[GH-ISSUE #24615] issue: Older OAuth session deletion not being reflected in the frontend when OAUTH_MAX_SESSIONS_PER_USER is set to 1 #123671

Open
opened 2026-05-21 03:05:51 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @shubhankar-ncp on GitHub (May 12, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24615

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

v0.8.8

Ollama Version (if applicable)

No response

Operating System

Windows 11

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

  1. OAUTH_MAX_SESSIONS_PER_USER is set to 1
  2. User logs in to Open-WebUI using OIDC/SSO on device A, a new OAuth session is started.
  3. User logs into device B, another OAuth session is started
  4. The OAuth session on device A is deleted since OAUTH_MAX_SESSIONS_PER_USER is set to 1.
  5. User can no more interact with session on device A, but can continue interacting with session on device B.

Actual Behavior

  1. OAUTH_MAX_SESSIONS_PER_USER is set to 1
  2. User logs in to Open-WebUI using OIDC/SSO on device A, a new OAuth session is started.
  3. User logs into device B, another OAuth session is started
  4. The OAuth session on device A is deleted since OAUTH_MAX_SESSIONS_PER_USER is set to 1
  5. User can still interact with session on device A, and is able to continue interacting with session on device B

Steps to Reproduce

  1. Set the following environment variables to the corresponding values:
  • ENABLE_OAUTH_SIGNUP: True
  • OAUTH_MERGE_ACCOUNTS_BY_EMAIL: True
  • OAUTH_CLIENT_ID:
  • OAUTH_CLIENT_SECRET:
  • OPENID_PROVIDER_URL: <Corresponding OpenID provider's URL, in my case it is a company internal provider>
  • OAUTH_PROVIDER_NAME:
  • OAUTH_SCOPES: openid email profile
  • WEBUI_SECRET_KEY:
  • OAUTH_SESSION_TOKEN_ENCRYPTION_KEY: WEBUI_SECRET_KEY
  • ENABLE_OAUTH_ID_TOKEN_COOKIE: true
  • OAUTH_USERNAME_CLAIM: given_name
  • OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE: true
  • OAUTH_MAX_SESSIONS_PER_USER: 1
  1. Log into Open-WebUI through the OIDC method which should be enabled after OAuth signup and other related environment variables are set, do this on device A.
  2. User should log into a different device B.
  3. Session on device A is still active and can be interacted with, completions are generated and it seems to work normally, but the OAUTH_MAX_SESSIONS_PER_USER should actually cap the number of active sessions to 1.

Logs & Screenshots

Log in the open-webui pod after logging into a new session on device B, indicating last session cannot be found:

2026-05-12 10:22:49.415 | WARNING | open_webui.utils.oauth:get_oauth_token:980 - No OAuth session found for user ed48f8b8-33ae-4c4a-b696-81057d937577, session b48a75e5-af65-4b57-b873-55fe1f1af7cf

The supposedly deleted session after the above log:

Image

The new session:

Image

Additional Information

Open-WebUI is deployed through Helm chart version 12.8.1 from the repo https://helm.openwebui.com/ on Openshift.

According to the documentation regarding OAUTH_MAX_SESSIONS_PER_USER, the older session should be purged since the value of the variable is set to one. However, the older session can still be interacted with normally.

