mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[PR #23783] [CLOSED] fix: Correct the OAuth2.1 static flow #114677
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23783
Author: @DonMul
Created: 4/16/2026
Status: ❌ Closed
Base:
dev← Head:fixOauth2.1Static📝 Commits (3)
5dc19c1fix: Correct the OAuth2.1 static flowb88c49bran ruff over the changed files for oauth2.1 static fixingb1fdd8dCorrect code styling of AddToolServerModal.svelte📊 Changes
4 files changed (+48 additions, -27 deletions)
View changed files
📝
backend/open_webui/routers/configs.py(+7 -1)📝
backend/open_webui/utils/oauth.py(+37 -25)📝
src/lib/apis/configs/index.ts(+1 -0)📝
src/lib/components/AddToolServerModal.svelte(+3 -1)📄 Description
Changelog Entry
Description
The OAuth2.1 Static workflow was not working as intended. Somewhere in the conversion of the Static OAuth2.1 authentication for MCP servers Pull Request there was some lost in translation issues i believe (because the original Pull Request has some different functionality than what has been merged. This Pull Request is intended to correct the issues.
Fixed
Additional Information
The intended flow for Static OAuth2.1 credentials is as following:
The user gets the static
client_idandclient_secretfrom the provider of the MCP serverThe user will enter these in the current modal box to manage the MCP server (see below)

The user can (optionally) verify the connection, but Must (not optional) register the client. This client will ALWAYS make use of the entered client_id and client_secret
Whenever the user selects/enables the tool server in his/her chat, the user will be redirected to the authentication page of the MCP provider

The MCP provider will do a callback to the oauth client callback URL. For the example in the screenshots above, that would be
http://localhost:3000/oauth/clients/mcp:udemy/callback. It is possible that this callback URL needs to be configured on the side of the MCP provider as well.The MCP server will then be enabled for the user and can be queried accordingly

Please let me know if there are any unclarities about this feature, i am more than willing to help!
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.