[GH-ISSUE #17241] issue: OAuth with MS Entry stopped working #137944

Closed
opened 2026-05-25 08:53:09 -05:00 by GiteaMirror · 15 comments
Owner

Originally created by @jdeepwell on GitHub (Sep 6, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17241

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.26

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04.5 LTS

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

After successful MS Entry OAuth being logged in to OpenWebUI (as it was in previous OpenWebUI versions)

Actual Behavior

MS Entra OAuth works, but user is being sent back to OpenWebUI Auth page

Steps to Reproduce

  1. Configure OAuth in MS Entra and OpenWebUI env
  2. Open OpenWebUI in Browser
  3. Click the "Continue with Microsoft" button
  4. Authenticate at MS

Logs & Screenshots

Log excerpt using OpenID OAuth provider

2025-09-06 09:24:10.316 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None
2025-09-06 09:24:10.363 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07ffbe3990>
2025-09-06 09:24:10.363 | DEBUG    | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7f07fc498ef0> server_hostname='login.microsoftonline.com' timeout=5.0
2025-09-06 09:24:10.432 | DEBUG    | httpcore._trace:atrace:87 - start_tls.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07ffc65250>
2025-09-06 09:24:10.433 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'GET']>
2025-09-06 09:24:10.433 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.complete
2025-09-06 09:24:10.433 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'GET']>
2025-09-06 09:24:10.433 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.complete
2025-09-06 09:24:10.433 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'GET']>
2025-09-06 09:24:10.470 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'max-age=86400, private'), (b'Content-Type', b'application/json; charset=utf-8'), (b'Strict-Transport-Security', b'max-age=31536000; includeSubDomains'), (b'X-Content-Type-Options', b'nosniff'), (b'Access-Control-Allow-Origin', b'*'), (b'Access-Control-Allow-Methods', b'GET, OPTIONS'), (b'P3P', b'CP="DSP CUR OTPi IND OTRi ONL FIN"'), (b'x-ms-request-id', b'xxxxxxxxxxxxx'), (b'x-ms-ests-server', b'2.1.21665.8 - NEULR1 ProdSlices'), (b'x-ms-srs', b'1.P'), (b'Content-Security-Policy-Report-Only', b"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-xxxxxxx' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All"), (b'X-XSS-Protection', b'0'), (b'Set-Cookie', b'fpc=AuUn_6zPBE9Ps1lbhRxodEc; expires=Mon, 06-Oct-2025 09:24:10 GMT; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'esctx=xxxxxxxxxxxxxx; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly'), (b'Date', b'Sat, 06 Sep 2025 09:24:09 GMT'), (b'Content-Length', b'1753')])
2025-09-06 09:24:10.471 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: GET https://login.microsoftonline.com/xxxxxxxx/v2.0/.well-known/openid-configuration "HTTP/1.1 200 OK"
2025-09-06 09:24:10.471 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'GET']>
2025-09-06 09:24:10.472 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.complete
2025-09-06 09:24:10.472 | DEBUG    | httpcore._trace:atrace:87 - response_closed.started
2025-09-06 09:24:10.472 | DEBUG    | httpcore._trace:atrace:87 - response_closed.complete
2025-09-06 09:24:10.472 | DEBUG    | httpcore._trace:atrace:87 - close.started
2025-09-06 09:24:10.472 | DEBUG    | httpcore._trace:atrace:87 - close.complete
2025-09-06 09:24:10.502 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /oauth/oidc/login HTTP/1.1" 302
2025-09-06 09:24:10.752 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None
2025-09-06 09:24:10.797 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07ffd41fd0>
2025-09-06 09:24:10.797 | DEBUG    | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7f07ff91a9f0> server_hostname='login.microsoftonline.com' timeout=5.0
2025-09-06 09:24:10.869 | DEBUG    | httpcore._trace:atrace:87 - start_tls.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07fc46ec90>
2025-09-06 09:24:10.869 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'POST']>
2025-09-06 09:24:10.869 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.complete
2025-09-06 09:24:10.870 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'POST']>
2025-09-06 09:24:10.870 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.complete
2025-09-06 09:24:10.870 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'POST']>
2025-09-06 09:24:10.983 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'no-store, no-cache'), (b'Pragma', b'no-cache'), (b'Content-Type', b'application/json; charset=utf-8'), (b'Expires', b'-1'), (b'Strict-Transport-Security', b'max-age=31536000; includeSubDomains'), (b'X-Content-Type-Options', b'nosniff'), (b'P3P', b'CP="DSP CUR OTPi IND OTRi ONL FIN"'), (b'x-ms-request-id', b'xxxxxxxxxxxx'), (b'x-ms-ests-server', b'2.1.21665.8 - NEULR1 ProdSlices'), (b'x-ms-srs', b'1.P'), (b'Content-Security-Policy-Report-Only', b"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-vWDOU3d9PeZVP3Iq4v3sPA' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All"), (b'X-XSS-Protection', b'0'), (b'Set-Cookie', b'fpc=xxxxxxxxxxxxx; expires=Mon, 06-Oct-2025 09:24:10 GMT; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly'), (b'Date', b'Sat, 06 Sep 2025 09:24:10 GMT'), (b'Content-Length', b'3922')])
2025-09-06 09:24:10.984 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: POST https://login.microsoftonline.com/xxxxxxxxxxxxxxxx/oauth2/v2.0/token "HTTP/1.1 200 OK"
2025-09-06 09:24:10.984 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'POST']>
2025-09-06 09:24:10.984 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.complete
2025-09-06 09:24:10.984 | DEBUG    | httpcore._trace:atrace:87 - response_closed.started
2025-09-06 09:24:10.984 | DEBUG    | httpcore._trace:atrace:87 - response_closed.complete
2025-09-06 09:24:10.985 | DEBUG    | httpcore._trace:atrace:87 - close.started
2025-09-06 09:24:10.985 | DEBUG    | httpcore._trace:atrace:87 - close.complete
2025-09-06 09:24:11.026 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None
2025-09-06 09:24:11.072 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07fc4d5e10>
2025-09-06 09:24:11.072 | DEBUG    | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7f07fc4991c0> server_hostname='login.microsoftonline.com' timeout=5.0
2025-09-06 09:24:11.142 | DEBUG    | httpcore._trace:atrace:87 - start_tls.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07fc4d5d90>
2025-09-06 09:24:11.142 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'GET']>
2025-09-06 09:24:11.143 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.complete
2025-09-06 09:24:11.143 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'GET']>
2025-09-06 09:24:11.143 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.complete
2025-09-06 09:24:11.144 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'GET']>
2025-09-06 09:24:11.180 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'max-age=86400, private'), (b'Content-Type', b'application/json; charset=utf-8'), (b'Strict-Transport-Security', b'max-age=31536000; includeSubDomains'), (b'X-Content-Type-Options', b'nosniff'), (b'Access-Control-Allow-Origin', b'*'), (b'Access-Control-Allow-Methods', b'GET, OPTIONS'), (b'P3P', b'CP="DSP CUR OTPi IND OTRi ONL FIN"'), (b'x-ms-request-id', b'xxxxxxxxxxx'), (b'x-ms-ests-server', b'2.1.21665.8 - NEULR1 ProdSlices'), (b'x-ms-srs', b'1.P'), (b'Content-Security-Policy-Report-Only', b"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-jZMxqwcSHXhV6x97UarRzw' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All"), (b'X-XSS-Protection', b'0'), (b'Set-Cookie', b'fpc=xxxxxxxxxxxxxxx; expires=Mon, 06-Oct-2025 09:24:11 GMT; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'esctx=xxxxxxxxxxxx; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly'), (b'Date', b'Sat, 06 Sep 2025 09:24:11 GMT'), (b'Content-Length', b'4865')])
2025-09-06 09:24:11.181 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: GET https://login.microsoftonline.com/xxxxxxxxxxxx/discovery/v2.0/keys "HTTP/1.1 200 OK"
2025-09-06 09:24:11.181 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'GET']>
2025-09-06 09:24:11.182 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.complete
2025-09-06 09:24:11.182 | DEBUG    | httpcore._trace:atrace:87 - response_closed.started
2025-09-06 09:24:11.182 | DEBUG    | httpcore._trace:atrace:87 - response_closed.complete
2025-09-06 09:24:11.182 | DEBUG    | httpcore._trace:atrace:87 - close.started
2025-09-06 09:24:11.182 | DEBUG    | httpcore._trace:atrace:87 - close.complete
2025-09-06 09:24:11.192 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /oauth/oidc/callback?code=1.ATAAZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 307
2025-09-06 09:24:11.232 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /auth HTTP/1.1" 200
2025-09-06 09:24:11.298 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/loader.js HTTP/1.1" 200
2025-09-06 09:24:11.300 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/custom.css HTTP/1.1" 200
2025-09-06 09:24:11.335 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/splash-dark.png HTTP/1.1" 200
2025-09-06 09:24:11.339 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/splash.png HTTP/1.1" 200
2025-09-06 09:24:11.377 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/apple-touch-icon.png HTTP/1.1" 200
2025-09-06 09:24:11.399 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /api/config HTTP/1.1" 200
2025-09-06 09:24:11.438 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/favicon-dark.png HTTP/1.1" 200