Originally created by @shubhankar-ncp on GitHub (May 12, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/24615 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [ ] I am using the latest version of Open WebUI. ### Installation Method Other ### Open WebUI Version v0.8.8 ### Ollama Version (if applicable) _No response_ ### Operating System Windows 11 ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [ ] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior 1. OAUTH_MAX_SESSIONS_PER_USER is set to 1 2. User logs in to Open-WebUI using OIDC/SSO on device A, a new OAuth session is started. 3. User logs into device B, another OAuth session is started 4. The OAuth session on device A is deleted since OAUTH_MAX_SESSIONS_PER_USER is set to 1. 5. User can no more interact with session on device A, but can continue interacting with session on device B. ### Actual Behavior 1. OAUTH_MAX_SESSIONS_PER_USER is set to 1 2. User logs in to Open-WebUI using OIDC/SSO on device A, a new OAuth session is started. 3. User logs into device B, another OAuth session is started 4. The OAuth session on device A is deleted since OAUTH_MAX_SESSIONS_PER_USER is set to 1 5. User can still interact with session on device A, and is able to continue interacting with session on device B ### Steps to Reproduce 1. Set the following environment variables to the corresponding values: - ENABLE_OAUTH_SIGNUP: True - OAUTH_MERGE_ACCOUNTS_BY_EMAIL: True - OAUTH_CLIENT_ID: <Client ID as set on your system> - OAUTH_CLIENT_SECRET: <Client Secret as set on your system> - OPENID_PROVIDER_URL: <Corresponding OpenID provider's URL, in my case it is a company internal provider> - OAUTH_PROVIDER_NAME: <Corresponding provider name> - OAUTH_SCOPES: openid email profile - WEBUI_SECRET_KEY: <corresponding WEBUI_SECRET_KEY> - OAUTH_SESSION_TOKEN_ENCRYPTION_KEY: WEBUI_SECRET_KEY - ENABLE_OAUTH_ID_TOKEN_COOKIE: true - OAUTH_USERNAME_CLAIM: given_name - OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE: true - **OAUTH_MAX_SESSIONS_PER_USER: 1** 2. Log into Open-WebUI through the OIDC method which should be enabled after OAuth signup and other related environment variables are set, do this on device A. 3. User should log into a different device B. 4. Session on device A is still active and can be interacted with, completions are generated and it seems to work normally, but the OAUTH_MAX_SESSIONS_PER_USER should actually cap the number of active sessions to 1. ### Logs & Screenshots Log in the open-webui pod after logging into a new session on device B, indicating last session cannot be found: 2026-05-12 10:22:49.415 | WARNING | open_webui.utils.oauth:get_oauth_token:980 - No OAuth session found for user ed48f8b8-33ae-4c4a-b696-81057d937577, session b48a75e5-af65-4b57-b873-55fe1f1af7cf The supposedly deleted session after the above log: <img width="1167" height="1887" alt="Image" src="https://github.com/user-attachments/assets/faa2f7e0-cb91-4be8-bde7-7831366c026a" /> The new session: <img width="1163" height="557" alt="Image" src="https://github.com/user-attachments/assets/d4ba85d4-6e25-469e-ab90-6928e97251a7" /> ### Additional Information Open-WebUI is deployed through Helm chart version 12.8.1 from the repo https://helm.openwebui.com/ on Openshift. According to the documentation regarding OAUTH_MAX_SESSIONS_PER_USER, the older session should be purged since the value of the variable is set to one. However, the older session can still be interacted with normally.
GiteaMirror added the bug label 2026-05-21 03:05:51 -05:00
Author
Owner

@owui-terminator[bot] commented on GitHub (May 12, 2026):

🔍 Related Issues Found

I found some existing issues that might be related. Please check if any of these are duplicates or contain helpful solutions:

  1. 🟣 #21647 bug: OAuth sessions deleted on re-login, breaking multi-device usage
    This is the closest match: it describes OAuth sessions being deleted on re-login so another device's session remains usable only until it tries to use the missing server-side session. The new issue differs in that the deletion is triggered by the session limit setting, but the underlying symptom and multi-device session inconsistency are the same.
    by gboston

  2. 🟣 #23234 feat: Configurable maximum lifespan for OAuth sessions
    This feature request is about adding a configurable maximum OAuth session lifespan, which is adjacent to the new issue's session-management behavior. It is less direct than #21647, but still relevant because both concern how OAuth sessions are retained or invalidated over time.
    by lorenzophys


💡 If your issue is a duplicate, please close it and add any additional details to the existing issue instead.

This comment was generated automatically. React with 👍 if helpful, 👎 if not.

<!-- gh-comment-id:4430234633 --> @owui-terminator[bot] commented on GitHub (May 12, 2026): <!-- terminator-bot:related-issues-reply --> 🔍 **Related Issues Found** I found some existing issues that might be related. Please check if any of these are duplicates or contain helpful solutions: 1. 🟣 [#21647](https://github.com/open-webui/open-webui/issues/21647) **bug: OAuth sessions deleted on re-login, breaking multi-device usage** *This is the closest match: it describes OAuth sessions being deleted on re-login so another device's session remains usable only until it tries to use the missing server-side session. The new issue differs in that the deletion is triggered by the session limit setting, but the underlying symptom and multi-device session inconsistency are the same.* *by gboston* 2. 🟣 [#23234](https://github.com/open-webui/open-webui/issues/23234) **feat: Configurable maximum lifespan for OAuth sessions** *This feature request is about adding a configurable maximum OAuth session lifespan, which is adjacent to the new issue's session-management behavior. It is less direct than #21647, but still relevant because both concern how OAuth sessions are retained or invalidated over time.* *by lorenzophys* --- 💡 If your issue is a duplicate, please close it and add any additional details to the existing issue instead. *This comment was generated automatically.* React with 👍 if helpful, 👎 if not.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#123671