[GH-ISSUE #17678] issue: OAuth token after some time missing in tool calls #138092

Closed
opened 2026-05-25 09:21:20 -05:00 by GiteaMirror · 20 comments
Owner

Originally created by @koflerm on GitHub (Sep 23, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17678

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

v0.6.30

Ollama Version (if applicable)

No response

Operating System

Red Hat CoreOS (Kubernetes Cluster Installation)

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The oauth token should be always provided by the new tool call parameter __oauth_token__. If the token is expired, the token should either be refreshed or the user should be logged out.

Actual Behavior

We are using the following code in a test tool to print the OAuth token, provided via a parameter in the new Open WebUI version:

def get_oauth_token(
        self, __user__: dict = {}, __oauth_token__: Optional[dict] = None
    ) -> str:
        """
        Return the current user's oauth token
        """

        print(__oauth_token__["access_token"])

However, after the user is logged in for some time, this parameter is no longer set. I get then the following error:

'NoneType' object is not subscriptable

So it seems after some time the session for the user is lost, but the user is then not automatically logged out or the token is not refreshed.

Any idea what could be wrong here?

Steps to Reproduce

Import the following tool in your Open WebUI instance:

def get_oauth_token(
        self, __user__: dict = {}, __oauth_token__: Optional[dict] = None
    ) -> str:
        """
        Return the current user's oauth token
        """

        print(__oauth_token__["access_token"])

After direct login, the variable will be set.

If you try to re-execute the tool after some hours, the parameter will no longer be set (NoneType)

Logs & Screenshots

When querying the logs, I found at a different point in time (not when using the described tool) the following log messages:

/app/backend/open_webui/main.py:1478: RuntimeWarning: coroutine 'OAuthManager._refresh_token' was never awaited
form_data, metadata, events = await process_chat_payload(
RuntimeWarning: Enable tracemalloc to get the object allocation traceback

When a user is performing a login, the following logs are written:

2025-09-23 07:52:44.420 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/.well-known/openid-configuration "HTTP/1.1 200 OK"
2025-09-23 07:52:44.456 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/login HTTP/1.1" 302
2025-09-23 07:52:45.771 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https://sso.example.com/as/token.oauth2 "HTTP/1.1 200 OK"
2025-09-23 07:52:45.865 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/pf/JWKS "HTTP/1.1 200 OK"
2025-09-23 07:52:45.892 | INFO | open_webui.utils.oauth:handle_callback:853 - Stored OAuth session server-side for user 34a363e7-3629-4ace-aeb3-101812fc9ccc, provider oidc
2025-09-23 07:52:45.893 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/callback?code=uzKujWQgms7F1jFqdp2aS44jUtJn3Q4tW-w5DIFa&state=UPVQmqvUFExoYxmQR31KaC7eKZRU0h HTTP/1.1" 307
2025-09-23 07:52:46.021 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /manifest.json HTTP/1.1" 200

Additional Information

No response

Originally created by @koflerm on GitHub (Sep 23, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/17678 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Other ### Open WebUI Version v0.6.30 ### Ollama Version (if applicable) _No response_ ### Operating System Red Hat CoreOS (Kubernetes Cluster Installation) ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior The oauth token should be always provided by the new tool call parameter `__oauth_token__`. If the token is expired, the token should either be refreshed or the user should be logged out. ### Actual Behavior We are using the following code in a test tool to print the OAuth token, provided via a parameter in the new Open WebUI version: ``` def get_oauth_token( self, __user__: dict = {}, __oauth_token__: Optional[dict] = None ) -> str: """ Return the current user's oauth token """ print(__oauth_token__["access_token"]) ``` However, after the user is logged in for some time, this parameter is no longer set. I get then the following error: `'NoneType' object is not subscriptable` So it seems after some time the session for the user is lost, but the user is then not automatically logged out or the token is not refreshed. Any idea what could be wrong here? ### Steps to Reproduce Import the following tool in your Open WebUI instance: ``` def get_oauth_token( self, __user__: dict = {}, __oauth_token__: Optional[dict] = None ) -> str: """ Return the current user's oauth token """ print(__oauth_token__["access_token"]) ``` After direct login, the variable will be set. If you try to re-execute the tool after some hours, the parameter will no longer be set (NoneType) ### Logs & Screenshots When querying the logs, I found at a different point in time (not when using the described tool) the following log messages: ``` /app/backend/open_webui/main.py:1478: RuntimeWarning: coroutine 'OAuthManager._refresh_token' was never awaited form_data, metadata, events = await process_chat_payload( RuntimeWarning: Enable tracemalloc to get the object allocation traceback ``` When a user is performing a login, the following logs are written: ``` 2025-09-23 07:52:44.420 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/.well-known/openid-configuration "HTTP/1.1 200 OK" 2025-09-23 07:52:44.456 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/login HTTP/1.1" 302 2025-09-23 07:52:45.771 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https://sso.example.com/as/token.oauth2 "HTTP/1.1 200 OK" 2025-09-23 07:52:45.865 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/pf/JWKS "HTTP/1.1 200 OK" 2025-09-23 07:52:45.892 | INFO | open_webui.utils.oauth:handle_callback:853 - Stored OAuth session server-side for user 34a363e7-3629-4ace-aeb3-101812fc9ccc, provider oidc 2025-09-23 07:52:45.893 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/callback?code=uzKujWQgms7F1jFqdp2aS44jUtJn3Q4tW-w5DIFa&state=UPVQmqvUFExoYxmQR31KaC7eKZRU0h HTTP/1.1" 307 2025-09-23 07:52:46.021 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /manifest.json HTTP/1.1" 200 ``` ### Additional Information _No response_
GiteaMirror added the bug label 2026-05-25 09:21:20 -05:00
Author
Owner