Log excerpt using Microsoft OAuth provider

2025-09-06 10:23:09.130 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None
2025-09-06 10:23:09.175 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<xxxxxx>
2025-09-06 10:23:09.175 | DEBUG    | httpcore._trace:atrace:87 - start_tls.started ssl_context=<xxxxxx> server_hostname='xxxxxx' timeout=5.0
2025-09-06 10:23:09.246 | DEBUG    | httpcore._trace:atrace:87 - start_tls.complete return_value=<xxxxxx>
2025-09-06 10:23:09.247 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'POST']>
2025-09-06 10:23:09.247 | DEBUG    | httpcore._trace:atrace:87 - send_request_headers.complete
2025-09-06 10:23:09.247 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'POST']>
2025-09-06 10:23:09.247 | DEBUG    | httpcore._trace:atrace:87 - send_request_body.complete
2025-09-06 10:23:09.247 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'POST']>
2025-09-06 10:23:09.384 | DEBUG    | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'xxxxxx'), (b'Pragma', b'xxxxxx'), (b'Content-Type', b'xxxxxx'), (b'Expires', b'xxxxxx'), (b'Strict-Transport-Security', b'xxxxxx'), (b'X-Content-Type-Options', b'xxxxxx'), (b'P3P', b'xxxxxx'), (b'x-ms-request-id', b'xxxxxx'), (b'x-ms-ests-server', b'xxxxxx'), (b'x-ms-srs', b'xxxxxx'), (b'Content-Security-Policy-Report-Only', b'xxxxxx'), (b'X-XSS-Protection', b'xxxxxx'), (b'Set-Cookie', b'xxxxxx; expires=xxxxxx; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'xxxxxx; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'xxxxxx; path=/; secure; samesite=none; httponly'), (b'Date', b'xxxxxx'), (b'Content-Length', b'xxxxxx')])
2025-09-06 10:23:09.385 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: POST https:///login.microsoftonline.com/xxxxxx/oauth2/v2.0/token "HTTP/1.1 200 OK"
2025-09-06 10:23:09.385 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'POST']>
2025-09-06 10:23:09.385 | DEBUG    | httpcore._trace:atrace:87 - receive_response_body.complete
2025-09-06 10:23:09.385 | DEBUG    | httpcore._trace:atrace:87 - response_closed.started
2025-09-06 10:23:09.385 | DEBUG    | httpcore._trace:atrace:87 - response_closed.complete
2025-09-06 10:23:09.386 | DEBUG    | httpcore._trace:atrace:87 - close.started
2025-09-06 10:23:09.386 | DEBUG    | httpcore._trace:atrace:87 - close.complete
2025-09-06 10:23:09.540 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /oauth/microsoft/callback?code=xxxxxx&state=xxxxxx&session_state=xxxxxx HTTP/1.1" 307
2025-09-06 10:23:09.581 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /auth HTTP/1.1" 200
2025-09-06 10:23:09.654 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/loader.js HTTP/1.1" 200
2025-09-06 10:23:09.758 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /api/config HTTP/1.1" 200

Browser console output:

No token found in localStorage, user-join event not emitted +layout.svelte:95:13

Additional Information

I was using MS Auth for some time now and it worked fine. The configuration in OpenWebUI, Apache and MS Entra was not changed, but MS OAuth in OpenWebUI stopped working. I am not sure with which update this started, because each already logged in users still works fine. But fresh users (or after clearing out all cookies for a currently logged in user) fail.

When everything is clean (no auth with MS yet or all cookies cleared), clicking the "Continue with Microsoft SSO" button on the login page sends me to the MS login. I can then perform the login there fine but when coming back OpenWebUI I again end up on the login page. Clicking the "Continue with Microsoft SSO" there again, again ends up at the login page (after a redirect round trip to MS).

I can tell that the MS auth worked, because if I then go to one of our other servers that's using the same auth, I'm logged in there.

Also: If I delete the oauth_sub value for a user and try to login via MS OAth, I get a new oauth_sub value ("oidc@....") - I assume that should mean that the OAuth basically worked. But nevertheless I always end up at the login page.

I see now error message in the logs.

