[PR #15691] [CLOSED] Fix oauth logout #111224

Closed
opened 2026-05-18 11:00:09 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/15691
Author: @Hisma
Created: 7/13/2025
Status: Closed

Base: devHead: fix-oauth-logout


📝 Commits (10+)

  • bd99da4 fix: implement dynamic OpenID discovery for OAuth logout across providers
  • 904a8e9 fix: construct post logout redirect
  • 9656128 fix: import quote from urllib.parse
  • e018b92 fix: update oauth.py to address "mismatching_state: CSRF Warning!" warning in log
  • 2cbd9f3 use starlette RedirectResponse instead of fastapi
  • 6590945 missing comma
  • 0606fbe ci formatting fix
  • 10ecbc3 post formatter fix
  • af0f2ce Merge remote-tracking branch 'upstream/dev' into fix-oauth-logout
  • 944b61d merge updates from dev branch to auth.py

📊 Changes

1 file changed (+71 additions, -9 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+71 -9)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • Target branch: Please verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Have you written and run sufficient tests to validate the changes?
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

  • Implements proper OAuth logout support for all providers (Google, Microsoft, GitHub, Generic/OpenID) by dynamically handling OIDC logout endpoints, adding necessary parameters for Microsoft Entra ID, and gracefully managing front-channel logout notifications to eliminate CSRF warnings. This fixes the 500 error on logout and improves redirect behavior, motivated by user reports of failed signouts and incomplete provider support.

Added

  • Dynamic construction of OIDC discovery URLs based on iss and aud claims from oauth_id_token in auths.py.
  • Support for post_logout_redirect_uri and client_id parameters in logout URLs, prioritizing WEBUI_AUTH_SIGNOUT_REDIRECT_URL.
  • Early detection and handling of front-channel logout notifications in oauth.py to return 200 OK silently.
  • Imports for jwt and quote from urllib.parse in auths.py.
  • Import for Response from fastapi in oauth.py.

Changed

  • Updated signout function in auths.py to use decoded token claims for provider-specific logout logic.
  • Modified handle_callback in oauth.py to short-circuit on sid param without state for logout notifications.

Deprecated

  • None

Removed

  • None

Fixed

  • 500 error on OAuth logout for non-generic providers (e.g., Microsoft Entra ID).
  • Hanging redirect after provider logout by adding post_logout_redirect_uri.
  • CSRF state mismatch warnings in logs during front-channel logout notifications.

Security

  • None

Breaking Changes

  • None

Additional Information

  • This PR resolves the issue discussed in #15007, where logout failed for Microsoft Entra ID and lacked support for other providers.
  • Documentation: Suggest updating Open WebUI Docs for OAuth setup, noting to register post_logout_redirect_uri (e.g., /signin) in provider app registrations (e.g., Azure Entra ID under Authentication > Redirect URIs).
  • Testing: Verified with Microsoft Entra ID (login/logout cycle, redirects, no errors); compatible with Google (skips if no endpoint), GitHub (non-OIDC, skips), and generic OIDC. Logs show clean handling without warnings. Testing was performed using the following environment variables:
  • MICROSOFT_CLIENT_ID=${OAUTH_CLIENT_ID}
  • MICROSOFT_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
  • MICROSOFT_CLIENT_TENANT_ID=${AZURE_TENANT_ID}
  • MICROSOFT_REDIRECT_URI=${MICROSOFT_REDIRECT_URI}
  • ENABLE_OAUTH_SIGNUP=true
  • ENABLE_LOGIN_FORM=false
  • OAUTH_ALLOWED_DOMAINS=${OAUTH_ALLOWED_DOMAINS}
  • OAUTH_MERGE_ACCOUNTS_BY_EMAIL=${OAUTH_MERGE_ACCOUNTS_BY_EMAIL}
  • OAUTH_UPDATE_PICTURE_ON_LOGIN=true
  • WEBUI_AUTH_SIGNOUT_REDIRECT_URL=${WEBUI_AUTH_SIGNOUT_REDIRECT_URL}
  • ^^ Note that the WEBUI_AUTH_SIGNOUT_REDIRECT_URL should be set to your domain's root login page, i.e., <owuiaddress>/login

Screenshots or Videos

Testing was performing by building a dev container docker build --build-arg USE_CUDA=true --build-arg USE_CUDA_VER=cu121 --build-arg USE_OLLAMA=false -t openwebui-custom:dev .

