment-id:3686767842 --> @owui-terminator[bot] commented on GitHub (Dec 23, 2025): 🔍 **Similar Issues Found** I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions: 1. [#19823](https://github.com/open-webui/open-webui/issues/19823) **Issue: Auth 2.1 Authorization/Token retrival is broken in v0.6.41** *by mllab-nl • Dec 08, 2025 • `bug`* 2. [#19792](https://github.com/open-webui/open-webui/issues/19792) **issue: OAuth Login redirects to https://openwebui.domain.org/oauth/oidc/openwebui.domain.org after succesful login** *by StNiosem • Dec 06, 2025 • `bug`* 3. [#16512](https://github.com/open-webui/open-webui/issues/16512) **Issue: Google OAuth - after confirming the account redirected to the auth page** *by dmytropoltorak • Aug 12, 2025 • `bug`* 4. [#19148](https://github.com/open-webui/open-webui/issues/19148) **issue: Verify OAuth mcp server sends incorrect authorization header** *by Oleg52 • Nov 12, 2025 • `bug`* 5. [#12057](https://github.com/open-webui/open-webui/issues/12057) **issue: Google oauth redirect does not work** *by frenzybiscuit • Mar 25, 2025 • `bug`* <details> <summary>Show 5 more related issues</summary> 6. [#12581](https://github.com/open-webui/open-webui/issues/12581) **issue: Error Logout with Google Oauth** *by mballesterosc • Apr 07, 2025 • `bug`* 7. [#15551](https://github.com/open-webui/open-webui/issues/15551) **issue: OAuth Role Management Ignored: OAUTH_ALLOWED_ROLES and OAUTH_ADMIN_ROLES Not Applied on OIDC Login** *by Hani-K • Jul 06, 2025 • `bug`* 8. [#3552](https://github.com/open-webui/open-webui/issues/3552) **Google OAuth authentication fails** *by m8i-51 • Jun 30, 2024* 9. [#5340](https://github.com/open-webui/open-webui/issues/5340) **Can't make Google Oauth work** *by nick-fullpath • Sep 11, 2024* 10. [#19131](https://github.com/open-webui/open-webui/issues/19131) **issue: client_id parameter is not passed in authorize access token request with OIDC provider** *by Oleg52 • Nov 12, 2025 • `bug`* </details> --- 💡 **Tips:** - If this is a duplicate, please consider closing this issue and adding any additional details to the existing one - If you found a solution in any of these issues, please share it here to help others *This comment was generated automatically by a bot.* Please react with a 👍 if this comment was helpful, or a 👎 if it was not.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#106092