[PR #24937] feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set #131602

Open
opened 2026-05-21 17:18:28 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24937
Author: @zaid-marji
Created: 5/20/2026
Status: 🔄 Open

Base: devHead: feat/oauth-auto-redirect


📝 Commits (3)

  • 6bcaca8 feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set
  • 3167422 test: cover the OAuth auto-redirect decision with vitest
  • 3359419 test: add backend pytest for OAUTH_AUTO_REDIRECT

📊 Changes

8 files changed (+419 additions, -3 deletions)

View changed files

📝 backend/open_webui/config.py (+6 -0)
📝 backend/open_webui/main.py (+6 -1)
backend/open_webui/test/util/test_oauth_auto_redirect.py (+58 -0)
backend/open_webui/test/util/test_oauth_auto_redirect_integration.py (+122 -0)
📝 src/lib/stores/index.ts (+2 -0)
src/lib/utils/oauth.test.ts (+127 -0)
src/lib/utils/oauth.ts (+64 -0)
📝 src/routes/auth/+page.svelte (+34 -2)

📄 Description

Pull Request Checklist

  • Linked Issue/Discussion: Relates to discussions #24421, #7337, #8167, and #11612, which request an opt-in auto-redirect to a single SSO provider.
  • Target branch: The pull request targets the dev branch.
  • Description: Adds an OAUTH_AUTO_REDIRECT environment variable that redirects an unauthenticated /auth visit straight to a single configured OAuth provider. Details below.
  • Changelog: A changelog entry is included below.
  • Documentation: Companion docs PR — open-webui/docs#1260.
  • Dependencies: No new or updated dependencies.
  • Testing: vitest and pytest coverage added; manual end-to-end verification performed in a container. Details below.
  • No Unchecked AI Code: The change has undergone human review and manual end-to-end testing.
  • Self-Review: The diff is scoped to the OAuth auto-redirect feature and its tests, and is rebased on dev.
  • Architecture: Introduces one opt-in setting; auto-redirect cannot be a safe default (rationale below).
  • Git Hygiene: Three commits — feature plus two test commits — rebased on dev with no unrelated changes.
  • Title Prefix: The PR title uses the feat prefix.

Changelog Entry

Description

  • Adds an OAUTH_AUTO_REDIRECT environment variable. When enabled and exactly one OAuth provider is configured, an unauthenticated visit to /auth is redirected straight to that provider's login, removing the extra "Continue with" click on an otherwise SSO-only login page. /auth?form=true reaches the local login form.

Added

  • 🔀 Auto-redirect to SSO. New OAUTH_AUTO_REDIRECT environment variable: when enabled with a single configured OAuth provider, an unauthenticated visit to /auth redirects straight to the provider, removing the extra "Continue with" click. Visit /auth?form=true to reach the local login form.

Changed

  • None.

Deprecated

  • None.

Removed

  • None.

Fixed

  • None.

Security

  • None.

Breaking Changes

  • None.

Additional Information

Behavior. When OAUTH_AUTO_REDIRECT=true and exactly one OAuth provider is configured, an unauthenticated visit to /auth redirects straight to /oauth/{provider}/login. The redirect is suppressed when the local login form is explicitly requested (/auth?form=true), after a failed sign-in (/auth?error=...), for an already-authenticated session, when a token is present, during first-run onboarding, and under trusted-header auth.

Why a setting and not a smart default. Auto-redirect cannot be defaulted on — it would break every deployment that uses the local login form or has multiple providers, and would silently change behavior for existing installs. It is therefore opt-in (Default: False).

Implementation.

  • Backend: OAUTH_AUTO_REDIRECT config variable (config.py), wired into app.state.config and exposed as oauth.auto_redirect in /api/config (main.py).
  • Frontend: the redirect decision is a pure function (src/lib/utils/oauth.ts) called from the auth page's onMount.

Commit structure. Three commits, ordered so the test commits can be dropped independently of the feature:

  1. feat: — the feature
  2. test: — vitest unit coverage of the redirect decision (runs in the existing frontend.yaml unit-tests job)
  3. test: — backend pytest (env-to-config wiring + a mock-OIDC integration test)

If you'd prefer the feature without (re)introducing backend pytest files, commit 3 is last and can be dropped on its own — the feature and the frontend test stay intact.

Verification.

  • Manual: verified end-to-end in a container — /auth redirects to the provider and completes login via the callback; /auth?form=true shows the local form; /auth?error= keeps the page and surfaces the error.
  • vitestsrc/lib/utils/oauth.test.ts covers every guard branch of the redirect decision.
  • pytesttest_oauth_auto_redirect.py (env-to-config wiring) and test_oauth_auto_redirect_integration.py (boots the app against an in-process mock OIDC provider; asserts /api/config exposes oauth.auto_redirect and /oauth/oidc/login redirects to the IdP).

Screenshots or Videos

  • Not applicable — the change is a redirect; behavior is covered by the verification steps above.

