[PR #24934] [CLOSED] feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set #131599

Closed
opened 2026-05-21 17:18:01 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24934
Author: @zaid-marji
Created: 5/20/2026
Status: Closed

Base: devHead: feat/oauth-auto-redirect


📝 Commits (3)

  • 6bcaca8 feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set
  • 3167422 test: cover the OAuth auto-redirect decision with vitest
  • 3359419 test: add backend pytest for OAUTH_AUTO_REDIRECT

📊 Changes

8 files changed (+419 additions, -3 deletions)

View changed files

📝 backend/open_webui/config.py (+6 -0)
📝 backend/open_webui/main.py (+6 -1)
backend/open_webui/test/util/test_oauth_auto_redirect.py (+58 -0)
backend/open_webui/test/util/test_oauth_auto_redirect_integration.py (+122 -0)
📝 src/lib/stores/index.ts (+2 -0)
src/lib/utils/oauth.test.ts (+127 -0)
src/lib/utils/oauth.ts (+64 -0)
📝 src/routes/auth/+page.svelte (+34 -2)

📄 Description

Description

Adds an OAUTH_AUTO_REDIRECT environment variable. When enabled and exactly one OAuth provider is configured, an unauthenticated visit to /auth is redirected straight to that provider's login — removing the extra Continue with <provider> click on an otherwise SSO-only login page.

Escape hatch: /auth?form=true always renders the local login form, so administrators keep password access if the IdP is unavailable. The redirect is also suppressed after a failed sign-in (/auth?error=...), for an already-authenticated session, when a token is present, during first-run onboarding, and under trusted-header auth.

Why a setting and not a smart default: auto-redirect cannot be defaulted on — that would break every deployment that uses the local login form or has multiple providers, and would silently change behavior for existing installs. It is therefore opt-in (Default: False). The community has requested exactly this opt-in variable across several threads.

Relates to #24421, #7337, #8167, #11612.

Implementation

  • Backend: OAUTH_AUTO_REDIRECT config variable (config.py), wired into app.state.config and exposed as oauth.auto_redirect in /api/config (main.py).
  • Frontend: the redirect decision is a pure function (src/lib/utils/oauth.ts) called from the auth page's onMount; it redirects to /oauth/{provider}/login only when every guard passes.

No new dependencies.

Documentation

Companion docs PR: open-webui/docs#1260

Testing

  • Manual: verified end-to-end in a container — /auth redirects to the provider and completes login via the callback; /auth?form=true shows the local form; /auth?error= keeps the page and surfaces the error.
  • vitest: src/lib/utils/oauth.test.ts covers every guard branch of the redirect decision (runs in the existing npm run test:frontend job).
  • pytest: test_oauth_auto_redirect.py (env var to config wiring) and test_oauth_auto_redirect_integration.py (boots the app against an in-process mock OIDC provider; asserts /api/config exposes oauth.auto_redirect and /oauth/oidc/login redirects to the IdP).

Changelog Entry

Added

  • 🔀 Auto-redirect to SSO. New OAUTH_AUTO_REDIRECT environment variable: when enabled with a single configured OAuth provider, an unauthenticated visit to /auth redirects straight to the provider, removing the extra "Continue with" click. Visit /auth?form=true to reach the local login form.

Contributor License Agreement


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24934 **Author:** [@zaid-marji](https://github.com/zaid-marji) **Created:** 5/20/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `feat/oauth-auto-redirect` --- ### 📝 Commits (3) - [`6bcaca8`](https://github.com/open-webui/open-webui/commit/6bcaca886c6cd995264885f8886ed57328e648f6) feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set - [`3167422`](https://github.com/open-webui/open-webui/commit/31674220e50072876f5036a60296eeb562ebe239) test: cover the OAuth auto-redirect decision with vitest - [`3359419`](https://github.com/open-webui/open-webui/commit/33594195f08bdff5f610797e784a281fe0d1f3bc) test: add backend pytest for OAUTH_AUTO_REDIRECT ### 📊 Changes **8 files changed** (+419 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+6 -0) 📝 `backend/open_webui/main.py` (+6 -1) ➕ `backend/open_webui/test/util/test_oauth_auto_redirect.py` (+58 -0) ➕ `backend/open_webui/test/util/test_oauth_auto_redirect_integration.py` (+122 -0) 📝 `src/lib/stores/index.ts` (+2 -0) ➕ `src/lib/utils/oauth.test.ts` (+127 -0) ➕ `src/lib/utils/oauth.ts` (+64 -0) 📝 `src/routes/auth/+page.svelte` (+34 -2) </details> ### 📄 Description ## Description Adds an `OAUTH_AUTO_REDIRECT` environment variable. When enabled **and exactly one OAuth provider is configured**, an unauthenticated visit to `/auth` is redirected straight to that provider's login — removing the extra `Continue with <provider>` click on an otherwise SSO-only login page. Escape hatch: `/auth?form=true` always renders the local login form, so administrators keep password access if the IdP is unavailable. The redirect is also suppressed after a failed sign-in (`/auth?error=...`), for an already-authenticated session, when a token is present, during first-run onboarding, and under trusted-header auth. **Why a setting and not a smart default:** auto-redirect cannot be defaulted on — that would break every deployment that uses the local login form or has multiple providers, and would silently change behavior for existing installs. It is therefore opt-in (`Default: False`). The community has requested exactly this opt-in variable across several threads. Relates to #24421, #7337, #8167, #11612. ## Implementation - **Backend:** `OAUTH_AUTO_REDIRECT` config variable (`config.py`), wired into `app.state.config` and exposed as `oauth.auto_redirect` in `/api/config` (`main.py`). - **Frontend:** the redirect decision is a pure function (`src/lib/utils/oauth.ts`) called from the auth page's `onMount`; it redirects to `/oauth/{provider}/login` only when every guard passes. No new dependencies. ## Documentation Companion docs PR: open-webui/docs#1260 ## Testing - **Manual:** verified end-to-end in a container — `/auth` redirects to the provider and completes login via the callback; `/auth?form=true` shows the local form; `/auth?error=` keeps the page and surfaces the error. - **vitest:** `src/lib/utils/oauth.test.ts` covers every guard branch of the redirect decision (runs in the existing `npm run test:frontend` job). - **pytest:** `test_oauth_auto_redirect.py` (env var to config wiring) and `test_oauth_auto_redirect_integration.py` (boots the app against an in-process mock OIDC provider; asserts `/api/config` exposes `oauth.auto_redirect` and `/oauth/oidc/login` redirects to the IdP). # Changelog Entry ### Added - 🔀 **Auto-redirect to SSO.** New `OAUTH_AUTO_REDIRECT` environment variable: when enabled with a single configured OAuth provider, an unauthenticated visit to `/auth` redirects straight to the provider, removing the extra "Continue with" click. Visit `/auth?form=true` to reach the local login form. ### Contributor License Agreement - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-21 17:18:01 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#131599