I also switched to debug log mode ("GLOBAL_LOG_LEVEL=DEBUG") - still no error message.

Setup with generic OpenID (OIDC) OAuth:

OAUTH_CLIENT_ID=xxxx
OAUTH_CLIENT_SECRET=xxxx
OPENID_PROVIDER_URL=https://login.microsoftonline.com/xxxx/v2.0/.well-known/openid-configuration
OAUTH_PROVIDER_NAME=Microsoft SSO
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
WEBUI_URL=https://x.x.x.x
ENABLE_ADMIN_CHAT_ACCESS=false
WEBUI_SECRET_KEY=xxxxxx
GLOBAL_LOG_LEVEL=DEBUG

I also tried switching from the generic OpenID (OIDC) OAuth provider to the specific Microsoft one - same behaviour.

Setup with explicit MS OAuth:

ENABLE_LOGIN_FORM=false
ENABLE_OAUTH_SIGNUP=true
ENABLE_OAUTH_PERSISTENT_CONFIG=false
OAUTH_UPDATE_PICTURE_ON_LOGIN=true
MICROSOFT_CLIENT_ID=xxxxx
MICROSOFT_CLIENT_SECRET=xxxxx
MICROSOFT_CLIENT_TENANT_ID=xxxxx
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
WEBUI_URL=https://x.x.x.x
ENABLE_ADMIN_CHAT_ACCESS=false
WEBUI_SECRET_KEY=xxxxx
GLOBAL_LOG_LEVEL=DEBUG

Here's the flow, when I already authenticated with MS:

(x.x.x.x beeing a placeholder for our server name)

When clicking the "Continue with Microsoft SSO" button on the login page I get directed to https://login.microsoftonline.com/.../oauth2/v2.0/authorize?.... That in turn then redirects to https://x.x.x.x/oauth/oidc/callback?code=... but ends up showing the login page again (the request to /oauth/oidc/callback?... redirects to the /auth page again)

