[GH-ISSUE #12325] issue: Microsoft SSO Profile Pictures Causing Severe Performance Degradation in Admin Panels #16556

New Issue

Closed

opened 2026-04-19 22:27:10 -05:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-04-19 22:27:10 -05:00

Owner

Copy Link

Originally created by @MushroomLamp-COB on GitHub (Apr 2, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/12325

Check Existing Issues

• I have searched the existing issues and discussions.
• I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.6.0

Ollama Version (if applicable)

NA

Operating System

Amazon Linux (EC2, Docker container)

Browser (if applicable)

NA

Confirmation

• I have read and followed all instructions in README.md.
• I am using the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have listed steps to reproduce the bug in detail.

Expected Behavior

Microsoft SSO authentication should work efficiently without causing significant performance degradation.
There should be an option to use default profile images instead of loading images from the OAuth provider.
When setting a non-existent claim in OAUTH_PICTURE_CLAIM, it should fall back to the default user image rather than the provider's picture URL

Actual Behavior

Microsoft SSO authentication works, but it causes extreme performance issues when loading user data.
The Knowledgebase section and Users section in the admin panel for us took approximately 30 seconds to load just 5 users, pulling large base64 strings. (there are some large images in our tenancy)

Setting OAUTH_PICTURE_CLAIM to a non-existent claim (e.g., "no-claim") doesn't work as expected because the code falls back to the provider's picture URL rather than using the default image.
The application retrieves full-size profile pictures (1-10MB) rather than thumbnails, causing significant load times.

Steps to Reproduce

1. Set up Open WebUI v0.6.0 with Docker on EC2 (Amazon Linux)
2. Use external postgres database
3. Configure Microsoft Entra SSO integration with the proper environment variables
4. Have users authenticate with Microsoft SSO
5. Attempt to access the Knowledgebase section or Users section in the admin panel
6. Observe longer than expected load times for the knowledgebase, and users section in admin panel
7. Attempt to resolve by setting OAUTH_PICTURE_CLAIM="no-claim" in your environment variables
8. Notice that this doesn't resolve the issue as the code falls back to the OAuth provider's hardcoded picture URL (OAUTH_PROVIDERS)

Logs & Screenshots

NA

Additional Information

Root Cause:
The issue is in backend/open_webui/utils/oauth.py at line 330, where the code is designed to fall back to the OAuth provider's picture URL rather than an empty string when the specified claim doesn't exist:

picture_url = user_data.get( picture_claim, OAUTH_PROVIDERS[provider].get("picture_url", "")

This means that when OAUTH_PICTURE_CLAIM is set to a non-existent claim, instead of using an empty string (which would trigger the default user image), it falls back to whatever is defined in
OAUTH_PROVIDERS[provider].get("picture_url", "").

Solution:
Change line 330 in backend/open_webui/utils/oauth.py from:

picture_url = user_data.get( picture_claim, OAUTH_PROVIDERS[provider].get("picture_url", "")

To:

picture_url = user_data.get(picture_claim, "")

This change ensures that when a claim doesn't exist, it falls back to an empty string, which causes the application to use the default user image (user.png) instead of attempting to load the images from Microsoft Entra.

I think that a better solution would be to create an environment variable for OAUTH_USE_PICTURE_CLAIM (bool) to toggle between using the picture claim, or the user.png

