[GH-ISSUE #19415] issue: v0.6.37 breaks Okta OAuth: "Cannot supply multiple client credentials" error #122179

Closed
opened 2026-05-21 00:41:09 -05:00 by GiteaMirror · 18 comments
Owner

Originally created by @WonwooKang on GitHub (Nov 24, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19415

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.37

Ollama Version (if applicable)

No response

Operating System

macOS Tahoe 26.1

Browser (if applicable)

Chrome 142.0

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Login via Okta should be successful.

Actual Behavior

Despite not using an email address or password, the following error message appears and the login attempt fails.

"The email or password provided is incorrect. Please check for typos and try logging in again."

Steps to Reproduce

First, let me share the case where I was able to get it working through a manual modification.

File: backend/open_webui/utils/oauth.py
Line: ~1283
Git Diff Link : https://github.com/open-webui/open-webui/pull/19132/files#diff-18f89641054f18680b1073ddaf7fb3e8d5b193533ee6dd79b89b60477d2dca61R1235

Change:

# Before (broken in v0.6.37)
token = await client.authorize_access_token(request, **auth_params)

# After (working fix)
token = await client.authorize_access_token(request)

After this change, the login succeeded.


running steps

  1. Run using the docker-compose.yml file below
docker compose pull
docker compose build --no-cache
docker compose up -d --force-recreate
services:
  # local test db
  postgres:
    image: postgres:15
    container_name: postgres
    environment:
      POSTGRES_USER: root
      POSTGRES_PASSWORD: rootpassword
      POSTGRES_DB: open-webui
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - oui-test-network

  # Open WebUI
  openwebui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: openwebui
    depends_on:
      - postgres
    ports:
      - "3000:8080"
    volumes:
      - open-webui:/app/backend/data
    networks:
      - oui-test-network
    environment:
      DATABASE_URL: postgresql://root:rootpassword@postgres:5432/open-webui
      ENABLE_LOGIN_FORM: false # dislable form login

      # Okta 설정추가 - PersistentConfig
      ENABLE_OAUTH_SIGNUP: true
      OAUTH_CLIENT_ID: "your_okta_client_id_here"
      OAUTH_CLIENT_SECRET: "your_okta_client_secret_here"
      OPENID_PROVIDER_URL: https://your-domain.okta.com/.well-known/openid-configuration
      # for redirect
      WEBUI_URL: http://localhost:3000
      USE_SLIM: true
      GLOBAL_LOG_LEVEL: DEBUG

      # Tried but didn't work
      # ENABLE_PASSWORD_AUTH: false
      # OAUTH_TOKEN_ENDPOINT_AUTH_METHOD: client_secret_basic or client_secret_post

networks:
  oui-test-network:
    driver: bridge

volumes:
  postgres_data:
  open-webui:
  1. and Log in with sso

Logs & Screenshots

Docker Container Log summary

httpx._client:_send_single_request:1740 - HTTP Request: GET https://[okta uri]/.well-known/openid-configuration "HTTP/1.1 200 OK"
...

uvicorn.protocols.http.httptools_impl:send:476 - [ip address]:59882 - "GET /oauth/oidc/login HTTP/1.1" 302
httpcore._trace:atrace:87 - connect_tcp.started host='[okta uri]' port=443 local_address=None timeout=5.0 socket_options=None
...

httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 401, b'Unauthorized',  ...
httpx._client:_send_single_request:1740 - HTTP Request: POST https://[okta uri]/oauth2/v1/token "HTTP/1.1 401 Unauthorized"


authlib.integrations.base_client.errors.OAuthError: invalid_request: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.

According to an AI analysis, it seems that Open WebUI sends client_id and client_secret in both the Authorization header and the POST body simultaneously.
Since Okta only allows one method, it appears to reject the request.