Originally created by @jdeepwell on GitHub (Sep 6, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/17241 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.6.26 ### Ollama Version (if applicable) _No response_ ### Operating System Ubuntu 22.04.5 LTS ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior After successful MS Entry OAuth being logged in to OpenWebUI (as it was in previous OpenWebUI versions) ### Actual Behavior MS Entra OAuth works, but user is being sent back to OpenWebUI Auth page ### Steps to Reproduce 1. Configure OAuth in MS Entra and OpenWebUI env 2. Open OpenWebUI in Browser 3. Click the "Continue with Microsoft" button 4. Authenticate at MS ### Logs & Screenshots Log excerpt using OpenID OAuth provider ``` 2025-09-06 09:24:10.316 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None 2025-09-06 09:24:10.363 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07ffbe3990> 2025-09-06 09:24:10.363 | DEBUG | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7f07fc498ef0> server_hostname='login.microsoftonline.com' timeout=5.0 2025-09-06 09:24:10.432 | DEBUG | httpcore._trace:atrace:87 - start_tls.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07ffc65250> 2025-09-06 09:24:10.433 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'GET']> 2025-09-06 09:24:10.433 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.complete 2025-09-06 09:24:10.433 | DEBUG | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'GET']> 2025-09-06 09:24:10.433 | DEBUG | httpcore._trace:atrace:87 - send_request_body.complete 2025-09-06 09:24:10.433 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'GET']> 2025-09-06 09:24:10.470 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'max-age=86400, private'), (b'Content-Type', b'application/json; charset=utf-8'), (b'Strict-Transport-Security', b'max-age=31536000; includeSubDomains'), (b'X-Content-Type-Options', b'nosniff'), (b'Access-Control-Allow-Origin', b'*'), (b'Access-Control-Allow-Methods', b'GET, OPTIONS'), (b'P3P', b'CP="DSP CUR OTPi IND OTRi ONL FIN"'), (b'x-ms-request-id', b'xxxxxxxxxxxxx'), (b'x-ms-ests-server', b'2.1.21665.8 - NEULR1 ProdSlices'), (b'x-ms-srs', b'1.P'), (b'Content-Security-Policy-Report-Only', b"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-xxxxxxx' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All"), (b'X-XSS-Protection', b'0'), (b'Set-Cookie', b'fpc=AuUn_6zPBE9Ps1lbhRxodEc; expires=Mon, 06-Oct-2025 09:24:10 GMT; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'esctx=xxxxxxxxxxxxxx; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly'), (b'Date', b'Sat, 06 Sep 2025 09:24:09 GMT'), (b'Content-Length', b'1753')]) 2025-09-06 09:24:10.471 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://login.microsoftonline.com/xxxxxxxx/v2.0/.well-known/openid-configuration "HTTP/1.1 200 OK" 2025-09-06 09:24:10.471 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'GET']> 2025-09-06 09:24:10.472 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.complete 2025-09-06 09:24:10.472 | DEBUG | httpcore._trace:atrace:87 - response_closed.started 2025-09-06 09:24:10.472 | DEBUG | httpcore._trace:atrace:87 - response_closed.complete 2025-09-06 09:24:10.472 | DEBUG | httpcore._trace:atrace:87 - close.started 2025-09-06 09:24:10.472 | DEBUG | httpcore._trace:atrace:87 - close.complete 2025-09-06 09:24:10.502 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /oauth/oidc/login HTTP/1.1" 302 2025-09-06 09:24:10.752 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None 2025-09-06 09:24:10.797 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07ffd41fd0> 2025-09-06 09:24:10.797 | DEBUG | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7f07ff91a9f0> server_hostname='login.microsoftonline.com' timeout=5.0 2025-09-06 09:24:10.869 | DEBUG | httpcore._trace:atrace:87 - start_tls.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07fc46ec90> 2025-09-06 09:24:10.869 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'POST']> 2025-09-06 09:24:10.869 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.complete 2025-09-06 09:24:10.870 | DEBUG | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'POST']> 2025-09-06 09:24:10.870 | DEBUG | httpcore._trace:atrace:87 - send_request_body.complete 2025-09-06 09:24:10.870 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'POST']> 2025-09-06 09:24:10.983 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'no-store, no-cache'), (b'Pragma', b'no-cache'), (b'Content-Type', b'application/json; charset=utf-8'), (b'Expires', b'-1'), (b'Strict-Transport-Security', b'max-age=31536000; includeSubDomains'), (b'X-Content-Type-Options', b'nosniff'), (b'P3P', b'CP="DSP CUR OTPi IND OTRi ONL FIN"'), (b'x-ms-request-id', b'xxxxxxxxxxxx'), (b'x-ms-ests-server', b'2.1.21665.8 - NEULR1 ProdSlices'), (b'x-ms-srs', b'1.P'), (b'Content-Security-Policy-Report-Only', b"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-vWDOU3d9PeZVP3Iq4v3sPA' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All"), (b'X-XSS-Protection', b'0'), (b'Set-Cookie', b'fpc=xxxxxxxxxxxxx; expires=Mon, 06-Oct-2025 09:24:10 GMT; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly'), (b'Date', b'Sat, 06 Sep 2025 09:24:10 GMT'), (b'Content-Length', b'3922')]) 2025-09-06 09:24:10.984 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https://login.microsoftonline.com/xxxxxxxxxxxxxxxx/oauth2/v2.0/token "HTTP/1.1 200 OK" 2025-09-06 09:24:10.984 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'POST']> 2025-09-06 09:24:10.984 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.complete 2025-09-06 09:24:10.984 | DEBUG | httpcore._trace:atrace:87 - response_closed.started 2025-09-06 09:24:10.984 | DEBUG | httpcore._trace:atrace:87 - response_closed.complete 2025-09-06 09:24:10.985 | DEBUG | httpcore._trace:atrace:87 - close.started 2025-09-06 09:24:10.985 | DEBUG | httpcore._trace:atrace:87 - close.complete 2025-09-06 09:24:11.026 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None 2025-09-06 09:24:11.072 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07fc4d5e10> 2025-09-06 09:24:11.072 | DEBUG | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7f07fc4991c0> server_hostname='login.microsoftonline.com' timeout=5.0 2025-09-06 09:24:11.142 | DEBUG | httpcore._trace:atrace:87 - start_tls.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7f07fc4d5d90> 2025-09-06 09:24:11.142 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'GET']> 2025-09-06 09:24:11.143 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.complete 2025-09-06 09:24:11.143 | DEBUG | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'GET']> 2025-09-06 09:24:11.143 | DEBUG | httpcore._trace:atrace:87 - send_request_body.complete 2025-09-06 09:24:11.144 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'GET']> 2025-09-06 09:24:11.180 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'max-age=86400, private'), (b'Content-Type', b'application/json; charset=utf-8'), (b'Strict-Transport-Security', b'max-age=31536000; includeSubDomains'), (b'X-Content-Type-Options', b'nosniff'), (b'Access-Control-Allow-Origin', b'*'), (b'Access-Control-Allow-Methods', b'GET, OPTIONS'), (b'P3P', b'CP="DSP CUR OTPi IND OTRi ONL FIN"'), (b'x-ms-request-id', b'xxxxxxxxxxx'), (b'x-ms-ests-server', b'2.1.21665.8 - NEULR1 ProdSlices'), (b'x-ms-srs', b'1.P'), (b'Content-Security-Policy-Report-Only', b"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-jZMxqwcSHXhV6x97UarRzw' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All"), (b'X-XSS-Protection', b'0'), (b'Set-Cookie', b'fpc=xxxxxxxxxxxxxxx; expires=Mon, 06-Oct-2025 09:24:11 GMT; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'esctx=xxxxxxxxxxxx; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'stsservicecookie=estsfd; path=/; secure; samesite=none; httponly'), (b'Date', b'Sat, 06 Sep 2025 09:24:11 GMT'), (b'Content-Length', b'4865')]) 2025-09-06 09:24:11.181 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://login.microsoftonline.com/xxxxxxxxxxxx/discovery/v2.0/keys "HTTP/1.1 200 OK" 2025-09-06 09:24:11.181 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'GET']> 2025-09-06 09:24:11.182 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.complete 2025-09-06 09:24:11.182 | DEBUG | httpcore._trace:atrace:87 - response_closed.started 2025-09-06 09:24:11.182 | DEBUG | httpcore._trace:atrace:87 - response_closed.complete 2025-09-06 09:24:11.182 | DEBUG | httpcore._trace:atrace:87 - close.started 2025-09-06 09:24:11.182 | DEBUG | httpcore._trace:atrace:87 - close.complete 2025-09-06 09:24:11.192 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /oauth/oidc/callback?code=1.ATAAZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 307 2025-09-06 09:24:11.232 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /auth HTTP/1.1" 200 2025-09-06 09:24:11.298 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/loader.js HTTP/1.1" 200 2025-09-06 09:24:11.300 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/custom.css HTTP/1.1" 200 2025-09-06 09:24:11.335 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/splash-dark.png HTTP/1.1" 200 2025-09-06 09:24:11.339 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/splash.png HTTP/1.1" 200 2025-09-06 09:24:11.377 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/apple-touch-icon.png HTTP/1.1" 200 2025-09-06 09:24:11.399 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /api/config HTTP/1.1" 200 2025-09-06 09:24:11.438 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/favicon-dark.png HTTP/1.1" 200 ``` Log excerpt using Microsoft OAuth provider ``` 2025-09-06 10:23:09.130 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.started host='login.microsoftonline.com' port=443 local_address=None timeout=5.0 socket_options=None 2025-09-06 10:23:09.175 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<xxxxxx> 2025-09-06 10:23:09.175 | DEBUG | httpcore._trace:atrace:87 - start_tls.started ssl_context=<xxxxxx> server_hostname='xxxxxx' timeout=5.0 2025-09-06 10:23:09.246 | DEBUG | httpcore._trace:atrace:87 - start_tls.complete return_value=<xxxxxx> 2025-09-06 10:23:09.247 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.started request=<Request [b'POST']> 2025-09-06 10:23:09.247 | DEBUG | httpcore._trace:atrace:87 - send_request_headers.complete 2025-09-06 10:23:09.247 | DEBUG | httpcore._trace:atrace:87 - send_request_body.started request=<Request [b'POST']> 2025-09-06 10:23:09.247 | DEBUG | httpcore._trace:atrace:87 - send_request_body.complete 2025-09-06 10:23:09.247 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'POST']> 2025-09-06 10:23:09.384 | DEBUG | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Cache-Control', b'xxxxxx'), (b'Pragma', b'xxxxxx'), (b'Content-Type', b'xxxxxx'), (b'Expires', b'xxxxxx'), (b'Strict-Transport-Security', b'xxxxxx'), (b'X-Content-Type-Options', b'xxxxxx'), (b'P3P', b'xxxxxx'), (b'x-ms-request-id', b'xxxxxx'), (b'x-ms-ests-server', b'xxxxxx'), (b'x-ms-srs', b'xxxxxx'), (b'Content-Security-Policy-Report-Only', b'xxxxxx'), (b'X-XSS-Protection', b'xxxxxx'), (b'Set-Cookie', b'xxxxxx; expires=xxxxxx; path=/; secure; HttpOnly; SameSite=None'), (b'Set-Cookie', b'xxxxxx; path=/; secure; samesite=none; httponly'), (b'Set-Cookie', b'xxxxxx; path=/; secure; samesite=none; httponly'), (b'Date', b'xxxxxx'), (b'Content-Length', b'xxxxxx')]) 2025-09-06 10:23:09.385 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https:///login.microsoftonline.com/xxxxxx/oauth2/v2.0/token "HTTP/1.1 200 OK" 2025-09-06 10:23:09.385 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.started request=<Request [b'POST']> 2025-09-06 10:23:09.385 | DEBUG | httpcore._trace:atrace:87 - receive_response_body.complete 2025-09-06 10:23:09.385 | DEBUG | httpcore._trace:atrace:87 - response_closed.started 2025-09-06 10:23:09.385 | DEBUG | httpcore._trace:atrace:87 - response_closed.complete 2025-09-06 10:23:09.386 | DEBUG | httpcore._trace:atrace:87 - close.started 2025-09-06 10:23:09.386 | DEBUG | httpcore._trace:atrace:87 - close.complete 2025-09-06 10:23:09.540 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /oauth/microsoft/callback?code=xxxxxx&state=xxxxxx&session_state=xxxxxx HTTP/1.1" 307 2025-09-06 10:23:09.581 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /auth HTTP/1.1" 200 2025-09-06 10:23:09.654 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /static/loader.js HTTP/1.1" 200 2025-09-06 10:23:09.758 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - x.x.x.x:0 - "GET /api/config HTTP/1.1" 200 ``` Browser console output: ``` No token found in localStorage, user-join event not emitted +layout.svelte:95:13 ``` ### Additional Information I was using MS Auth for some time now and it worked fine. The configuration in OpenWebUI, Apache and MS Entra was not changed, but MS OAuth in OpenWebUI stopped working. I am not sure with which update this started, because each already logged in users still works fine. But fresh users (or after clearing out all cookies for a currently logged in user) fail. When everything is clean (no auth with MS yet or all cookies cleared), clicking the "Continue with Microsoft SSO" button on the login page sends me to the MS login. I can then perform the login there fine but when coming back OpenWebUI I again end up on the login page. Clicking the "Continue with Microsoft SSO" there again, again ends up at the login page (after a redirect round trip to MS). I can tell that the MS auth worked, because if I then go to one of our other servers that's using the same auth, I'm logged in there. Also: If I delete the oauth_sub value for a user and try to login via MS OAth, I get a new oauth_sub value ("oidc@....") - I assume that should mean that the OAuth basically worked. But nevertheless I always end up at the login page. I see now error message in the logs. I also switched to debug log mode ("GLOBAL_LOG_LEVEL=DEBUG") - still no error message. Setup with generic OpenID (OIDC) OAuth: ``` OAUTH_CLIENT_ID=xxxx OAUTH_CLIENT_SECRET=xxxx OPENID_PROVIDER_URL=https://login.microsoftonline.com/xxxx/v2.0/.well-known/openid-configuration OAUTH_PROVIDER_NAME=Microsoft SSO OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true WEBUI_URL=https://x.x.x.x ENABLE_ADMIN_CHAT_ACCESS=false WEBUI_SECRET_KEY=xxxxxx GLOBAL_LOG_LEVEL=DEBUG ``` I also tried switching from the generic OpenID (OIDC) OAuth provider to the specific Microsoft one - same behaviour. Setup with explicit MS OAuth: ``` ENABLE_LOGIN_FORM=false ENABLE_OAUTH_SIGNUP=true ENABLE_OAUTH_PERSISTENT_CONFIG=false OAUTH_UPDATE_PICTURE_ON_LOGIN=true MICROSOFT_CLIENT_ID=xxxxx MICROSOFT_CLIENT_SECRET=xxxxx MICROSOFT_CLIENT_TENANT_ID=xxxxx OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true WEBUI_URL=https://x.x.x.x ENABLE_ADMIN_CHAT_ACCESS=false WEBUI_SECRET_KEY=xxxxx GLOBAL_LOG_LEVEL=DEBUG ``` Here's the flow, when I already authenticated with MS: (x.x.x.x beeing a placeholder for our server name) When clicking the "Continue with Microsoft SSO" button on the login page I get directed to `https://login.microsoftonline.com/.../oauth2/v2.0/authorize?...`. That in turn then redirects to `https://x.x.x.x/oauth/oidc/callback?code=...` but ends up showing the login page again (the request to `/oauth/oidc/callback?...` redirects to the `/auth` page again)
GiteaMirror added the bug label 2026-05-25 08:53:09 -05:00
Author
Owner