@tjbck commented on GitHub (Sep 23, 2025):

This has been addressed in dev, please check for duplicate issues.

<!-- gh-comment-id:3325233223 --> @tjbck commented on GitHub (Sep 23, 2025): This has been addressed in dev, please check for duplicate issues.
Author
Owner

@koflerm commented on GitHub (Oct 6, 2025):

All right sorry oversaw this one thanks for the fast response as always!

<!-- gh-comment-id:3370431553 --> @koflerm commented on GitHub (Oct 6, 2025): All right sorry oversaw this one thanks for the fast response as always!
Author
Owner

@djmaze commented on GitHub (Nov 13, 2025):

Is this really fixed? Saw this just today with v0.6.36.

<!-- gh-comment-id:3530069897 --> @djmaze commented on GitHub (Nov 13, 2025): Is this really fixed? Saw this just today with v0.6.36.
Author
Owner

@koflerm commented on GitHub (Nov 19, 2025):

From our perspective it is also still a problem with v0.6.33, not sure if it was fixed in more recent versions but I guess as you see the issue with v0.6.36, it is still an open issue.

@tjbck can we re-open this issue?

<!-- gh-comment-id:3553064149 --> @koflerm commented on GitHub (Nov 19, 2025): From our perspective it is also still a problem with v0.6.33, not sure if it was fixed in more recent versions but I guess as you see the issue with v0.6.36, it is still an open issue. @tjbck can we re-open this issue?
Author
Owner

@aKardasz commented on GitHub (Jan 14, 2026):

Running into the same issue or similar using Microsoft for auth in 0.7.1

<!-- gh-comment-id:3750069495 --> @aKardasz commented on GitHub (Jan 14, 2026): Running into the same issue or similar using Microsoft for auth in 0.7.1
Author
Owner

@deepsweech commented on GitHub (Feb 17, 2026):

I have the same issue now in 0.7.2. The following day, refreshed the page, auto logged in as expected. oauth_token is None. This will only be fixed if I manually logout and login again.

<!-- gh-comment-id:3915989200 --> @deepsweech commented on GitHub (Feb 17, 2026): I have the same issue now in 0.7.2. The following day, refreshed the page, auto logged in as expected. __oauth_token__ is None. This will only be fixed if I manually logout and login again.
Author
Owner

@Classic298 commented on GitHub (Feb 17, 2026):

@deepsweech whats your oauth scope

<!-- gh-comment-id:3916149210 --> @Classic298 commented on GitHub (Feb 17, 2026): @deepsweech whats your oauth scope
Author
Owner

@deepsweech commented on GitHub (Feb 18, 2026):

@deepsweech whats your oauth scope

openid email profile i added offline_access but it is still the same.

