[PR #24304] [CLOSED] fix: support separate MCP OAuth issuer URL #131259

Closed
opened 2026-05-21 16:31:36 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24304
Author: @Genmin
Created: 5/1/2026
Status: Closed

Base: devHead: fix/mcp-oauth-issuer-url


📝 Commits (10+)

📊 Changes

6 files changed (+110 additions, -12 deletions)

View changed files

📝 backend/open_webui/main.py (+5 -1)
📝 backend/open_webui/routers/configs.py (+5 -2)
backend/open_webui/test/utils/test_oauth.py (+47 -0)
📝 backend/open_webui/utils/oauth.py (+15 -5)
📝 src/lib/apis/configs/index.ts (+1 -0)
📝 src/lib/components/AddToolServerModal.svelte (+37 -4)

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

  • Target branch: Verify that the pull request targets the dev branch. PRs targeting main will be immediately closed.
  • Description: Provide a concise description of the changes made in this pull request down below.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Add docs in Open WebUI Docs Repository. Document user-facing behavior, environment variables, public APIs/interfaces, or deployment steps.
  • Dependencies: Are there any new or upgraded dependencies? If so, explain why, update the changelog/docs, and include any compatibility notes. Actually run the code/function that uses updated library to ensure it doesn't crash.
  • Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Include reproducible steps to demonstrate the issue before the fix. Test edge cases (URL encoding, HTML entities, types). Take this as an opportunity to make screenshots of the feature/fix and include them in the PR description.
  • Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Design & Architecture: Prefer smart defaults over adding new settings; use local state for ephemeral UI logic. Open a Discussion for major architectural or UX changes.
  • Git Hygiene: Keep PRs atomic (one logical change). Clean up commits and rebase on dev to ensure no unrelated commits (e.g. from main) are included. Push updates to the existing PR branch instead of closing and reopening.
  • Title Prefix: Pull request title uses the fix prefix.

Summary

Fixes #24216.

This adds an optional OAuth authorization/discovery URL for MCP OAuth 2.1 static tool servers. It is needed for providers such as Google's official Gmail MCP server, where the MCP endpoint is on gmailmcp.googleapis.com but OAuth discovery lives under accounts.google.com.

When the new field is blank, Open WebUI preserves the existing MCP-server-host discovery fallback. When it is set, registration, connection verification, and persisted re-registration use the explicit authorization server/discovery URL.

Testing

  • Added focused OAuth discovery tests for issuer base URL override, full .well-known/openid-configuration override, and the existing no-override fallback order.
  • Verified the touched Python files compile.
  • Ran formatting on the touched Svelte/API files and compiled the touched Svelte component directly.

Commands run:

  • PYTHONPATH=backend uv run --no-project --with-requirements backend/requirements.txt --with pytest --with pytest-asyncio pytest backend/open_webui/test/utils/test_oauth.py -q
  • uv run --no-sync --with ruff ruff check backend/open_webui/test/utils/test_oauth.py
  • python3 -m compileall -q backend/open_webui/utils/oauth.py backend/open_webui/routers/configs.py backend/open_webui/main.py backend/open_webui/test/utils/test_oauth.py
  • npx prettier --plugin-search-dir --write src/lib/components/AddToolServerModal.svelte src/lib/apis/configs/index.ts
  • direct Svelte compiler check for src/lib/components/AddToolServerModal.svelte
  • git diff --check

Note: npm run check currently fails on the existing repo-wide Svelte/TypeScript baseline diagnostics unrelated to this change; the touched component compiles directly.

Changelog Entry

Description

  • Add optional MCP OAuth authorization server/discovery URL support for OAuth 2.1 Static tool server configuration.

Added

  • Optional Authorization Server URL field for MCP OAuth 2.1 Static tool servers.
  • Backend support for using that URL during OAuth discovery and client registration flows.
  • Regression tests for explicit OAuth issuer and full discovery URL overrides.

Changed

  • OAuth discovery can now be scoped to an explicit authorization server while preserving the existing MCP host fallback when the field is empty.

Deprecated

  • None.

Removed

  • None.

Fixed

  • Fixed OAuth discovery for MCP servers whose OAuth issuer is hosted separately from the MCP endpoint, such as Google Workspace MCP servers.

Security

  • None.

Breaking Changes

  • None.

Additional Information

  • No dependencies were added or upgraded.