Screen Shot

Image

Additional Information

No response

Originally created by @WonwooKang on GitHub (Nov 24, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/19415 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.6.37 ### Ollama Version (if applicable) _No response_ ### Operating System macOS Tahoe 26.1 ### Browser (if applicable) Chrome 142.0 ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Login via Okta should be successful. ### Actual Behavior Despite not using an email address or password, the following error message appears and the login attempt fails. "The email or password provided is incorrect. Please check for typos and try logging in again." ### Steps to Reproduce First, let me share the case where I was able to get it working through a manual modification. **File:** `backend/open_webui/utils/oauth.py` **Line:** ~1283 **Git Diff Link** : https://github.com/open-webui/open-webui/pull/19132/files#diff-18f89641054f18680b1073ddaf7fb3e8d5b193533ee6dd79b89b60477d2dca61R1235 **Change:** ```python # Before (broken in v0.6.37) token = await client.authorize_access_token(request, **auth_params) # After (working fix) token = await client.authorize_access_token(request) ``` After this change, the login succeeded. --- running steps 1. Run using the docker-compose.yml file below ```shell docker compose pull docker compose build --no-cache docker compose up -d --force-recreate ``` ```YAML services: # local test db postgres: image: postgres:15 container_name: postgres environment: POSTGRES_USER: root POSTGRES_PASSWORD: rootpassword POSTGRES_DB: open-webui ports: - "5432:5432" volumes: - postgres_data:/var/lib/postgresql/data networks: - oui-test-network # Open WebUI openwebui: image: ghcr.io/open-webui/open-webui:main container_name: openwebui depends_on: - postgres ports: - "3000:8080" volumes: - open-webui:/app/backend/data networks: - oui-test-network environment: DATABASE_URL: postgresql://root:rootpassword@postgres:5432/open-webui ENABLE_LOGIN_FORM: false # dislable form login # Okta 설정추가 - PersistentConfig ENABLE_OAUTH_SIGNUP: true OAUTH_CLIENT_ID: "your_okta_client_id_here" OAUTH_CLIENT_SECRET: "your_okta_client_secret_here" OPENID_PROVIDER_URL: https://your-domain.okta.com/.well-known/openid-configuration # for redirect WEBUI_URL: http://localhost:3000 USE_SLIM: true GLOBAL_LOG_LEVEL: DEBUG # Tried but didn't work # ENABLE_PASSWORD_AUTH: false # OAUTH_TOKEN_ENDPOINT_AUTH_METHOD: client_secret_basic or client_secret_post networks: oui-test-network: driver: bridge volumes: postgres_data: open-webui: ``` 2. and Log in with sso ### Logs & Screenshots ### Docker Container Log summary ```text httpx._client:_send_single_request:1740 - HTTP Request: GET https://[okta uri]/.well-known/openid-configuration "HTTP/1.1 200 OK" ... uvicorn.protocols.http.httptools_impl:send:476 - [ip address]:59882 - "GET /oauth/oidc/login HTTP/1.1" 302 httpcore._trace:atrace:87 - connect_tcp.started host='[okta uri]' port=443 local_address=None timeout=5.0 socket_options=None ... httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 401, b'Unauthorized', ... httpx._client:_send_single_request:1740 - HTTP Request: POST https://[okta uri]/oauth2/v1/token "HTTP/1.1 401 Unauthorized" authlib.integrations.base_client.errors.OAuthError: invalid_request: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body. ``` According to an AI analysis, it seems that Open WebUI sends client_id and client_secret in both the Authorization header and the POST body simultaneously. Since Okta only allows one method, it appears to reject the request. ### Screen Shot <img width="687" height="593" alt="Image" src="https://github.com/user-attachments/assets/5de448d2-7ce3-46d8-aa79-08b1e5a4232d" /> ### Additional Information _No response_
GiteaMirror added the bug label 2026-05-21 00:41:09 -05:00
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

@WonwooKang Could you confirm this isn't caused by a misconfiguration from Okta-end?

@Classic298 are you seeing something like this?

<!-- gh-comment-id:3570067620 --> @tjbck commented on GitHub (Nov 24, 2025): @WonwooKang Could you confirm this isn't caused by a misconfiguration from Okta-end? @Classic298 are you seeing something like this?
Author
Owner

@Classic298 commented on GitHub (Nov 24, 2025):

I am not using okta

<!-- gh-comment-id:3570078591 --> @Classic298 commented on GitHub (Nov 24, 2025): I am not using okta
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

@tjbck The Okta settings I’m using are the same ones I’ve had configured since earlier versions,
and everything worked fine up to v0.6.36,
so I reported this as an issue first.

