[PR #23529] [CLOSED] feat: add support for custom SSO/OAuth providers #114550

Closed
opened 2026-05-18 15:20:02 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23529
Author: @RoryChou-flux
Created: 4/9/2026
Status: Closed

Base: mainHead: feat/custom-sso-providers


📝 Commits (1)

  • c5f70bc feat: add support for custom SSO/OAuth providers

📊 Changes

8 files changed (+858 additions, -134 deletions)

View changed files

📝 backend/open_webui/config.py (+123 -0)
📝 backend/open_webui/main.py (+14 -1)
📝 backend/open_webui/routers/auths.py (+137 -0)
📝 backend/open_webui/utils/oauth.py (+39 -19)
📝 src/lib/apis/auths/index.ts (+100 -0)
📝 src/lib/components/admin/Settings.svelte (+4 -1)
📝 src/lib/components/admin/Settings/General.svelte (+364 -2)
📝 src/routes/auth/+page.svelte (+77 -111)

📄 Description

Summary

  • Allow administrators to configure multiple custom OAuth/SSO providers at runtime via Admin UI or CUSTOM_OAUTH_PROVIDERS_CONFIG environment variable
  • Enables use cases like multiple Feishu enterprises, multiple OIDC providers, or any OAuth2-compatible provider — without code changes
  • Refactors the login page to dynamically render OAuth buttons instead of hardcoding each provider

Motivation

Currently, Open WebUI hardcodes 5 OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu), each limited to a single instance. Users who need multiple instances of the same provider type (e.g., two Feishu apps for different enterprises) must modify source code. This PR adds a general-purpose custom SSO provider system that solves this limitation.

Changes

Backend

  • config.py: Add CUSTOM_OAUTH_PROVIDERS_CONFIG PersistentConfig, _build_custom_provider_register() helper, extend load_oauth_providers() to register custom providers, add provider_type and name to all built-in providers
  • utils/oauth.py: Refactor handle_callback() to support per-provider claim overrides (sub_claim, email_claim, username_claim, picture_claim, email_fallback), generalize Feishu data-unwrap via provider_type, add reload_providers() for hot-reload
  • routers/auths.py: Add admin CRUD endpoints (GET/POST/POST/{slug}/DELETE/{slug}) for custom OAuth providers with slug validation and secret redaction
  • main.py: Change /api/config oauth.providers response from {key: name_string} to {key: {name, icon_url, is_custom, provider_type}}, register CUSTOM_OAUTH_PROVIDERS_CONFIG on app state

Frontend

  • auth/+page.svelte: Replace hardcoded {#if} blocks for each OAuth provider with a single dynamic {#each} loop, preserving branded SVG icons for built-in providers and supporting icon_url or a default key icon for custom providers
  • General.svelte: Add "Custom SSO Providers" management section in Admin Settings with full CRUD UI (add/edit/delete providers, configure endpoints, claim mappings, etc.)
  • apis/auths/index.ts: Add frontend API functions for custom provider CRUD

No database migration needed

  • Custom provider configs are stored in the existing config table JSON blob
  • User.oauth JSON field already supports arbitrary provider keys
  • OAuthSession.provider text field already accepts any slug

Configuration

Via Admin UI

Admin Settings → General → Custom SSO Providers → Add Provider

Via Environment Variable

CUSTOM_OAUTH_PROVIDERS_CONFIG='[{
  "slug": "feishu-enterprise-b",
  "display_name": "Feishu Enterprise B",
  "provider_type": "feishu",
  "client_id": "cli_xxx",
  "client_secret": "xxx",
  "authorize_url": "https://accounts.feishu.cn/open-apis/authen/v1/authorize",
  "access_token_url": "https://open.feishu.cn/open-apis/authen/v2/oauth/token",
  "userinfo_endpoint": "https://open.feishu.cn/open-apis/authen/v1/user_info",
  "scope": "contact:user.base:readonly",
  "sub_claim": "user_id",
  "email_fallback": true,
  "enabled": true
}]'

Breaking Changes

  • /api/config response: oauth.providers values changed from plain strings to objects. This only affects the bundled frontend (updated in this PR) and any external consumers of this internal API.