@mpuzar commented on GitHub (Sep 12, 2025):

I can confirm the exact same behavior with Microsoft SSO in v0.6.28, after upgrading from an older version where everything worked smoothly for months.

Setup here:

  • Open WebUI running in docker at localhost, mapping 3000:8080 (http)
  • haproxy running in front on port 443, adding TLS

The token and oauth_id_token are issued and seem to contain correct information and I can validate the signatures.
The tokens have the secure flag set (even though I tried disabling it with enviornment variables), so I do wonder whether that might be causing the issue.

I could find no error messages in any of the logs. It's just as if the tokens are ignored and every time it serves the non-logged-in page. I tried a lot of combinations of settings via environment variable, but nothing seems to help.

<!-- gh-comment-id:3285104876 --> @mpuzar commented on GitHub (Sep 12, 2025): I can confirm the exact same behavior with Microsoft SSO in v0.6.28, after upgrading from an older version where everything worked smoothly for months. Setup here: * Open WebUI running in docker at localhost, mapping 3000:8080 (http) * haproxy running in front on port 443, adding TLS The token and oauth_id_token are issued and seem to contain correct information and I can validate the signatures. The tokens have the secure flag set (even though I tried disabling it with enviornment variables), so I do wonder whether that might be causing the issue. I could find no error messages in any of the logs. It's just as if the tokens are ignored and every time it serves the non-logged-in page. I tried a lot of combinations of settings via environment variable, but nothing seems to help.
Author
Owner

@jdeepwell commented on GitHub (Sep 13, 2025):

I stumbled over a similar issue with LiteLLM. There it was also closely related to the token cookie, so I checked again now with OpenWebUI.

It turns out it's the very same issue:

After successful authentication via Microsoft the token cookie is set. That token cookie has the HttpOnly set to true.

As long as this is so, I get redirected to the auth page.

Once I set that cookie to HttpOnly=false it immediately works, I am logged in and can use OWUI.

Interestingly the cookie is immediately afterwards set to HttpOnly=true again, but that does not seem to hurt – I can close the window and open it up again and am still logged in can use OWUI normally.

I am assuming the JS code is trying to read that cookie, can not and therefore sends the use back to the auth page.

I am assuming that this as to do with the setup that OWUI is accessed via HTTP (not HTTPS) by the reverse-proxy (all the TLS towards the outside/user is handled by Apache in our case).