I’ll also try adjusting various Okta settings on my side to see if anything changes.

<!-- gh-comment-id:3570118627 --> @WonwooKang commented on GitHub (Nov 24, 2025): @tjbck The Okta settings I’m using are the same ones I’ve had configured since earlier versions, and everything worked fine up to v0.6.36, so I reported this as an issue first. I’ll also try adjusting various Okta settings on my side to see if anything changes.
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

Might've been addressed in dev, confirmation wanted here!

<!-- gh-comment-id:3570177719 --> @tjbck commented on GitHub (Nov 24, 2025): Might've been addressed in dev, confirmation wanted here!
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

It’s likely that Okta is strictly adhering to the OAuth specification,
and according to RFC 6749 Section 2.3: link

‘The client MUST NOT use more than one authentication method in each request.’

Based on this, I suspect this may be the root cause of the issue.

I don’t know the full details of the OpenWebUI internals, but based on an AI analysis,
Authlib seems to add the parameters passed through auth_params into the request body,
while the default behavior of ClientAuth is to include the credentials in the header.

If that’s correct..
the combined behavior might be violating the RFC 6749 requirement.

<!-- gh-comment-id:3570204414 --> @WonwooKang commented on GitHub (Nov 24, 2025): It’s likely that Okta is strictly adhering to the OAuth specification, and according to RFC 6749 Section 2.3: [link](https://www.rfc-editor.org/rfc/rfc6749) ‘The client MUST NOT use more than one authentication method in each request.’ Based on this, I suspect this may be the root cause of the issue. I don’t know the full details of the OpenWebUI internals, but based on an AI analysis, Authlib seems to add the parameters passed through auth_params into the request body, while the default behavior of ClientAuth is to include the credentials in the header. If that’s correct.. the combined behavior might be violating the RFC 6749 requirement.
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

@WonwooKang could you try pulling the latest dev?

<!-- gh-comment-id:3570212021 --> @tjbck commented on GitHub (Nov 24, 2025): @WonwooKang could you try pulling the latest dev?
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

@tjbck I also tried switching the image to
image: ghcr.io/open-webui/open-webui:dev,
but the behavior appears to be the same.

Is there another image tag I should be using instead?

open_webui.utils.oauth:handle_callback:1284 - OAuth callback error during authorize_access_token for provider oidc: OAuth callback failed: invalid_request: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_asser...
<!-- gh-comment-id:3570244345 --> @WonwooKang commented on GitHub (Nov 24, 2025): @tjbck I also tried switching the image to `image: ghcr.io/open-webui/open-webui:dev,` but the behavior appears to be the same. Is there another image tag I should be using instead? ```text open_webui.utils.oauth:handle_callback:1284 - OAuth callback error during authorize_access_token for provider oidc: OAuth callback failed: invalid_request: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_asser... ```
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

I’ll give it another try.

<!-- gh-comment-id:3570255371 --> @WonwooKang commented on GitHub (Nov 24, 2025): I’ll give it another try.
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

@WonwooKang you might've pull the outdated dev image, let me know if the current latest still raise an error.

<!-- gh-comment-id:3570270721 --> @tjbck commented on GitHub (Nov 24, 2025): @WonwooKang you might've pull the outdated dev image, let me know if the current latest still raise an error.
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

@tjbck I confirmed the version using the temporary code change,
but the issue still seems to persist.

token = await client.authorize_access_token(request, **auth_params)
# token = await client.authorize_access_token(request)

and..

docker cp ./oauth.py openwebui:/app/backend/open_webui/utils/oauth.py

version check
Image

Reverting the change and checking again results in the same warning.

OAuth callback error during authorize_access_token for provider oidc: OAuth callback failed: invalid_request: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_asser...
Image
<!-- gh-comment-id:3570317437 --> @WonwooKang commented on GitHub (Nov 24, 2025): @tjbck I confirmed the version using the temporary code change, but the issue still seems to persist. ```python token = await client.authorize_access_token(request, **auth_params) # token = await client.authorize_access_token(request) ``` and.. ```shell docker cp ./oauth.py openwebui:/app/backend/open_webui/utils/oauth.py ``` version check <img width="267" height="197" alt="Image" src="https://github.com/user-attachments/assets/592e0c2c-6067-4ffb-9a53-57922d7be7c2" /> Reverting the change and checking again results in the same warning. ```text OAuth callback error during authorize_access_token for provider oidc: OAuth callback failed: invalid_request: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_asser... ``` <img width="404" height="123" alt="Image" src="https://github.com/user-attachments/assets/6ba80045-2b30-4d75-a41f-fb1f7462e620" />
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

@WonwooKang You're using the latest ghcr.io/open-webui/open-webui:dev image correct?

