mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[PR #24937] feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set #131602
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24937
Author: @zaid-marji
Created: 5/20/2026
Status: 🔄 Open
Base:
dev← Head:feat/oauth-auto-redirect📝 Commits (3)
6bcaca8feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set3167422test: cover the OAuth auto-redirect decision with vitest3359419test: add backend pytest for OAUTH_AUTO_REDIRECT📊 Changes
8 files changed (+419 additions, -3 deletions)
View changed files
📝
backend/open_webui/config.py(+6 -0)📝
backend/open_webui/main.py(+6 -1)➕
backend/open_webui/test/util/test_oauth_auto_redirect.py(+58 -0)➕
backend/open_webui/test/util/test_oauth_auto_redirect_integration.py(+122 -0)📝
src/lib/stores/index.ts(+2 -0)➕
src/lib/utils/oauth.test.ts(+127 -0)➕
src/lib/utils/oauth.ts(+64 -0)📝
src/routes/auth/+page.svelte(+34 -2)📄 Description
Pull Request Checklist
devbranch.OAUTH_AUTO_REDIRECTenvironment variable that redirects an unauthenticated/authvisit straight to a single configured OAuth provider. Details below.dev.devwith no unrelated changes.featprefix.Changelog Entry
Description
OAUTH_AUTO_REDIRECTenvironment variable. When enabled and exactly one OAuth provider is configured, an unauthenticated visit to/authis redirected straight to that provider's login, removing the extra "Continue with" click on an otherwise SSO-only login page./auth?form=truereaches the local login form.Added
OAUTH_AUTO_REDIRECTenvironment variable: when enabled with a single configured OAuth provider, an unauthenticated visit to/authredirects straight to the provider, removing the extra "Continue with" click. Visit/auth?form=trueto reach the local login form.Changed
Deprecated
Removed
Fixed
Security
Breaking Changes
Additional Information
Behavior. When
OAUTH_AUTO_REDIRECT=trueand exactly one OAuth provider is configured, an unauthenticated visit to/authredirects straight to/oauth/{provider}/login. The redirect is suppressed when the local login form is explicitly requested (/auth?form=true), after a failed sign-in (/auth?error=...), for an already-authenticated session, when a token is present, during first-run onboarding, and under trusted-header auth.Why a setting and not a smart default. Auto-redirect cannot be defaulted on — it would break every deployment that uses the local login form or has multiple providers, and would silently change behavior for existing installs. It is therefore opt-in (
Default: False).Implementation.
OAUTH_AUTO_REDIRECTconfig variable (config.py), wired intoapp.state.configand exposed asoauth.auto_redirectin/api/config(main.py).src/lib/utils/oauth.ts) called from the auth page'sonMount.Commit structure. Three commits, ordered so the test commits can be dropped independently of the feature:
feat:— the featuretest:— vitest unit coverage of the redirect decision (runs in the existingfrontend.yamlunit-tests job)test:— backend pytest (env-to-config wiring + a mock-OIDC integration test)If you'd prefer the feature without (re)introducing backend pytest files, commit 3 is last and can be dropped on its own — the feature and the frontend test stay intact.
Verification.
/authredirects to the provider and completes login via the callback;/auth?form=trueshows the local form;/auth?error=keeps the page and surfaces the error.vitest—src/lib/utils/oauth.test.tscovers every guard branch of the redirect decision.pytest—test_oauth_auto_redirect.py(env-to-config wiring) andtest_oauth_auto_redirect_integration.py(boots the app against an in-process mock OIDC provider; asserts/api/configexposesoauth.auto_redirectand/oauth/oidc/loginredirects to the IdP).Screenshots or Videos
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.