Contributor License Agreement


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24937 **Author:** [@zaid-marji](https://github.com/zaid-marji) **Created:** 5/20/2026 **Status:** 🔄 Open **Base:** `dev` ← **Head:** `feat/oauth-auto-redirect` --- ### 📝 Commits (3) - [`6bcaca8`](https://github.com/open-webui/open-webui/commit/6bcaca886c6cd995264885f8886ed57328e648f6) feat: auto-redirect to SSO when OAUTH_AUTO_REDIRECT is set - [`3167422`](https://github.com/open-webui/open-webui/commit/31674220e50072876f5036a60296eeb562ebe239) test: cover the OAuth auto-redirect decision with vitest - [`3359419`](https://github.com/open-webui/open-webui/commit/33594195f08bdff5f610797e784a281fe0d1f3bc) test: add backend pytest for OAUTH_AUTO_REDIRECT ### 📊 Changes **8 files changed** (+419 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+6 -0) 📝 `backend/open_webui/main.py` (+6 -1) ➕ `backend/open_webui/test/util/test_oauth_auto_redirect.py` (+58 -0) ➕ `backend/open_webui/test/util/test_oauth_auto_redirect_integration.py` (+122 -0) 📝 `src/lib/stores/index.ts` (+2 -0) ➕ `src/lib/utils/oauth.test.ts` (+127 -0) ➕ `src/lib/utils/oauth.ts` (+64 -0) 📝 `src/routes/auth/+page.svelte` (+34 -2) </details> ### 📄 Description # Pull Request Checklist - [x] **Linked Issue/Discussion:** Relates to discussions #24421, #7337, #8167, and #11612, which request an opt-in auto-redirect to a single SSO provider. - [x] **Target branch:** The pull request targets the `dev` branch. - [x] **Description:** Adds an `OAUTH_AUTO_REDIRECT` environment variable that redirects an unauthenticated `/auth` visit straight to a single configured OAuth provider. Details below. - [x] **Changelog:** A changelog entry is included below. - [x] **Documentation:** Companion docs PR — open-webui/docs#1260. - [x] **Dependencies:** No new or updated dependencies. - [x] **Testing:** vitest and pytest coverage added; manual end-to-end verification performed in a container. Details below. - [x] **No Unchecked AI Code:** The change has undergone human review and manual end-to-end testing. - [x] **Self-Review:** The diff is scoped to the OAuth auto-redirect feature and its tests, and is rebased on `dev`. - [x] **Architecture:** Introduces one opt-in setting; auto-redirect cannot be a safe default (rationale below). - [x] **Git Hygiene:** Three commits — feature plus two test commits — rebased on `dev` with no unrelated changes. - [x] **Title Prefix:** The PR title uses the `feat` prefix. # Changelog Entry ### Description - Adds an `OAUTH_AUTO_REDIRECT` environment variable. When enabled and exactly one OAuth provider is configured, an unauthenticated visit to `/auth` is redirected straight to that provider's login, removing the extra "Continue with" click on an otherwise SSO-only login page. `/auth?form=true` reaches the local login form. ### Added - 🔀 **Auto-redirect to SSO.** New `OAUTH_AUTO_REDIRECT` environment variable: when enabled with a single configured OAuth provider, an unauthenticated visit to `/auth` redirects straight to the provider, removing the extra "Continue with" click. Visit `/auth?form=true` to reach the local login form. ### Changed - None. ### Deprecated - None. ### Removed - None. ### Fixed - None. ### Security - None. ### Breaking Changes - None. --- ### Additional Information **Behavior.** When `OAUTH_AUTO_REDIRECT=true` and exactly one OAuth provider is configured, an unauthenticated visit to `/auth` redirects straight to `/oauth/{provider}/login`. The redirect is suppressed when the local login form is explicitly requested (`/auth?form=true`), after a failed sign-in (`/auth?error=...`), for an already-authenticated session, when a token is present, during first-run onboarding, and under trusted-header auth. **Why a setting and not a smart default.** Auto-redirect cannot be defaulted on — it would break every deployment that uses the local login form or has multiple providers, and would silently change behavior for existing installs. It is therefore opt-in (`Default: False`). **Implementation.** - Backend: `OAUTH_AUTO_REDIRECT` config variable (`config.py`), wired into `app.state.config` and exposed as `oauth.auto_redirect` in `/api/config` (`main.py`). - Frontend: the redirect decision is a pure function (`src/lib/utils/oauth.ts`) called from the auth page's `onMount`. **Commit structure.** Three commits, ordered so the test commits can be dropped independently of the feature: 1. `feat:` — the feature 2. `test:` — vitest unit coverage of the redirect decision (runs in the existing `frontend.yaml` unit-tests job) 3. `test:` — backend pytest (env-to-config wiring + a mock-OIDC integration test) If you'd prefer the feature without (re)introducing backend pytest files, commit 3 is last and can be dropped on its own — the feature and the frontend test stay intact. **Verification.** - Manual: verified end-to-end in a container — `/auth` redirects to the provider and completes login via the callback; `/auth?form=true` shows the local form; `/auth?error=` keeps the page and surfaces the error. - `vitest` — `src/lib/utils/oauth.test.ts` covers every guard branch of the redirect decision. - `pytest` — `test_oauth_auto_redirect.py` (env-to-config wiring) and `test_oauth_auto_redirect_integration.py` (boots the app against an in-process mock OIDC provider; asserts `/api/config` exposes `oauth.auto_redirect` and `/oauth/oidc/login` redirects to the IdP). ### Screenshots or Videos - Not applicable — the change is a redirect; behavior is covered by the verification steps above. ### Contributor License Agreement - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-21 17:18:28 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#131602