<!-- gh-comment-id:3288113660 --> @jdeepwell commented on GitHub (Sep 13, 2025): I stumbled over a similar issue with LiteLLM. There it was also closely related to the token cookie, so I checked again now with OpenWebUI. It turns out it's the very same issue: After successful authentication via Microsoft the token cookie is set. That token cookie has the `HttpOnly` set to `true`. As long as this is so, I get redirected to the auth page. Once I set that cookie to `HttpOnly=false` it immediately works, I am logged in and can use OWUI. Interestingly the cookie is immediately afterwards set to `HttpOnly=true` again, but that does not seem to hurt – I can close the window and open it up again and am still logged in can use OWUI normally. I am assuming the JS code is trying to read that cookie, can not and therefore sends the use back to the auth page. I am assuming that this as to do with the setup that OWUI is accessed via HTTP (not HTTPS) by the reverse-proxy (all the TLS towards the outside/user is handled by Apache in our case).
Author
Owner

@Classic298 commented on GitHub (Sep 13, 2025):

Setup with explicit MS OAuth:

ENABLE_LOGIN_FORM=false
ENABLE_OAUTH_SIGNUP=true
ENABLE_OAUTH_PERSISTENT_CONFIG=false
OAUTH_UPDATE_PICTURE_ON_LOGIN=true
MICROSOFT_CLIENT_ID=xxxxx
MICROSOFT_CLIENT_SECRET=xxxxx
MICROSOFT_CLIENT_TENANT_ID=xxxxx
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
WEBUI_URL=https://x.x.x.x
ENABLE_ADMIN_CHAT_ACCESS=false
WEBUI_SECRET_KEY=xxxxx
GLOBAL_LOG_LEVEL=DEBUG

You are missing OPENID_PROVIDER_URL

Also, what's your cookie settings set to?

WEBUI_SESSION_COOKIE_SAME_SITE=lax
WEBUI_AUTH_COOKIE_SAME_SITE=lax
^ these are recommended if you encounter OAUTH issues.

WEBUI_AUTH_COOKIE_SECURE=True
WEBUI_SESSION_COOKIE_SECURE=True

<!-- gh-comment-id:3288534812 --> @Classic298 commented on GitHub (Sep 13, 2025): > Setup with explicit MS OAuth: > ``` > ENABLE_LOGIN_FORM=false > ENABLE_OAUTH_SIGNUP=true > ENABLE_OAUTH_PERSISTENT_CONFIG=false > OAUTH_UPDATE_PICTURE_ON_LOGIN=true > MICROSOFT_CLIENT_ID=xxxxx > MICROSOFT_CLIENT_SECRET=xxxxx > MICROSOFT_CLIENT_TENANT_ID=xxxxx > OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true > WEBUI_URL=https://x.x.x.x > ENABLE_ADMIN_CHAT_ACCESS=false > WEBUI_SECRET_KEY=xxxxx > GLOBAL_LOG_LEVEL=DEBUG > ``` You are missing `OPENID_PROVIDER_URL` Also, what's your cookie settings set to? `WEBUI_SESSION_COOKIE_SAME_SITE=lax` `WEBUI_AUTH_COOKIE_SAME_SITE=lax` ^ these are recommended if you encounter OAUTH issues. WEBUI_AUTH_COOKIE_SECURE=True WEBUI_SESSION_COOKIE_SECURE=True
Author
Owner

@jdeepwell commented on GitHub (Sep 13, 2025):

You are missing OPENID_PROVIDER_URL

Also, what's your cookie settings set to?

WEBUI_SESSION_COOKIE_SAME_SITE=lax WEBUI_AUTH_COOKIE_SAME_SITE=lax ^ these are recommended if you encounter OAUTH issues.

WEBUI_AUTH_COOKIE_SECURE=True WEBUI_SESSION_COOKIE_SECURE=True

Hey @Classic298 - thx for the reply!

So, I added

OPENID_PROVIDER_URL=https://login.microsoftonline.com/xxx-xxx-xx-xx/v2.0/...
WEBUI_SESSION_COOKIE_SAME_SITE=lax
WEBUI_AUTH_COOKIE_SAME_SITE=lax
WEBUI_AUTH_COOKIE_SECURE=True
WEBUI_SESSION_COOKIE_SECURE=True

and updated to v0.6.28

But still the same behavior. Only difference is that I now also see the oauth_id_token and oauth_session_id cookies. But despite the fact that after authenticating @ MS I have a valid token cookie, I still am getting redirected back to the auth page. Only when I (temporarily, once) set the token cookie's HttpOnly to false am I successfully logged in and can use OWUI.

J.

Image
<!-- gh-comment-id:3288592608 --> @jdeepwell commented on GitHub (Sep 13, 2025): > You are missing `OPENID_PROVIDER_URL` > > Also, what's your cookie settings set to? > > `WEBUI_SESSION_COOKIE_SAME_SITE=lax` `WEBUI_AUTH_COOKIE_SAME_SITE=lax` ^ these are recommended if you encounter OAUTH issues. > > WEBUI_AUTH_COOKIE_SECURE=True WEBUI_SESSION_COOKIE_SECURE=True Hey @Classic298 - thx for the reply! So, I added ``` OPENID_PROVIDER_URL=https://login.microsoftonline.com/xxx-xxx-xx-xx/v2.0/... WEBUI_SESSION_COOKIE_SAME_SITE=lax WEBUI_AUTH_COOKIE_SAME_SITE=lax WEBUI_AUTH_COOKIE_SECURE=True WEBUI_SESSION_COOKIE_SECURE=True ``` and updated to v0.6.28 But still the same behavior. Only difference is that I now also see the `oauth_id_token` and `oauth_session_id` cookies. But despite the fact that after authenticating @ MS I have a valid `token` cookie, I still am getting redirected back to the auth page. Only when I (temporarily, once) set the `token` cookie's `HttpOnly` to `false` am I successfully logged in and can use OWUI. J. <img width="918" height="213" alt="Image" src="https://github.com/user-attachments/assets/ab1999ba-d81e-42cb-8eb6-8a71a549fd4c" />
Author
Owner

@Classic298 commented on GitHub (Sep 13, 2025):

what reverse proxy do you use? how did you configure it

<!-- gh-comment-id:3288604208 --> @Classic298 commented on GitHub (Sep 13, 2025): what reverse proxy do you use? how did you configure it
Author
Owner

@jdeepwell commented on GitHub (Sep 13, 2025):

A have to use Apache.
We are using mod_md for TLS / Let's Encrypt and we are using TLS client certificates for additional auth.

MDomain ...
<VirtualHost *:443>
    ServerName ...

