mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:03:05 -05:00
[PR #24690] fix(oauth): use Protected Resource Metadata scopes in static OAuth 2.1 flow #131449
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24690
Author: @JustinJohnWilliams
Created: 5/13/2026
Status: 🔄 Open
Base:
dev← Head:fix/static-oauth-scopes-from-prm📝 Commits (1)
f8d8824fix(oauth): use Protected Resource Metadata scopes in static OAuth 2.1 flow📊 Changes
1 file changed (+12 additions, -7 deletions)
View changed files
📝
backend/open_webui/utils/oauth.py(+12 -7)📄 Description
Pull Request Checklist
devbranch./.well-known/oauth-protected-resourceendpoint. Confirmed scopes are included in the authorization request.dev.fix:Changelog Entry
Description
The static credentials OAuth 2.1 flow (
oauth_2.1_static) currently setsscope=None, relying on the OAuth provider's default scopes. This breaks providers like GitHub that default to minimal/public-only access when no scope is requested — making it impossible to access private resources via MCP tool servers using static OAuth credentials.This PR reads
scopes_supportedfrom the Protected Resource Metadata document (RFC 9728) and uses them in the authorization request.Why this doesn't break Entra ID:
The original change (
349ea4ea) correctly identified that requesting all scopes from the Authorization Server Metadata breaks providers like Entra ID. However, the Protected Resource Metadata'sscopes_supportedis semantically different:scopes_supported: Full catalog of every scope the authorization server can grant across all resourcesscopes_supported(RFC 9728 §2): Scopes required by this specific protected resourcePer the MCP spec's Scope Selection Strategy, clients should use
scopes_supportedfrom the Protected Resource Metadata when no explicit scope is provided in theWWW-Authenticatechallenge.Added
scopes_supportedfield onProtectedResourceMetadatadataclassChanged
get_protected_resource_metadata()now extractsscopes_supportedfrom the PRM documentget_oauth_client_info_with_static_credentials()uses PRM scopes instead ofNoneFixed
Additional Information
github/github-mcp-serverwhich advertisesrepo,read:org, etc. in its PRMscopes_supportedscope=Nonewhen PRM does not includescopes_supported, preserving current behavior for Entra ID and similar providersContributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.