  • Screenshot of successful Microsoft logout page:
    image
    returned back to login screen:
    image

  • Backend log snippet demonstrating proper logout behavior (no errors/CSRF warnings):

    2025-07-13 16:42:48.416 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /api/usage HTTP/1.1" 200 - {}
    2025-07-13 16:42:50.429 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /api/v1/auths/signout HTTP/1.1" 200 - {}
    2025-07-13 16:42:55.450 | INFO     | open_webui.utils.oauth:handle_callback:352 - Handling front-channel logout notification - {}
    2025-07-13 16:42:55.452 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /oauth/microsoft/callback?sid=006cd379-248a-bdc4-c55a-6f24ab9df1fb HTTP/1.1" 200 - {}
    2025-07-13 16:43:01.397 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /login HTTP/1.1" 200 - {}
    

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/15691 **Author:** [@Hisma](https://github.com/Hisma) **Created:** 7/13/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix-oauth-logout` --- ### 📝 Commits (10+) - [`bd99da4`](https://github.com/open-webui/open-webui/commit/bd99da48c47f149343d943c6f5615a0b0309c72a) fix: implement dynamic OpenID discovery for OAuth logout across providers - [`904a8e9`](https://github.com/open-webui/open-webui/commit/904a8e90f7b5827c6f670c629dd243b8077a9b19) fix: construct post logout redirect - [`9656128`](https://github.com/open-webui/open-webui/commit/96561287bde147ca581169f1896ce8a5718acf95) fix: import quote from urllib.parse - [`e018b92`](https://github.com/open-webui/open-webui/commit/e018b92c59f9f263404723d3640de9c6da7400ed) fix: update oauth.py to address "mismatching_state: CSRF Warning!" warning in log - [`2cbd9f3`](https://github.com/open-webui/open-webui/commit/2cbd9f3342ceaf977ffe576d0d0df60181874324) use starlette RedirectResponse instead of fastapi - [`6590945`](https://github.com/open-webui/open-webui/commit/6590945b6ac1b5f5095a7201e6a78c8249646990) missing comma - [`0606fbe`](https://github.com/open-webui/open-webui/commit/0606fbeabaeab4c59bdf9f4ee212a5b4f3691003) ci formatting fix - [`10ecbc3`](https://github.com/open-webui/open-webui/commit/10ecbc3cb55c4b8133ab9dff03d3868a41e373d5) post formatter fix - [`af0f2ce`](https://github.com/open-webui/open-webui/commit/af0f2ce414b24f858672cefda87b35392a96beaa) Merge remote-tracking branch 'upstream/dev' into fix-oauth-logout - [`944b61d`](https://github.com/open-webui/open-webui/commit/944b61dbacf51210b6c9e4d1136902617d45c861) merge updates from dev branch to auth.py ### 📊 Changes **1 file changed** (+71 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+71 -9) </details> ### 📄 Description # Pull Request Checklist ### Note to first-time contributors: Please open a discussion post in [Discussions](https://github.com/open-webui/open-webui/discussions) and describe your changes before submitting a pull request. **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Please verify that the pull request targets the `dev` branch. - [x] **Description:** Provide a concise description of the changes made in this pull request. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [x] **Documentation:** Have you updated relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs), or other documentation sources? - [x] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [x] **Testing:** Have you written and run sufficient tests to validate the changes? - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **BREAKING CHANGE**: Significant changes that may affect compatibility - **build**: Changes that affect the build system or external dependencies - **ci**: Changes to our continuous integration processes or workflows - **chore**: Refactor, cleanup, or other non-functional code changes - **docs**: Documentation update or addition - **feat**: Introduces a new feature or enhancement to the codebase - **fix**: Bug fix or error correction - **i18n**: Internationalization or localization changes - **perf**: Performance improvement - **refactor**: Code restructuring for better maintainability, readability, or scalability - **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.) - **test**: Adding missing tests or correcting existing tests - **WIP**: Work in progress, a temporary label for incomplete or