    # Configure SSL
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/apache2/...

    # Exclude oauth callback from requiring client certificate
    <Location "/oauth/microsoft/callback">
        SSLVerifyClient none
    </Location>

    # Proxy settings
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # Set additional headers
    RequestHeader set Host %{HTTP_HOST}s
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:3000/$1" [P,L]

    # Allow use of microphone
    Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(self),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"

    # Other settings
    ErrorLog ${APACHE_LOG_DIR}/openwebui_error.log
    CustomLog ${APACHE_LOG_DIR}/openwebui_access.log combined
</VirtualHost>

And here's the OWUI part of the docker-compose.yaml

  open-webui:
    image: ghcr.io/open-webui/open-webui:0.6.28
    container_name: ..._open-webui
    restart: unless-stopped
    ports:
      - "127.0.0.1:3000:8080"
    volumes:
      - open-webui:/app/backend/data
    env_file:
      - .env-openwebui
<!-- gh-comment-id:3288646786 --> @jdeepwell commented on GitHub (Sep 13, 2025): A have to use Apache. We are using `mod_md` for TLS / Let's Encrypt and we are using TLS client certificates for additional auth. ``` MDomain ... <VirtualHost *:443> ServerName ... # Configure SSL SSLEngine on SSLVerifyClient require SSLVerifyDepth 1 SSLCACertificateFile /etc/apache2/... # Exclude oauth callback from requiring client certificate <Location "/oauth/microsoft/callback"> SSLVerifyClient none </Location> # Proxy settings ProxyPreserveHost On ProxyPass / http://127.0.0.1:3000/ ProxyPassReverse / http://127.0.0.1:3000/ # Set additional headers RequestHeader set Host %{HTTP_HOST}s RequestHeader set X-Real-IP %{REMOTE_ADDR}s RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s RewriteEngine On RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteCond %{HTTP:Connection} upgrade [NC] RewriteRule ^/?(.*) "ws://localhost:3000/$1" [P,L] # Allow use of microphone Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(self),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" # Other settings ErrorLog ${APACHE_LOG_DIR}/openwebui_error.log CustomLog ${APACHE_LOG_DIR}/openwebui_access.log combined </VirtualHost> ``` And here's the OWUI part of the docker-compose.yaml ``` open-webui: image: ghcr.io/open-webui/open-webui:0.6.28 container_name: ..._open-webui restart: unless-stopped ports: - "127.0.0.1:3000:8080" volumes: - open-webui:/app/backend/data env_file: - .env-openwebui ```
Author
Owner

@Classic298 commented on GitHub (Sep 14, 2025):

@jdeepwell please try these:

WEBUI_SESSION_COOKIE_SECURE=false
WEBUI_AUTH_COOKIE_SECURE=false
WEBUI_SESSION_COOKIE_SAME_SITE=lax
WEBUI_AUTH_COOKIE_SAME_SITE=lax
ENABLE_OAUTH_PERSISTENT_CONFIG=false

and try these for apache

<VirtualHost *:443>
    # ... existing config ...
    
    # Proper header forwarding for OAuth
    ProxyPreserveHost On
    ProxyPassReverse / http://127.0.0.1:3000/
    ProxyPass / http://127.0.0.1:3000/
    
    # Essential headers for OAuth/SSO
    ProxyPassReverse / http://127.0.0.1:3000/
    ProxyPassReverse /oauth/ http://127.0.0.1:3000/oauth/
    
    # Don't cache OAuth endpoints
    <LocationMatch "^/(oauth|api|auth|login|callback)">
        Header unset ETag
        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    </LocationMatch>
    
    # Exclude OAuth Microsoft callback from client cert requirement
    <Location ~ "^/oauth/(microsoft|oidc)/callback">
        SSLVerifyClient none
    </Location>
</VirtualHost>
<!-- gh-comment-id:3289442668 --> @Classic298 commented on GitHub (Sep 14, 2025): @jdeepwell please try these: WEBUI_SESSION_COOKIE_SECURE=false WEBUI_AUTH_COOKIE_SECURE=false WEBUI_SESSION_COOKIE_SAME_SITE=lax WEBUI_AUTH_COOKIE_SAME_SITE=lax ENABLE_OAUTH_PERSISTENT_CONFIG=false and try these for apache ``` <VirtualHost *:443> # ... existing config ... # Proper header forwarding for OAuth ProxyPreserveHost On ProxyPassReverse / http://127.0.0.1:3000/ ProxyPass / http://127.0.0.1:3000/ # Essential headers for OAuth/SSO ProxyPassReverse / http://127.0.0.1:3000/ ProxyPassReverse /oauth/ http://127.0.0.1:3000/oauth/ # Don't cache OAuth endpoints <LocationMatch "^/(oauth|api|auth|login|callback)"> Header unset ETag Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" </LocationMatch> # Exclude OAuth Microsoft callback from client cert requirement <Location ~ "^/oauth/(microsoft|oidc)/callback"> SSLVerifyClient none </Location> </VirtualHost> ```
Author
Owner

@jdeepwell commented on GitHub (Sep 14, 2025):

@Classic298 many thx for your reply!

I tried the config you proposed - unfortunately without change in outcome.

So the main changes were

  • Session and OAuth cookies secure = false
  • No caching for oauth etc.
  • An additional reverse rule for the oauth path
  • and client cert exception for both OAuth variants, oidc and microsoft

The latter three I would assume could help if the OAuth process itself was the actual issue - but it very much seems that this is not the case. OAuth via Microsoft is successful! Otherwise I should not get a valid token cookie. And that token cookie really is valid, as when I just make it available to the client side JS (by setting its HttpOnly to false) I am successfully logged in.

As to the first one: I am not sure which "session cookies" these setting actually are referring to, but all cookies that end up in the browser still do have the secure set to true:

Image

As far as OWUI is concerned it actually is not a secure connection - the connection from the backend (OWUI) to the reverse proxy (Apache) is http only.

So the behavior still is the same: All of OAuth works fine. but at the very and I still am getting redirected (by some client side JS code) to the login page. Setting the token cookie's HttpOnly to false immediately works and I am successfully logged in (without having to go through OAuth again)

So I therefore tried adding this to the Apache config:

    # Remove the "HttpOnly" flag from the "token" cookie
    Header edit Set-Cookie "^((token)=[^;]*;[^H]*)(;\s*HttpOnly)(.*)" "$1$4"

and this works. I can clear all cookies, start the authentication process via Microsoft and am logged in nicely 👍

the only question is - why? 🤷‍♂️

Why is OWUI setting the HttpOnly flag in the token cookie when there seems to be some client side JS that needs to read it for a successful login?