Test plan

  • Verify existing built-in OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu) continue to work unchanged
  • Verify login page renders branded icons for built-in providers
  • Create a custom OAuth provider via Admin UI and verify it appears on the login page
  • Create a custom provider via CUSTOM_OAUTH_PROVIDERS_CONFIG env var and verify it loads on startup
  • Test OAuth login flow with a custom provider (e.g., second Feishu enterprise)
  • Test per-provider claim overrides (sub_claim, email_claim, etc.)
  • Test edit and delete of custom providers via Admin UI
  • Verify client_secret is redacted in API responses
  • Verify slug validation rejects invalid or conflicting slugs

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23529 **Author:** [@RoryChou-flux](https://github.com/RoryChou-flux) **Created:** 4/9/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `feat/custom-sso-providers` --- ### 📝 Commits (1) - [`c5f70bc`](https://github.com/open-webui/open-webui/commit/c5f70bc9462d24d8e88ef80504ec22ce5b085115) feat: add support for custom SSO/OAuth providers ### 📊 Changes **8 files changed** (+858 additions, -134 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+123 -0) 📝 `backend/open_webui/main.py` (+14 -1) 📝 `backend/open_webui/routers/auths.py` (+137 -0) 📝 `backend/open_webui/utils/oauth.py` (+39 -19) 📝 `src/lib/apis/auths/index.ts` (+100 -0) 📝 `src/lib/components/admin/Settings.svelte` (+4 -1) 📝 `src/lib/components/admin/Settings/General.svelte` (+364 -2) 📝 `src/routes/auth/+page.svelte` (+77 -111) </details> ### 📄 Description ## Summary - Allow administrators to configure **multiple custom OAuth/SSO providers** at runtime via Admin UI or `CUSTOM_OAUTH_PROVIDERS_CONFIG` environment variable - Enables use cases like multiple Feishu enterprises, multiple OIDC providers, or any OAuth2-compatible provider — without code changes - Refactors the login page to dynamically render OAuth buttons instead of hardcoding each provider ## Motivation Currently, Open WebUI hardcodes 5 OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu), each limited to a single instance. Users who need multiple instances of the same provider type (e.g., two Feishu apps for different enterprises) must modify source code. This PR adds a general-purpose custom SSO provider system that solves this limitation. ## Changes ### Backend - **`config.py`**: Add `CUSTOM_OAUTH_PROVIDERS_CONFIG` PersistentConfig, `_build_custom_provider_register()` helper, extend `load_oauth_providers()` to register custom providers, add `provider_type` and `name` to all built-in providers - **`utils/oauth.py`**: Refactor `handle_callback()` to support per-provider claim overrides (sub_claim, email_claim, username_claim, picture_claim, email_fallback), generalize Feishu data-unwrap via `provider_type`, add `reload_providers()` for hot-reload - **`routers/auths.py`**: Add admin CRUD endpoints (`GET/POST/POST/{slug}/DELETE/{slug}`) for custom OAuth providers with slug validation and secret redaction - **`main.py`**: Change `/api/config` `oauth.providers` response from `{key: name_string}` to `{key: {name, icon_url, is_custom, provider_type}}`, register `CUSTOM_OAUTH_PROVIDERS_CONFIG` on app state ### Frontend - **`auth/+page.svelte`**: Replace hardcoded `{#if}` blocks for each OAuth provider with a single dynamic `{#each}` loop, preserving branded SVG icons for built-in providers and supporting `icon_url` or a default key icon for custom providers - **`General.svelte`**: Add "Custom SSO Providers" management section in Admin Settings with full CRUD UI (add/edit/delete providers, configure endpoints, claim mappings, etc.) - **`apis/auths/index.ts`**: Add frontend API functions for custom provider CRUD ### No database migration needed - Custom provider configs are stored in the existing `config` table JSON blob - `User.oauth` JSON field already supports arbitrary provider keys - `OAuthSession.provider` text field already accepts any slug ## Configuration ### Via Admin UI Admin Settings → General → Custom SSO Providers → Add Provider ### Via Environment Variable ```bash CUSTOM_OAUTH_PROVIDERS_CONFIG='[{ "slug": "feishu-enterprise-b", "display_name": "Feishu Enterprise B", "provider_type": "feishu", "client_id": "cli_xxx", "client_secret": "xxx", "authorize_url": "https://accounts.feishu.cn/open-apis/authen/v1/authorize", "access_token_url": "https://open.feishu.cn/open-apis/authen/v2/oauth/token", "userinfo_endpoint": "https://open.feishu.cn/open-apis/authen/v1/user_info", "scope": "contact:user.base:readonly", "sub_claim": "user_id", "email_fallback": true, "enabled": true }]' ``` ## Breaking Changes - `/api/config` response: `oauth.providers` values changed from plain strings to objects. This only affects the bundled frontend (updated in this PR) and any external consumers of this internal API. ## Test plan - [ ] Verify existing built-in OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu) continue to work unchanged - [ ] Verify login page renders branded icons for built-in providers - [ ] Create a custom OAuth provider via Admin UI and verify it appears on the login page - [ ] Create a custom provider via `CUSTOM_OAUTH_PROVIDERS_CONFIG` env var and verify it loads on startup - [ ] Test OAuth login flow with a custom provider (e.g., second Feishu enterprise) - [ ] Test per-provider claim overrides (sub_claim, email_claim, etc.) - [ ] Test edit and delete of custom providers via Admin UI - [ ] Verify client_secret is redacted in API responses - [ ] Verify slug validation rejects invalid or conflicting slugs --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 15:20:02 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#114550