mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-15 21:19:39 -05:00
[PR #24934] [CLOSED] feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set #131599
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24934
Author: @zaid-marji
Created: 5/20/2026
Status: ❌ Closed
Base:
dev← Head:feat/oauth-auto-redirect📝 Commits (3)
6bcaca8feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set3167422test: cover the OAuth auto-redirect decision with vitest3359419test: add backend pytest for OAUTH_AUTO_REDIRECT📊 Changes
8 files changed (+419 additions, -3 deletions)
View changed files
📝
backend/open_webui/config.py(+6 -0)📝
backend/open_webui/main.py(+6 -1)➕
backend/open_webui/test/util/test_oauth_auto_redirect.py(+58 -0)➕
backend/open_webui/test/util/test_oauth_auto_redirect_integration.py(+122 -0)📝
src/lib/stores/index.ts(+2 -0)➕
src/lib/utils/oauth.test.ts(+127 -0)➕
src/lib/utils/oauth.ts(+64 -0)📝
src/routes/auth/+page.svelte(+34 -2)📄 Description
Description
Adds an
OAUTH_AUTO_REDIRECTenvironment variable. When enabled and exactly one OAuth provider is configured, an unauthenticated visit to/authis redirected straight to that provider's login — removing the extraContinue with <provider>click on an otherwise SSO-only login page.Escape hatch:
/auth?form=truealways renders the local login form, so administrators keep password access if the IdP is unavailable. The redirect is also suppressed after a failed sign-in (/auth?error=...), for an already-authenticated session, when a token is present, during first-run onboarding, and under trusted-header auth.Why a setting and not a smart default: auto-redirect cannot be defaulted on — that would break every deployment that uses the local login form or has multiple providers, and would silently change behavior for existing installs. It is therefore opt-in (
Default: False). The community has requested exactly this opt-in variable across several threads.Relates to #24421, #7337, #8167, #11612.
Implementation
OAUTH_AUTO_REDIRECTconfig variable (config.py), wired intoapp.state.configand exposed asoauth.auto_redirectin/api/config(main.py).src/lib/utils/oauth.ts) called from the auth page'sonMount; it redirects to/oauth/{provider}/loginonly when every guard passes.No new dependencies.
Documentation
Companion docs PR: open-webui/docs#1260
Testing
/authredirects to the provider and completes login via the callback;/auth?form=trueshows the local form;/auth?error=keeps the page and surfaces the error.src/lib/utils/oauth.test.tscovers every guard branch of the redirect decision (runs in the existingnpm run test:frontendjob).test_oauth_auto_redirect.py(env var to config wiring) andtest_oauth_auto_redirect_integration.py(boots the app against an in-process mock OIDC provider; asserts/api/configexposesoauth.auto_redirectand/oauth/oidc/loginredirects to the IdP).Changelog Entry
Added
OAUTH_AUTO_REDIRECTenvironment variable: when enabled with a single configured OAuth provider, an unauthenticated visit to/authredirects straight to the provider, removing the extra "Continue with" click. Visit/auth?form=trueto reach the local login form.Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.