[GH-ISSUE #9632] OAuth names and emails suppressed on certain OIDC instances #135315

Closed
opened 2026-05-25 02:06:07 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @gabrc52 on GitHub (Feb 8, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/9632

Bug Report

On OAuth providers that return identity tokens that are less complete than querying the user info endpoint (i.e. only sub and no name or email), Open WebUI never queries the user info endpoint resulting in those claims being suppressed and unusable.

Installation Method

pip in venv

Environment

  • Open WebUI Version: v0.5.10

  • Ollama (if applicable): yes

  • Operating System: Linux

  • Browser (if applicable): Firefox 133

Confirmation:

  • I have read and followed all the instructions provided in the README.md.
  • I am on the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Description

Bug Summary:
On OAuth providers that return identity tokens that are less complete than querying the user info endpoint (i.e. only sub and no name or email), Open WebUI never queries the user info endpoint resulting in those claims being suppressed and unusable.

Expected Behavior:

Open WebUI can find name and email from the user info, assuming OAUTH_USERNAME_CLAIM=name and OAUTH_EMAIL_CLAIM=email

Actual Behavior:

Open WebUI can only find sub, so it fails at authenticating unless one uses the workaround to set the name and username to sub.

Reproduction Details

Steps to Reproduce:

  1. Host an OpenID Connect server (e.g. using SATOSA) whose JWTs contain only sub and to get the name or email you have to query the user info endpoint.
  2. Create a client id and secret
  3. Set environment variables ENABLE_OAUTH_SIGNUP=true, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OPENID_PROVIDER_URL, OPENID_REDIRECT_URI, leaving other default values.

Logs and Screenshots

Docker Container Logs:
We are not using docker but this is the log part from journalctl:

INFO:     10.31.142.175:0 - "GET /oauth/oidc/login HTTP/1.1" 302 Found
INFO:     ('10.31.142.175', 0) - "WebSocket /ws/socket.io/?EIO=4&transport=websocket" [accepted]
INFO:     connection open
INFO:     connection closed
WARNI [open_webui.utils.oauth] OAuth callback failed, email is missing: {'iss': 'https://petrock.mit.edu', 'sub': 'rgabriel@mit.edu', 'aud': ['xxxxxxxxxxxx'], 'iat': 1738980398, 'exp': 1738983998, 'at_hash': 'xxxxxxxxxxxxxxxxxxxxxx', 'nonce': 'xxxxxxxxxxxxxxxxxxxx'}
INFO:     10.31.142.175:0 - "GET /oauth/oidc/callback?code=652c929cec9e4c938857950043efe204&state=ymgSQOBktYEJjY0wtOi23cvQG4RmXO HTTP/1.1" 400 Bad Request

Additional Information

We are using https://github.com/IdentityPython/SATOSA as an OpenID Connect provider for Open WebUI.

In this case, our OIDC provider gives id tokens that look like this (they contain only sub):

{'iss': 'https://petrock.mit.edu', 'sub': 'rgabriel@mit.edu', 'aud': ['xxxxxxxxxxxx'], 'iat': 1738985157, 'exp': 1738988757, 'at_hash': 'xxxxxxxxxx-xxxxxxxxxxx', 'nonce': 'xxxxxxxxxxxxxxxxxxxx'}

However, our user info HTTPS endpoint is more complete and also returns email, name, given_name and family_name.

As a result, if a user tries to login they will get the following error: {"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}

And this will be in the logs: OAuth callback failed, email is missing

A workaround for such an instance would be to set the following environment variables, however this makes it impossible to get users' names and also relies on the implementation detail (bug?) of sub coincidentally containing the email address.

OAUTH_USERNAME_CLAIM="sub"
OAUTH_EMAIL_CLAIM="sub" 

We believe that the issue lies in backend/open_webui/utils/oauth.py line 196:

        user_data: UserInfo = token.get("userinfo")
        if not user_data:
            user_data: UserInfo = await client.userinfo(token=token)

Because user_data contains something, even if it is incomplete, client.userinfo never gets called because user_data is truthy. We believe that it should be called anyways to complete the missing user info (i.e. user_data.update(await client.userinfo(token=token)). Alternatively, it could call userinfo only if it finds that the identity token/JWT is incomplete (instead of raising an exception that the id token does not contain an email, try to get the email from the userinfo endpoint).

