mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24806
Author: @IVVI0927
Created: 5/16/2026
Status: ❌ Closed
Base:
dev← Head:fix/24730-oauth-scopes-in-authorize-url📝 Commits (1)
7e965fbfix: include scopes_supported from RFC 9728 protected-resource metadata in OAuth static authorize URL📊 Changes
1 file changed (+26 additions, -7 deletions)
View changed files
📝
backend/open_webui/utils/oauth.py(+26 -7)📄 Description
Pull Request Checklist
Note to first-time contributors: Please open a discussion post in Discussions to discuss your idea/fix with the community before creating a pull request, and describe your changes before submitting a pull request.
This is to ensure large feature PRs are discussed with the community first, before starting work on it. If the community does not want this feature or it is not relevant for Open WebUI as a project, it can be identified in the discussion before working on the feature and submitting the PR.
Before submitting, make sure you've checked the following:
Closes #___/Relates to #___. If one does not exist, create one first. PRs without a linked issue or discussion may be closed without review.devbranch. PRs targetingmainwill be immediately closed.devto ensure no unrelated commits (e.g. frommain) are included. Push updates to the existing PR branch instead of closing and reopening.Changelog Entry
Description
Fixes the OAuth 2.1 (Static) authorize URL for MCP connections, which was missing the
scopeparameter. Thescopes_supportedarray advertised in the RFC 9728.well-known/oauth-protected-resourcemetadata document is now parsed and forwarded into the authorize request, resolving sign-in failures with providers like Microsoft Entra v2 that rejectscope-less authorization requests (AADSTS900144).Added
scopes_supported: list[str]field on theProtectedResourceMetadatadataclass inbackend/open_webui/utils/oauth.py, populated from the protected-resource metadata document during OAuth discovery.Changed
get_protected_resource_metadata()now readsscopes_supportedfrom the.well-known/oauth-protected-resourceJSON response and returns it on the resultingProtectedResourceMetadata.get_oauth_client_info_with_static_credentials()no longer hardcodesscope = None. When the discoveredProtectedResourceMetadata.scopes_supportedis non-empty, scopes are joined into a space-separatedscopevalue on the resultingOAuthClientInformationFull. When absent, the previous behaviour (scope = None) is preserved.Deprecated
Removed
Fixed
scopeparameter, causing sign-in to fail withAADSTS900144: The request body must contain the following parameter: 'scope'on Microsoft Entra v2 and similar providers that require explicit scopes. (#24730)Security
Breaking Changes
Additional Information
Testing notes: Did not add automated unit tests in this PR. Importing
backend/open_webui/utils/oauth.pytriggers database initialization at module load, which would require non-trivial test-infrastructure mocking outside the scope of this fix. Happy to add tests in a follow-up if maintainers can point to the recommended test setup for this module.Screenshots or Videos
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.