ongoing work # Changelog Entry ### Description - Implements proper OAuth logout support for all providers (Google, Microsoft, GitHub, Generic/OpenID) by dynamically handling OIDC logout endpoints, adding necessary parameters for Microsoft Entra ID, and gracefully managing front-channel logout notifications to eliminate CSRF warnings. This fixes the 500 error on logout and improves redirect behavior, motivated by user reports of failed signouts and incomplete provider support. ### Added - Dynamic construction of OIDC discovery URLs based on `iss` and `aud` claims from `oauth_id_token` in `auths.py`. - Support for `post_logout_redirect_uri` and `client_id` parameters in logout URLs, prioritizing `WEBUI_AUTH_SIGNOUT_REDIRECT_URL`. - Early detection and handling of front-channel logout notifications in `oauth.py` to return 200 OK silently. - Imports for `jwt` and `quote` from `urllib.parse` in `auths.py`. - Import for `Response` from `fastapi` in `oauth.py`. ### Changed - Updated `signout` function in `auths.py` to use decoded token claims for provider-specific logout logic. - Modified `handle_callback` in `oauth.py` to short-circuit on `sid` param without `state` for logout notifications. ### Deprecated - None ### Removed - None ### Fixed - 500 error on OAuth logout for non-generic providers (e.g., Microsoft Entra ID). - Hanging redirect after provider logout by adding `post_logout_redirect_uri`. - CSRF state mismatch warnings in logs during front-channel logout notifications. ### Security - None ### Breaking Changes - None --- ### Additional Information - This PR resolves the issue discussed in #15007, where logout failed for Microsoft Entra ID and lacked support for other providers. - Documentation: Suggest updating [Open WebUI Docs](https://github.com/open-webui/docs) for OAuth setup, noting to register `post_logout_redirect_uri` (e.g., `/signin`) in provider app registrations (e.g., Azure Entra ID under Authentication > Redirect URIs). - Testing: Verified with Microsoft Entra ID (login/logout cycle, redirects, no errors); compatible with Google (skips if no endpoint), GitHub (non-OIDC, skips), and generic OIDC. Logs show clean handling without warnings. Testing was performed using the following environment variables: - MICROSOFT_CLIENT_ID=${OAUTH_CLIENT_ID} - MICROSOFT_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} - MICROSOFT_CLIENT_TENANT_ID=${AZURE_TENANT_ID} - MICROSOFT_REDIRECT_URI=${MICROSOFT_REDIRECT_URI} - ENABLE_OAUTH_SIGNUP=true - ENABLE_LOGIN_FORM=false - OAUTH_ALLOWED_DOMAINS=${OAUTH_ALLOWED_DOMAINS} - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=${OAUTH_MERGE_ACCOUNTS_BY_EMAIL} - OAUTH_UPDATE_PICTURE_ON_LOGIN=true - WEBUI_AUTH_SIGNOUT_REDIRECT_URL=${WEBUI_AUTH_SIGNOUT_REDIRECT_URL} - ^^ **Note** that the WEBUI_AUTH_SIGNOUT_REDIRECT_URL should be set to your domain's root login page, i.e., `<owuiaddress>/login` ### Screenshots or Videos Testing was performing by building a dev container `docker build --build-arg USE_CUDA=true --build-arg USE_CUDA_VER=cu121 --build-arg USE_OLLAMA=false -t openwebui-custom:dev .` - Screenshot of successful Microsoft logout page: <img width="1569" height="1315" alt="image" src="https://github.com/user-attachments/assets/f7c445b3-566b-4976-ba3d-8ed02fe48693" /> returned back to login screen: <img width="1621" height="880" alt="image" src="https://github.com/user-attachments/assets/00f4a165-60bf-4a14-831d-0ceec7802d5d" /> - Backend log snippet demonstrating proper logout behavior (no errors/CSRF warnings): ``` 2025-07-13 16:42:48.416 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /api/usage HTTP/1.1" 200 - {} 2025-07-13 16:42:50.429 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /api/v1/auths/signout HTTP/1.1" 200 - {} 2025-07-13 16:42:55.450 | INFO | open_webui.utils.oauth:handle_callback:352 - Handling front-channel logout notification - {} 2025-07-13 16:42:55.452 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /oauth/microsoft/callback?sid=006cd379-248a-bdc4-c55a-6f24ab9df1fb HTTP/1.1" 200 - {} 2025-07-13 16:43:01.397 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.18.0.1:0 - "GET /login HTTP/1.1" 200 - {} ``` ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 11:00:09 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#111224