[GH-ISSUE #6321] Unable to login with Oauth2-Proxy and Google IdP #14320

Closed
opened 2026-04-19 20:43:51 -05:00 by GiteaMirror · 0 comments

Originally created by @derek-assurity on GitHub (Oct 22, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/6321

Bug Report

Installation Method

Running using docker compose
docker-compose.yml

```yaml
# OAuth2 test 
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    ports:
      - 8082:4180
    volumes:
      - ./config:/config
    entrypoint: ["/bin/oauth2-proxy", "--config", "/config/oauth2-proxy.cfg"]

  open-webui:
    image: ghcr.io/open-webui/open-webui:0.3.30
    environment:
      ENABLE_LOGIN_FORM: 'false'
      OAUTH_MERGE_ACCOUNTS_BY_EMAIL: 'true'
      DEFAULT_USER_ROLE: 'user'
      WEBUI_AUTH_TRUSTED_EMAIL_HEADER: 'X-Auth-Request-Email'
      ENABLE_COMMUNITY_SHARING: 'false'
      ENABLE_MESSAGE_RATING: 'false'
      PORT: 8084
      ENABLE_OAUTH_SIGNUP: 'true'
      WEBUI_AUTH: 'false'
```

The config for OAuth2 is:

```toml
auth_logging = true
auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
client_id = "<REDACTED>.apps.googleusercontent.com"
client_secret = "<REDACTED>"
cookie_secret = "<REDACTED>"
cookie_secure = false
custom_templates_dir = "/config/web/"
email_domains = [
     "*"
]
http_address = "0.0.0.0:4180"
oidc_issuer_url = "https://oauth2.googleapis.com"
pass_access_token = true
pass_basic_auth = true
pass_user_headers = true
profile_url = "https://www.googleapis.com/oauth2/v1/userinfo"
provider = "google"
proxy_websockets = true
redirect_url = "http://localhost:8082/oauth2/callback"
request_logging = true
request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
scope = "openid email profile"
set_authorization_header = true
set_xauthrequest = true
skip_jwt_bearer_tokens = true
upstreams = [
     "http://open-webui:8084"
]
```

Environment

  • Open WebUI Version: v0.3.30

  • Ollama (if applicable): N/A

  • Operating System: macOS Sequoia 15.0.1

  • Browser (if applicable): Chrome Version 130.0.6723.58 (Official Build) (arm64)

Confirmation:

  • I have read and followed all the instructions provided in the README.md.
  • I am on the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

Should be logged into Open WebUI

Actual Behavior:

Getting the error message:

Your provider has not provided a trusted header. Please contact your administrator for assistance.

Description

Bug Summary:

Trying to run oauth2-proxy as reverse proxy in front of Open Web UI, following instructions -> https://docs.openwebui.com/tutorials/features/sso/#oauth2-proxy
Unfortunately, Open WebUI doesn't see the e-mail that is being set in the header. I've seen others have got this working, so not sure what I've misconfigured.

Reproduction Details

Steps to Reproduce:
Run the docker-compose provided and go to http://localhost:8082
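
One way to check which identity headers actually reach the upstream in a setup like the one reported above (an added example, not part of the original issue or of either project's code): a header-echo service that temporarily stands in for Open WebUI. Port 8084 and the trusted header name are taken from the compose file; the sample headers are constructed. oauth2-proxy's documentation describes `pass_user_headers` as sending `X-Forwarded-*` headers to the upstream and `set_xauthrequest` as setting `X-Auth-Request-*` response headers.

```python
"""Header-echo upstream for debugging trusted-header SSO (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header name Open WebUI is told to trust, as set in the compose file above.
TRUSTED_HEADER = "X-Auth-Request-Email"
# Header families a reverse proxy may use to convey identity to the upstream.
IDENTITY_PREFIXES = ("x-forwarded-", "x-auth-request-")
# Token-bearing headers are never echoed back, even on a debug endpoint.
REDACT = {"x-forwarded-access-token", "x-auth-request-access-token"}


def diagnose(headers, trusted=TRUSTED_HEADER):
    """Report whether `trusted` arrived and which proxy headers did."""
    seen = {k.lower(): v for k, v in headers.items()}
    identity = {
        name: ("<redacted>" if name in REDACT else value)
        for name, value in seen.items()
        if name.startswith(IDENTITY_PREFIXES)
    }
    return {
        "trusted_header": trusted,
        "trusted_header_present": trusted.lower() in seen,
        "identity_headers_received": identity,
    }


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Return the diagnosis as JSON instead of serving an application.
        body = json.dumps(diagnose(self.headers), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample: request headers from a proxy that forwards only the
# X-Forwarded-* identity headers to its upstream.
SAMPLE = {
    "Host": "open-webui:8084",
    "X-Forwarded-Email": "alice@example.com",
    "X-Forwarded-User": "1234567890",
    "X-Forwarded-Access-Token": "constructed-token-value",
}

if __name__ == "__main__":
    # Point `upstreams` at this service for the test, then browse via the proxy.
    HTTPServer(("0.0.0.0", 8084), EchoHandler).serve_forever()
```

Whatever header name the echo shows carrying the e-mail address is the name the application's trusted-header setting has to match; the upstream should stay unpublished on the host so that header can only be set by the proxy.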


Reference: github-starred/open-webui#14320