Originally created by @gabrc52 on GitHub (Feb 8, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/9632 ## Bug Report On OAuth providers that return identity tokens that are less complete than querying the user info endpoint (i.e. only `sub` and no `name` or `email`), Open WebUI never queries the user info endpoint resulting in those claims being suppressed and unusable. ## Installation Method pip in venv ## Environment - **Open WebUI Version:** v0.5.10 - **Ollama (if applicable):** yes - **Operating System:** Linux - **Browser (if applicable):** Firefox 133 **Confirmation:** - [x] I have read and followed all the instructions provided in the README.md. - [x] I am on the latest version of both Open WebUI and Ollama. - [ ] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below. ## Description **Bug Summary:** On OAuth providers that return identity tokens that are less complete than querying the user info endpoint (i.e. only `sub` and no `name` or `email`), Open WebUI never queries the user info endpoint resulting in those claims being suppressed and unusable. ## Expected Behavior: Open WebUI can find `name` and `email` from the user info, assuming `OAUTH_USERNAME_CLAIM=name` and `OAUTH_EMAIL_CLAIM=email` ## Actual Behavior: Open WebUI can only find `sub`, so it fails at authenticating unless one uses the workaround to set the name and username to `sub`. ## Reproduction Details **Steps to Reproduce:** 1. Host an OpenID Connect server (e.g. using SATOSA) whose JWTs contain only `sub` and to get the `name` or `email` you have to query the user info endpoint. 2. Create a client id and secret 3. Set environment variables `ENABLE_OAUTH_SIGNUP=true`, `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, `OPENID_PROVIDER_URL`, `OPENID_REDIRECT_URI`, leaving other default values. ## Logs and Screenshots **Docker Container Logs:** We are not using docker but this is the log part from journalctl: ``` INFO: 10.31.142.175:0 - "GET /oauth/oidc/login HTTP/1.1" 302 Found INFO: ('10.31.142.175', 0) - "WebSocket /ws/socket.io/?EIO=4&transport=websocket" [accepted] INFO: connection open INFO: connection closed WARNI [open_webui.utils.oauth] OAuth callback failed, email is missing: {'iss': 'https://petrock.mit.edu', 'sub': 'rgabriel@mit.edu', 'aud': ['xxxxxxxxxxxx'], 'iat': 1738980398, 'exp': 1738983998, 'at_hash': 'xxxxxxxxxxxxxxxxxxxxxx', 'nonce': 'xxxxxxxxxxxxxxxxxxxx'} INFO: 10.31.142.175:0 - "GET /oauth/oidc/callback?code=652c929cec9e4c938857950043efe204&state=ymgSQOBktYEJjY0wtOi23cvQG4RmXO HTTP/1.1" 400 Bad Request ``` ## Additional Information We are using [https://github.com/IdentityPython/SATOSA](SATOSA) as an OpenID Connect provider for Open WebUI. In this case, our OIDC provider gives id tokens that look like this (they contain only `sub`): ``` {'iss': 'https://petrock.mit.edu', 'sub': 'rgabriel@mit.edu', 'aud': ['xxxxxxxxxxxx'], 'iat': 1738985157, 'exp': 1738988757, 'at_hash': 'xxxxxxxxxx-xxxxxxxxxxx', 'nonce': 'xxxxxxxxxxxxxxxxxxxx'} ``` However, our user info HTTPS endpoint is more complete and also returns `email`, `name`, `given_name` and `family_name`. As a result, if a user tries to login they will get the following error: `{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}` And this will be in the logs: `OAuth callback failed, email is missing` A workaround for such an instance would be to set the following environment variables, however this makes it impossible to get users' names and also relies on the implementation detail (bug?) of `sub` coincidentally containing the email address. ``` OAUTH_USERNAME_CLAIM="sub" OAUTH_EMAIL_CLAIM="sub" ``` We believe that the issue lies in `backend/open_webui/utils/oauth.py` line 196: ```py user_data: UserInfo = token.get("userinfo") if not user_data: user_data: UserInfo = await client.userinfo(token=token) ``` Because `user_data` contains something, even if it is incomplete, `client.userinfo` never gets called because `user_data` is truthy. We believe that it should be called anyways to complete the missing user info (i.e. `user_data.update(await client.userinfo(token=token))`. Alternatively, it could call userinfo only if it finds that the identity token/JWT is incomplete (instead of raising an exception that the id token does not contain an email, try to get the email from the userinfo endpoint).
Author
Owner

@gabrc52 commented on GitHub (Feb 8, 2025):

Wow, this has been annoying us for a while and we only decided to debug now but it seems like it is actually solved 2 days ago in https://github.com/open-webui/open-webui/pull/9456

It simply has not made it to main or a release so the changes haven't made it to production...

Also, I guess we wrote everything without realizing that this issue is also a duplicate of #9452, which was also filed 2 days ago...

<!-- gh-comment-id:2644497556 --> @gabrc52 commented on GitHub (Feb 8, 2025): Wow, this has been annoying us for a while and we only decided to debug now but it seems like it is actually solved 2 days ago in https://github.com/open-webui/open-webui/pull/9456 It simply has not made it to `main` or a release so the changes haven't made it to production... Also, I guess we wrote everything without realizing that this issue is also a duplicate of #9452, which was also filed 2 days ago...
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#135315