<!-- gh-comment-id:3570353069 --> @tjbck commented on GitHub (Nov 24, 2025): @WonwooKang You're using the latest `ghcr.io/open-webui/open-webui:dev` image correct?
Author
Owner
<!-- gh-comment-id:3570362219 --> @tjbck commented on GitHub (Nov 24, 2025): Related: https://github.com/open-webui/open-webui/pull/19132 https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

@WonwooKang 0f8729dea2 should address it, will push 0.6.38 with your confirmation

<!-- gh-comment-id:3570387522 --> @tjbck commented on GitHub (Nov 24, 2025): @WonwooKang 0f8729dea2bd079c5a17b3fb5d193dd56ad06c56 should address it, will push 0.6.38 with your confirmation
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

@tjbck Yes, I’m using the ghcr.io/open-webui/open-webui:dev image tag.
I’ve already cleared the volumes three to four times and restarted everything.

I also tried one more time just before writing this comment,
and the behavior still seems to be the same. 😭

<!-- gh-comment-id:3570387563 --> @WonwooKang commented on GitHub (Nov 24, 2025): @tjbck Yes, I’m using the ghcr.io/open-webui/open-webui:dev image tag. I’ve already cleared the volumes three to four times and restarted everything. I also tried one more time just before writing this comment, and the behavior still seems to be the same. 😭
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

@tjbck I just reset everything once more and tested again, but it still seems to be the same.
Image

<!-- gh-comment-id:3570403654 --> @WonwooKang commented on GitHub (Nov 24, 2025): @tjbck I just reset everything once more and tested again, but it still seems to be the same. <img width="674" height="242" alt="Image" src="https://github.com/user-attachments/assets/bb4ffdc9-c003-410d-9e6e-f4fd2b63a823" />
Author
Owner

@tjbck commented on GitHub (Nov 24, 2025):

@WonwooKang you may want to wait a bit, the images are still being built.

<!-- gh-comment-id:3570407440 --> @tjbck commented on GitHub (Nov 24, 2025): @WonwooKang you may want to wait a bit, the images are still being built.
Author
Owner

@jamesmoore commented on GitHub (Nov 24, 2025):

I was getting this error with Authelia:

authelia-1  | time="2025-11-24T07:46:47Z" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Authentication failed with more than one known authentication method included in the request which is not permitted. The registered client with id 'openwebui' and the authorization server policy does not permit this malformed request. The `token_endpoint_auth_method` methods determined to be used were 'client_secret_basic', 'client_secret_post'." method=POST path=/api/oidc/token remote_ip=172.18.0.1

The latest dev image fixed it for me. Thank you.

<!-- gh-comment-id:3570412890 --> @jamesmoore commented on GitHub (Nov 24, 2025): I was getting this error with Authelia: ``` authelia-1 | time="2025-11-24T07:46:47Z" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Authentication failed with more than one known authentication method included in the request which is not permitted. The registered client with id 'openwebui' and the authorization server policy does not permit this malformed request. The `token_endpoint_auth_method` methods determined to be used were 'client_secret_basic', 'client_secret_post'." method=POST path=/api/oidc/token remote_ip=172.18.0.1 ``` The latest dev image fixed it for me. Thank you.
Author
Owner

@WonwooKang commented on GitHub (Nov 24, 2025):

@tjbck Oh, after seeing the comment above and trying it again,
it worked on my side as well.
Thank you for resolving this so quickly! 🙌

<!-- gh-comment-id:3570429023 --> @WonwooKang commented on GitHub (Nov 24, 2025): @tjbck Oh, after seeing the comment above and trying it again, it worked on my side as well. Thank you for resolving this so quickly! 🙌
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#122179