[GH-ISSUE #8817] User's groups are not sync after OIDC login #15277

Closed
opened 2026-04-19 21:32:42 -05:00 by GiteaMirror · 1 comment

Originally created by @ohmer1 on GitHub (Jan 23, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/8817

Bug Report

Installation Method

uvx

Environment

  • Open WebUI Version: 0.5.6

  • Ollama (if applicable):

  • Operating System: ubuntu 22.04

  • Browser (if applicable):

Confirmation:

  • [x] I have read and followed all the instructions provided in the README.md.
  • [x] I am on the latest version of both Open WebUI and Ollama.
  • [ ] I have included the browser console logs.
  • [ ] I have included the Docker container logs.
  • [x] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

User's groups should be synced after OIDC login.

Actual Behavior:

User is not added to any groups.

Description

Bug Summary:
User's groups are not synced after OIDC login

Reproduction Details

Steps to Reproduce:

Launch script extract:

```bash
export ENABLE_SIGNUP=False
export ENABLE_OAUTH_SIGNUP=True
export ENABLE_LOGIN_FORM=False
export ENABLE_OAUTH_GROUP_MANAGEMENT=True
export OAUTH_MERGE_ACCOUNTS_BY_EMAIL=True
export OAUTH_CLIENT_ID="xxxx"
export OAUTH_CLIENT_SECRET="xxxx"
export OPENID_PROVIDER_URL="https://auth.xxxxxx.xxx/.well-known/openid-configuration"
export OAUTH_PROVIDER_NAME="SSO"
export OAUTH_SCOPES="openid email profile"
export OAUTH_GROUP_CLAIM="groups"

uvx --python 3.11 open-webui@latest serve
```

Additional Information

I edited utils/oauth.py to add OAuth debug information at line 220:

```python
log.warning(f"duff test: {user_data}")
```

This logs the following; we can see the groups claim is there as expected:

```
Jan 23 10:50:10 openwebui start.sh[354627]: WARNI [open_webui.utils.oauth] duff test: {'acr': 'loa-2', 'iat': 1737647410, 'preferred_username': 'ohmer', 'email': 'ohmer@xxxx', 'auth_time': 1737647407, 'azp': 'xxxx', 'aud': ['xxxx'], 'groups': ['group1', 'group2', 'group3', 'group4'], 'iss': 'https://auth.xxxx.xx', 'nonce': 'xxxx', 'exp': 1737651010, 'sid': 'xxxx', 'sub': 'ohmer', 'at_hash': 'xxx', 'name': 'ohmer'}
```

Note

If the bug report is incomplete or does not follow the provided instructions, it may not be addressed. Please ensure that you have followed the steps outlined in the README.md and troubleshooting.md documents, and provide all necessary information for us to reproduce and address the issue. Thank you!


@ohmer1 commented on GitHub (Jan 23, 2025):

Hum, so it appears it works fine for non-admin users.
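
A triage aid for a report like this one, added here as an example and not taken from the issue or from Open WebUI's code: it parses the logged claims, checks that the claim named by OAUTH_GROUP_CLAIM is a list of strings, and computes which memberships a sync would add or remove. The function names, the `existing_groups` and `current` inputs, and the `skip_roles` parameter are hypothetical; `skip_roles` only models the admin/non-admin difference reported in the comment and is an assumption, not confirmed project behaviour.

```python
import ast

# Constructed sample modelled on the debug line in the report (not real data).
SAMPLE_LOG = (
    "Jan 23 10:50:10 openwebui start.sh[354627]: WARNI [open_webui.utils.oauth] "
    "duff test: {'preferred_username': 'ohmer', 'email': 'ohmer@example.invalid', "
    "'groups': ['group1', 'group2', 'group3', 'group4'], 'sub': 'ohmer'}"
)


def claims_from_log(line, marker="duff test: "):
    """Recover the claims dict from a repr()-style debug log line."""
    _, sep, payload = line.partition(marker)
    if not sep:
        raise ValueError("marker not found in log line")
    claims = ast.literal_eval(payload.strip())  # literals only, never eval()
    if not isinstance(claims, dict):
        raise ValueError("logged payload is not a dict")
    return claims


def groups_from_claims(claims, claim_name="groups"):
    """Return sorted group names, rejecting shapes a sync could misread."""
    value = claims.get(claim_name)
    if value is None:
        return []  # claim absent: check requested scopes and the IdP claim mapping
    if not isinstance(value, (list, tuple)) or not all(
        isinstance(g, str) for g in value
    ):
        raise TypeError(f"{claim_name!r} must be a list of strings, got {value!r}")
    return sorted(set(value))


def plan_sync(claim_groups, existing_groups, current, role, skip_roles=()):
    """Compute (to_add, to_remove); groups that do not exist locally are ignored."""
    if role in skip_roles:  # assumption: some roles may be exempt from sync
        return [], []
    wanted = set(claim_groups) & set(existing_groups)
    return sorted(wanted - set(current)), sorted(set(current) - wanted)
```

An empty plan for a user whose claim is well-formed points at a role exemption or at group names that do not match any group defined in the application.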

Reference: github-starred/open-webui#15277