[GH-ISSUE #10225] Bearer token being injected into calls to /api/models and /api/v1/users/user/settings breaking reverse proxy #15816

Closed
opened 2026-04-19 21:55:43 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @blevz on GitHub (Feb 18, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/10225

Bug Report

Installation Method

Deploying to k8s using the official image v0.5.11

Environment

  • Open WebUI Version: v0.5.11

Confirmation:

  • I have read and followed all the instructions provided in the README.md.
  • I am on the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

Bearer tokens are not injected when trusted headers are in use. Or maybe some other method exists to tell the ui not to inject its own auth when auth is being handled by a reverse proxy.

Actual Behavior:

The jwt injected into the bearer auth header is invalid and nested by my reverse proxy, breaking the ui

Description

Bug Summary:
[Provide a brief but clear summary of the bug]

Reproduction Details

Steps to Reproduce:
[Outline the steps to reproduce the bug. Be as detailed as possible.]

Logs and Screenshots

Browser Console Logs:
[Include relevant browser console logs, if applicable]

Docker Container Logs:
[Include relevant Docker container logs, if applicable]

Screenshots/Screen Recordings (if applicable):
[Attach any relevant screenshots to help illustrate the issue]

Additional Information

[Include any additional details that may help in understanding and reproducing the issue. This could include specific configurations, error messages, or anything else relevant to the bug.]

Originally created by @blevz on GitHub (Feb 18, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/10225 # Bug Report ## Installation Method Deploying to k8s using the official image v0.5.11 ## Environment - **Open WebUI Version:** v0.5.11 **Confirmation:** - [x] I have read and followed all the instructions provided in the README.md. - [x] I am on the latest version of both Open WebUI and Ollama. - [ ] I have included the browser console logs. - [ ] I have included the Docker container logs. - [ ] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below. ## Expected Behavior: Bearer tokens are not injected when trusted headers are in use. Or maybe some other method exists to tell the ui not to inject its own auth when auth is being handled by a reverse proxy. ## Actual Behavior: The jwt injected into the bearer auth header is invalid and nested by my reverse proxy, breaking the ui ## Description **Bug Summary:** [Provide a brief but clear summary of the bug] ## Reproduction Details **Steps to Reproduce:** [Outline the steps to reproduce the bug. Be as detailed as possible.] ## Logs and Screenshots **Browser Console Logs:** [Include relevant browser console logs, if applicable] **Docker Container Logs:** [Include relevant Docker container logs, if applicable] **Screenshots/Screen Recordings (if applicable):** [Attach any relevant screenshots to help illustrate the issue] ## Additional Information [Include any additional details that may help in understanding and reproducing the issue. This could include specific configurations, error messages, or anything else relevant to the bug.]
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#15816