mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[PR #24599] [CLOSED] feat(ntid): propagate AMD NTID to LLM Gateway via user HTTP header
#131402
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24599
Author: @datar-ai
Created: 5/12/2026
Status: ❌ Closed
Base:
main← Head:feat/ntid-user-header-propagation📝 Commits (10+)
b731c64feat: Add local MCP server integration for tool registration, discovery, and invocation in Open WebUIa088bb8feat: Add product requirements document for local MCP tool integration in Open WebUI7779a25Create GroupPRD.md10afdfbUpdate PRD7132de6feat: Enhance tool registration documentation for external OpenAPI Tool Servers and internal Python tools828bb66docs: Update documentation for local MCP tool integration and clarify tool invocation processes3a7bb84docs: Update PRD writing guidelines to enhance clarity, completeness, and error handling strategies2d82aefEnhance tool registration documentation and introduce mcpo READMEa4fed4dfeat: Enhance local tool integration by ensuring isolation in multi-user environments8608e08feat: implement group synchronization service for user login📊 Changes
167 files changed (+10354 additions, -883 deletions)
View changed files
➕
.claude/settings.local.json(+14 -0)➕
.claude/skills/dockerbuild-openwebui/SKILL.md(+84 -0)➕
.devcontainer/devcontainer.json(+82 -0)📝
.gitignore(+10 -0)➕
.vscode/Microsoft.PowerShell_profile.ps1(+14 -0)➕
.vscode/launch.json(+35 -0)📝
Dockerfile(+22 -2)📝
LICENSE(+1 -1)📝
README.md(+55 -41)➕
THIRD_PARTY_LICENSES(+42 -0)➕
acp-3825-search-plan-agent-buttons/README.md(+63 -0)➕
acp-3835-selectable-knowledge-source/README.md(+69 -0)➕
backend/DB-Migration-ACP-3780/dev-openwebui-schema.sqlserver.sql(+360 -0)➕
backend/DB-Migration-ACP-3780/import_data_to_mssql.py(+541 -0)➕
backend/DB-Migration-ACP-3780/資料庫遷移標準作業程序 (SOP).md(+1 -0)📝
backend/open_webui/config.py(+30 -2)📝
backend/open_webui/env.py(+40 -3)📝
backend/open_webui/functions.py(+3 -1)📝
backend/open_webui/internal/db.py(+18 -1)📝
backend/open_webui/main.py(+23 -7)...and 80 more files
📄 Description
Summary
Implements the open-webui half of end-to-end NTID propagation per IT mandate (Confluence: User Header Modification, deadline 2026-05-02).
After OIDC login, fetch the user's NTID from Microsoft Graph (
onPremisesSamAccountName), persist it on theuserrow, and forward it in the chat-completions payload so the downstream pipeline can emituser: <NTID>tohttps://llm-api.amd.com.Full design doc:
docs/dev-plans/ntid-header-propagation.md(already on main).Changes
backend/open_webui/models/users.pyntid String(64)column onUser+UserModelfield +insert_new_user(ntid=...)kwarg. Indexed for reverse lookup.backend/open_webui/utils/oauth.py/me?$select=onPremisesSamAccountNameusing the access_token. Persist on both new-user creation and existing-user re-login (refresh on AD drift). All failures logged at WARN, never block login.backend/open_webui/routers/openai.pyuser.ntidin the body sent to pipeline-flagged models (gated by existingif "pipeline" in model and model.get("pipeline")).Total: 3 files, +49 lines (no removals).
Out-of-band actions required (pre-merge / pre-deploy)
1. DDL — must run BEFORE deploy
Without this, SQLAlchemy reads will fail with
column user.ntid does not exist.2. Env var
OAUTH_SCOPESmust includeUser.Read:The App Registration (
pdase-cepm-wapp) already requests this Graph permission. First-time consent will either:3. Pipeline counterpart
C:\Github\pipelinerepo carries the matchingContextVar+CustomHTTPLLM._get_headers()injection (separate PR). Both must ship together — open-webui alone has no effect on the gateway.Design notes
body.user.ntid) is unchanged.ntid = NULLand are excluded from the gateway header. They should use a service-account NTID per IT FAQ.Test plan
dvse-cepm-sqlmi/openwebui)OAUTH_SCOPES=openid email profile User.Readin devdocker-compose.ymldocker compose build openwebui && docker compose up -d openwebuidocker compose logs openwebui | grep '\[NTID\]'— expect[NTID] fetched for ...: <your-ntid>or[NTID] set on new user ...SELECT email, ntid FROM [user] WHERE email = '<your-email>'—ntidpopulateddocker compose logs pipelines | grep -i 'LLM_REQUEST'— confirmuser:header present on outbound tohttps://llm-api.amd.comtcpdump -A -i any 'host llm-api.amd.com'on dev VM for end-to-end wire confirmationRollback
Both changes are additive (new column, new field). Revert is
git revert+ drop column. The Graph call is wrapped in try/except so disabling it doesn't break login.🤖 Generated with Claude Code
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.