mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[GH-ISSUE #9452] OIDC login fails when email claim only available via userinfo endpoint #118822
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @mitomac on GitHub (Feb 6, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/9452
OIDC authentication issue: userinfo endpoint not called when token contains partial claims
Description
When an OIDC provider returns partial userinfo claims in the token but provides complete claims via the userinfo endpoint, authentication fails with "email is missing" error.
Environment
/app/backend/open_webui/utils/oauth.pyCurrent Behavior
The code checks for userinfo in the token and only calls the userinfo endpoint if no data is present. However, some OIDC providers (like Duke) include partial claims in the token but require the userinfo endpoint call for complete profile information.
Expected Behavior
The code should call the userinfo endpoint if required claims (like email) are missing, even if some userinfo data exists in the token.
Debugging Evidence
Debug logs show the issue clearly:
Current Code
In
/app/backend/open_webui/utils/oauth.py:Proposed Fix
Impact
This affects any OIDC provider that:
The current implementation prevents users from these providers from logging in, even when all required scopes are properly configured.
@tjbck commented on GitHub (Feb 6, 2025):
PR Welcome!