Screenshots or Videos

  • Not attached; this is a small configuration field plus backend OAuth discovery behavior. The touched Svelte component was compiler-checked directly.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24304 **Author:** [@Genmin](https://github.com/Genmin) **Created:** 5/1/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix/mcp-oauth-issuer-url` --- ### 📝 Commits (10+) - [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev - [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev - [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev - [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev - [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev - [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev - [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev - [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093) - [`6adde20`](https://github.com/open-webui/open-webui/commit/6adde203cd292a9e3af9c64a2ae36b603fed096a) Merge pull request #20394 from open-webui/dev - [`f9b0534`](https://github.com/open-webui/open-webui/commit/f9b0534e0c442631d1cb7205169588b9b6204179) Merge pull request #20522 from open-webui/dev ### 📊 Changes **6 files changed** (+110 additions, -12 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/main.py` (+5 -1) 📝 `backend/open_webui/routers/configs.py` (+5 -2) ➕ `backend/open_webui/test/utils/test_oauth.py` (+47 -0) 📝 `backend/open_webui/utils/oauth.py` (+15 -5) 📝 `src/lib/apis/configs/index.ts` (+1 -0) 📝 `src/lib/components/AddToolServerModal.svelte` (+37 -4) </details> ### 📄 Description # Pull Request Checklist **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Verify that the pull request targets the `dev` branch. **PRs targeting `main` will be immediately closed.** - [x] **Description:** Provide a concise description of the changes made in this pull request down below. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [ ] **Documentation:** Add docs in [Open WebUI Docs Repository](https://github.com/open-webui/docs). Document user-facing behavior, environment variables, public APIs/interfaces, or deployment steps. - [ ] **Dependencies:** Are there any new or upgraded dependencies? If so, explain why, update the changelog/docs, and include any compatibility notes. Actually run the code/function that uses updated library to ensure it doesn't crash. - [x] **Testing:** Perform manual tests to **verify the implemented fix/feature works as intended AND does not break any other functionality**. Include reproducible steps to demonstrate the issue before the fix. Test edge cases (URL encoding, HTML entities, types). Take this as an opportunity to **make screenshots of the feature/fix and include them in the PR description**. - [ ] **Agentic AI Code:** Confirm this Pull Request is **not written by any AI Agent** or has at least **gone through additional human review AND manual testing**. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR. - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Design & Architecture:** Prefer smart defaults over adding new settings; use local state for ephemeral UI logic. Open a Discussion for major architectural or UX changes. - [x] **Git Hygiene:** Keep PRs atomic (one logical change). Clean up commits and rebase on `dev` to ensure no unrelated commits (e.g. from `main`) are included. Push updates to the existing PR branch instead of closing and reopening. - [x] **Title Prefix:** Pull request title uses the `fix` prefix. ## Summary Fixes #24216. This adds an optional OAuth authorization/discovery URL for MCP OAuth 2.1 static tool servers. It is needed for providers such as Google's official Gmail MCP server, where the MCP endpoint is on `gmailmcp.googleapis.com` but OAuth discovery lives under `accounts.google.com`. When the new field is blank, Open WebUI preserves the existing MCP-server-host discovery fallback. When it is set, registration, connection verification, and persisted re-registration use the explicit authorization server/discovery URL. ## Testing - Added focused OAuth discovery tests for issuer base URL override, full `.well-known/openid-configuration` override, and the existing no-override fallback order. - Verified the touched Python files compile. - Ran formatting on the touched Svelte/API files and compiled the touched Svelte component directly. Commands run: - `PYTHONPATH=backend uv run --no-project --with-requirements backend/requirements.txt --with pytest --with pytest-asyncio pytest backend/open_webui/test/utils/test_oauth.py -q` - `uv run --no-sync --with ruff ruff check backend/open_webui/test/utils/test_oauth.py` - `python3 -m compileall -q backend/open_webui/utils/oauth.py backend/open_webui/routers/configs.py backend/open_webui/main.py backend/open_webui/test/utils/test_oauth.py` - `npx prettier --plugin-search-dir --write src/lib/components/AddToolServerModal.svelte src/lib/apis/configs/index.ts` - direct Svelte compiler check for `src/lib/components/AddToolServerModal.svelte` - `git diff --check` Note: `npm run check` currently fails on the existing repo-wide Svelte/TypeScript baseline diagnostics unrelated to this change; the touched component compiles directly. # Changelog Entry ### Description - Add optional MCP OAuth authorization server/discovery URL support for OAuth 2.1 Static tool server configuration. ### Added - Optional Authorization Server URL field for MCP OAuth 2.1 Static tool servers. - Backend support for using that URL during OAuth discovery and client registration flows. - Regression tests for explicit OAuth issuer and full discovery URL overrides. ### Changed - OAuth discovery can now be scoped to an explicit authorization server while preserving the existing MCP host fallback when the field is empty. ### Deprecated - None. ### Removed - None. ### Fixed - Fixed OAuth discovery for MCP servers whose OAuth issuer is hosted separately from the MCP endpoint, such as Google Workspace MCP servers. ### Security - None. ### Breaking Changes - None. --- ### Additional Information - No dependencies were added or upgraded. ### Screenshots or Videos - Not attached; this is a small configuration field plus backend OAuth discovery behavior. The touched Svelte component was compiler-checked directly. ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [ ] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-21 16:31:37 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#131259