<!-- gh-comment-id:3921740972 --> @deepsweech commented on GitHub (Feb 18, 2026): > [@deepsweech](https://github.com/deepsweech) whats your oauth scope `openid email profile` i added `offline_access` but it is still the same.
Author
Owner

@Classic298 commented on GitHub (Feb 18, 2026):

Did you log out and delete all cookies and local storage and everything after adding offline access

<!-- gh-comment-id:3921817452 --> @Classic298 commented on GitHub (Feb 18, 2026): Did you log out and delete all cookies and local storage and everything after adding offline access
Author
Owner

@deepsweech commented on GitHub (Feb 18, 2026):

Did you log out and delete all cookies and local storage and everything after adding offline access

Is this a tested solution? I did not logout/delete cookies storage. I opened a new browser(edge) that i'm not using and logged in. will try again later and see if it's just old cache.

<!-- gh-comment-id:3922311732 --> @deepsweech commented on GitHub (Feb 18, 2026): > Did you log out and delete all cookies and local storage and everything after adding offline access Is this a tested solution? I did not logout/delete cookies storage. I opened a new browser(edge) that i'm not using and logged in. will try again later and see if it's just old cache.
Author
Owner

@Classic298 commented on GitHub (Feb 18, 2026):

It's just to ensure you get a new token

<!-- gh-comment-id:3922575196 --> @Classic298 commented on GitHub (Feb 18, 2026): It's just to ensure you get a new token
Author
Owner

@deepsweech commented on GitHub (Feb 19, 2026):

It's just to ensure you get a new token

Update: Issue still persists.

<!-- gh-comment-id:3927590123 --> @deepsweech commented on GitHub (Feb 19, 2026): > It's just to ensure you get a new token Update: Issue still persists.
Author
Owner

@deepsweech commented on GitHub (Feb 19, 2026):

@tjbck can we re-open this issue?

<!-- gh-comment-id:3928660712 --> @deepsweech commented on GitHub (Feb 19, 2026): @tjbck can we re-open this issue?
Author
Owner

@deepsweech commented on GitHub (Feb 20, 2026):

This solutions works: Use request instead of __oauth_token__. __request__.cookies.get("oauth_id_token") also contains the access_token.

<!-- gh-comment-id:3934917022 --> @deepsweech commented on GitHub (Feb 20, 2026): This solutions works: Use __request__ instead of `__oauth_token__`. `__request__.cookies.get("oauth_id_token")` also contains the access_token.
Author
Owner

@Classic298 commented on GitHub (Feb 20, 2026):

feel free to PR

<!-- gh-comment-id:3935458548 --> @Classic298 commented on GitHub (Feb 20, 2026): feel free to PR
Author
Owner

@deepsweech commented on GitHub (Feb 20, 2026):

feel free to PR

This is not an actual code fix. This is just a solution to avoid the bug and this issue still is present in version 0.7.2

<!-- gh-comment-id:3936588491 --> @deepsweech commented on GitHub (Feb 20, 2026): > feel free to PR This is not an actual code fix. This is just a solution to avoid the bug and this issue still is present in version 0.7.2
Author
Owner

@Classic298 commented on GitHub (Feb 20, 2026):

@deepsweech https://github.com/open-webui/open-webui/pull/21666

<!-- gh-comment-id:3936661523 --> @Classic298 commented on GitHub (Feb 20, 2026): @deepsweech https://github.com/open-webui/open-webui/pull/21666
Author
Owner

@Classic298 commented on GitHub (Feb 21, 2026):

@deepsweech feel free to test and also comment under the PR
functionally it should work, but please do test and report under PR and vouch for it FWIW

<!-- gh-comment-id:3939206885 --> @Classic298 commented on GitHub (Feb 21, 2026): @deepsweech feel free to test and also comment under the PR functionally it should work, but please do test and report under PR and vouch for it FWIW
Author
Owner

@Classic298 commented on GitHub (Mar 15, 2026):

@koflerm testing wanted

<!-- gh-comment-id:4062740908 --> @Classic298 commented on GitHub (Mar 15, 2026): @koflerm testing wanted
Author
Owner

@Classic298 commented on GitHub (Mar 28, 2026):

nobody was willing to test the PR - so i will not rebase and keep working on it.

But besides, if there's no demand for getting this fully fixed (see lack of interaction), i'll move this to discussions for now.

<!-- gh-comment-id:4148837318 --> @Classic298 commented on GitHub (Mar 28, 2026): nobody was willing to test the PR - so i will not rebase and keep working on it. But besides, if there's no demand for getting this fully fixed (see lack of interaction), i'll move this to discussions for now.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#138092