mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[GH-ISSUE #17510] User role from OAuth Entra ID assignment fails for users with more than 200 AD groups #138040
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @TeodoraBrotea on GitHub (Sep 17, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17510
Check Existing Issues
Installation Method
Docker
Open WebUI Version
v0.6.28
Ollama Version (if applicable)
No response
Operating System
Ubuntu 22.04
Browser (if applicable)
No response
Confirmation
README.md.Expected Behavior
Enabling OIDC and setting
OAUTH_ROLES_CLAIMto groups, would allow users to login and get an assigned role either as admin or users based on their group membership. Also, as a caution measure,DEFAULT_USER_ROLEwould be set topendingso that users who are not members of the AD groups listed inOAUTH_ADMIN_ROLESandOAUTH_ALLOWED_ROLESwon't be able to access OpenWebUI.Actual Behavior
We have discovered a limitation during OAuth during the authorization process regarding the retrieval of Active Directory (AD) groups. This limitation affects users who are members of a large number of groups and impacts the role assignment functionality. The affected users are mainly the ones who belong to approximately 200 or more AD groups. Groups are not visible during the authorization process and role assignment based on AD groups fails to function properly. The effect is that users are automatically redirected to the default user role instead of their intended role.
Steps to Reproduce
Logs & Screenshots
Less than 180 AD groups:
Around 200 AD groups:
Additional Information
We believe that the issue is related to the
overage claimof Entra ID, but this is currently not supported in OpenWebUI. Implementing a solution for supporting the overage claim, more than 200 AD groups, would solve the issue.Reference: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/get-signed-in-users-groups-in-access-token
@tusharrrr1 commented on GitHub (Sep 18, 2025):
Implement support for overage claims by:
1)Detecting the hasgroups claim.
2)Calling Microsoft Graph API to retrieve the user’s full group membership.
3)Using that data for role assignment.
Allow me to work on this if possible
@beng90 commented on GitHub (Oct 20, 2025):
I've experienced the same problem. Any workaround?
@Ruben-Wien commented on GitHub (Dec 22, 2025):
Hi, I may have a workaround (not a fix) based on how we configured Entra ID group/role forwarding to OpenWebUI.
What we did:
For the
OAUTH_ROLES_CLAIMmapping, we used the default claim (roles) instead of trying to forward all Entra groups.In Entra ID, we went to the Enterprise Application and explicitly assigned only the groups we actually want to pass through to OpenWebUI, and assigned them the appropriate app role:
Enterprise Applications → Your App → Users and groups
Add the selected groups and assign them the app role User or Admin.
Result: Not all groups are forwarded—only the groups explicitly assigned in Entra ID. This avoids the “too many groups” / token size issues and worked well for us.
This should also be automatable via a Terraform script.
My Config:
OAUTH_ROLES_CLAIM=roles
ENABLE_OAUTH_GROUP_MANAGEMENT=true
ENABLE_OAUTH_GROUP_CREATION=true
OAUTH_GROUP_CLAIM=groups
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_ALLOWED_ROLES=user,admin
OAUTH_ADMIN_ROLES=admin