<!-- gh-comment-id:3289642516 --> @jdeepwell commented on GitHub (Sep 14, 2025): @Classic298 many thx for your reply! I tried the config you proposed - unfortunately without change in outcome. So the main changes were - Session and OAuth cookies secure = false - No caching for oauth etc. - An additional reverse rule for the oauth path - and client cert exception for both OAuth variants, oidc _and_ microsoft The latter three I would assume could help if the OAuth process itself was the actual issue - but it very much seems that this is not the case. OAuth via Microsoft is successful! Otherwise I should not get a valid token cookie. And that token cookie really _is_ valid, as when I just make it available to the client side JS (by setting its HttpOnly to false) I am successfully logged in. As to the first one: I am not sure which "session cookies" these setting actually are referring to, but all cookies that end up in the browser still do have the secure set to true: <img width="877" height="147" alt="Image" src="https://github.com/user-attachments/assets/4a1f71ac-c5f8-43eb-801c-4b7c5074dcb6" /> As far as OWUI is concerned it actually _is not_ a secure connection - the connection from the backend (OWUI) to the reverse proxy (Apache) is http only. So the behavior still is the same: All of OAuth works fine. but at the very and I still am getting redirected (by some client side JS code) to the login page. Setting the `token` cookie's HttpOnly to false immediately works and I am successfully logged in (without having to go through OAuth again) So I therefore tried adding this to the Apache config: ``` # Remove the "HttpOnly" flag from the "token" cookie Header edit Set-Cookie "^((token)=[^;]*;[^H]*)(;\s*HttpOnly)(.*)" "$1$4" ``` and this works. I can clear all cookies, start the authentication process via Microsoft and am logged in nicely 👍 the only question is - why? 🤷‍♂️ Why is OWUI setting the HttpOnly flag in the token cookie when there seems to be some client side JS that needs to read it for a successful login?
Author
Owner

@Classic298 commented on GitHub (Sep 14, 2025):

@jdeepwell

try this: ENABLE_OAUTH_ID_TOKEN_COOKIE=false

As far as OWUI is concerned it actually is not a secure connection - the connection from the backend (OWUI) to the reverse proxy (Apache) is http only.

yes, as intended, and it's a non issue really

<!-- gh-comment-id:3289646133 --> @Classic298 commented on GitHub (Sep 14, 2025): @jdeepwell try this: ENABLE_OAUTH_ID_TOKEN_COOKIE=false > As far as OWUI is concerned it actually is not a secure connection - the connection from the backend (OWUI) to the reverse proxy (Apache) is http only. yes, as intended, and it's a non issue really
Author
Owner

@jdeepwell commented on GitHub (Sep 14, 2025):

@Classic298

Tried it - oauth_id_token is now missing in the browser. Other than that, same as before 😢

BTW: After one turnaround (clicking the "Continue with Microsoft" at the login page - full auth process @ MS - back to OWUI - redirect to login page again), clicking the "Continue with Microsoft" again only flashes the page (sends to MS and right back again)

<!-- gh-comment-id:3289661017 --> @jdeepwell commented on GitHub (Sep 14, 2025): @Classic298 Tried it - `oauth_id_token` is now missing in the browser. Other than that, same as before 😢 BTW: After one turnaround (clicking the "Continue with Microsoft" at the login page - full auth process @ MS - back to OWUI - redirect to login page again), clicking the "Continue with Microsoft" again only flashes the page (sends to MS and right back again)
Author
Owner

@Classic298 commented on GitHub (Sep 14, 2025):

@jdeepwell i know this is possibly out of scope for you, but can you try NGINX instead of apache for testing purposes?

Either way, this seems more and more like a communication issue from the backend to the frontend

The frontend code seemingly hasn't been fully updated to work without direct cookie access

<!-- gh-comment-id:3289665814 --> @Classic298 commented on GitHub (Sep 14, 2025): @jdeepwell i know this is possibly out of scope for you, but can you try NGINX instead of apache for testing purposes? Either way, this seems more and more like a communication issue from the backend to the frontend The frontend code seemingly hasn't been fully updated to work without direct cookie access
Author
Owner

@jdeepwell commented on GitHub (Sep 14, 2025):

I can try to setup some test server that is reachable from the web (to test OAuth) and play it with Nginx. Unfortunately that would not be a solution for me, as I am tied to Apache...😥

It's interesting that I have the very same issue with the LiteLLM UI...🤔 (even without OAuth there)

The frontend code seemingly hasn't been fully updated to work without direct cookie access

Yes, that sounds plausible. For now I will stick to the Header edit Set-Cookie... hack - especially because for some reason the cookie seems to get reset to HttpOnly=true by the frontend code anyway (after successful login), so my security concerns are moderate.

Thx again for your input @Classic298

<!-- gh-comment-id:3289679308 --> @jdeepwell commented on GitHub (Sep 14, 2025): I can try to setup some test server that is reachable from the web (to test OAuth) and play it with Nginx. Unfortunately that would not be a solution for me, as I am tied to Apache...😥 It's interesting that I have the very same issue with the LiteLLM UI...🤔 (even without OAuth there) > The frontend code seemingly hasn't been fully updated to work without direct cookie access Yes, that sounds plausible. For now I will stick to the `Header edit Set-Cookie...` hack - especially because for some reason the cookie seems to get reset to HttpOnly=true by the frontend code anyway (after successful login), so my security concerns are moderate. Thx again for your input @Classic298
Author
Owner

@AlexOrlov21 commented on GitHub (Sep 15, 2025):

@jdeepwell, try - OAUTH_USERNAME_CLAIM=whatever you use for username

It worked for my installation.

<!-- gh-comment-id:3293029841 --> @AlexOrlov21 commented on GitHub (Sep 15, 2025): @jdeepwell, try - OAUTH_USERNAME_CLAIM=*whatever you use for username* It worked for my installation.
Author
Owner

@jdeepwell commented on GitHub (Sep 16, 2025):

@AlexOrlov21 Thx for the tip - unfortunately same result: Sends me right back to the login page after successful auth @ MS...

<!-- gh-comment-id:3300072426 --> @jdeepwell commented on GitHub (Sep 16, 2025): @AlexOrlov21 Thx for the tip - unfortunately same result: Sends me right back to the login page after successful auth @ MS...
Author
Owner

@mpuzar commented on GitHub (Sep 19, 2025):

Ok, I can confirm that it is the HttpOnly parameter that is causing the problem. If I strip it away in haproxy (from all the cookies, while testing), I get in as expected and can seemingly use the application as before.

<!-- gh-comment-id:3311992743 --> @mpuzar commented on GitHub (Sep 19, 2025): Ok, I can confirm that it is the HttpOnly parameter that is causing the problem. If I strip it away in haproxy (from all the cookies, while testing), I get in as expected and can seemingly use the application as before.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#137944