Originally created by @MushroomLamp-COB on GitHub (Apr 2, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/12325 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version v0.6.0 ### Ollama Version (if applicable) NA ### Operating System Amazon Linux (EC2, Docker container) ### Browser (if applicable) NA ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have listed steps to reproduce the bug in detail. ### Expected Behavior Microsoft SSO authentication should work efficiently without causing significant performance degradation. There should be an option to use default profile images instead of loading images from the OAuth provider. When setting a non-existent claim in OAUTH_PICTURE_CLAIM, it should fall back to the default user image rather than the provider's picture URL ### Actual Behavior Microsoft SSO authentication works, but it causes extreme performance issues when loading user data. The Knowledgebase section and Users section in the admin panel for us took approximately 30 seconds to load just 5 users, pulling large base64 strings. (there are some large images in our tenancy) Setting OAUTH_PICTURE_CLAIM to a non-existent claim (e.g., "no-claim") doesn't work as expected because the code falls back to the provider's picture URL rather than using the default image. The application retrieves full-size profile pictures (1-10MB) rather than thumbnails, causing significant load times. ### Steps to Reproduce 1. Set up Open WebUI v0.6.0 with Docker on EC2 (Amazon Linux) 2. Use external postgres database 3. Configure Microsoft Entra SSO integration with the proper environment variables 4. Have users authenticate with Microsoft SSO 5. Attempt to access the Knowledgebase section or Users section in the admin panel 6. Observe longer than expected load times for the knowledgebase, and users section in admin panel 7. Attempt to resolve by setting OAUTH_PICTURE_CLAIM="no-claim" in your environment variables 8. Notice that this doesn't resolve the issue as the code falls back to the OAuth provider's hardcoded picture URL (OAUTH_PROVIDERS) ### Logs & Screenshots NA ### Additional Information Root Cause: The issue is in backend/open_webui/utils/oauth.py at line 330, where the code is designed to fall back to the OAuth provider's picture URL rather than an empty string when the specified claim doesn't exist: `picture_url = user_data.get( picture_claim, OAUTH_PROVIDERS[provider].get("picture_url", "")` This means that when OAUTH_PICTURE_CLAIM is set to a non-existent claim, instead of using an empty string (which would trigger the default user image), it falls back to whatever is defined in `OAUTH_PROVIDERS[provider].get("picture_url", "").` Solution: Change line 330 in backend/open_webui/utils/oauth.py from: `picture_url = user_data.get( picture_claim, OAUTH_PROVIDERS[provider].get("picture_url", "")` To: `picture_url = user_data.get(picture_claim, "")` This change ensures that when a claim doesn't exist, it falls back to an empty string, which causes the application to use the default user image (user.png) instead of attempting to load the images from Microsoft Entra. I think that a better solution would be to create an environment variable for OAUTH_USE_PICTURE_CLAIM (bool) to toggle between using the picture claim, or the user.png

GiteaMirror added the bug label 2026-04-19 22:27:10 -05:00

GiteaMirror closed this issue 2026-04-19 22:27:11 -05:00

GiteaMirror commented 2026-04-19 22:27:12 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Apr 2, 2025):

PR Welcome.

<!-- gh-comment-id:2772302290 --> @tjbck commented on GitHub (Apr 2, 2025): PR Welcome.

GiteaMirror commented 2026-04-19 22:27:12 -05:00

Author

Owner

Copy Link

@MushroomLamp-COB commented on GitHub (Apr 3, 2025):

PR Welcome.

Thanks, PR raised
#12376

This is my first PR, hopefully all is ok!

<!-- gh-comment-id:2774133458 --> @MushroomLamp-COB commented on GitHub (Apr 3, 2025): > PR Welcome. Thanks, PR raised #12376 This is my first PR, hopefully all is ok!

GiteaMirror commented 2026-04-19 22:27:13 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Apr 3, 2025):

7a1e10f3a7

Removed OAUTH_USE_PICTURE_CLAIM in favour of setting OAUTH_PICTURE_CLAIM to empty string. Thanks!

<!-- gh-comment-id:2774200829 --> @tjbck commented on GitHub (Apr 3, 2025): 7a1e10f3a79912088b55edd9bd892500da163d7d Removed `OAUTH_USE_PICTURE_CLAIM` in favour of setting `OAUTH_PICTURE_CLAIM` to empty string. Thanks!

GiteaMirror commented 2026-04-19 22:27:13 -05:00

Author

Owner

Copy Link

@MushroomLamp-COB commented on GitHub (Apr 3, 2025):

7a1e10f

Removed OAUTH_USE_PICTURE_CLAIM in favour of setting OAUTH_PICTURE_CLAIM to empty string. Thanks!

Thanks @tjbck

Does this mean we will set OAUTH_PICTURE_CLAIM rather than use a OAUTH_USE_PICTURE_CLAIM env going forward?

<!-- gh-comment-id:2774309753 --> @MushroomLamp-COB commented on GitHub (Apr 3, 2025): > [7a1e10f](https://github.com/open-webui/open-webui/commit/7a1e10f3a79912088b55edd9bd892500da163d7d) > > Removed `OAUTH_USE_PICTURE_CLAIM` in favour of setting `OAUTH_PICTURE_CLAIM` to empty string. Thanks! Thanks @tjbck Does this mean we will set OAUTH_PICTURE_CLAIM rather than use a OAUTH_USE_PICTURE_CLAIM env going forward?

GiteaMirror commented 2026-04-19 22:27:13 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Apr 3, 2025):

Yep! (e.g. OAUTH_PICTURE_CLAIM="")

<!-- gh-comment-id:2774328084 --> @tjbck commented on GitHub (Apr 3, 2025): Yep! (e.g. `OAUTH_PICTURE_CLAIM=""`)

GiteaMirror referenced this issue 2026-04-19 23:51:29 -05:00

[GH-ISSUE #16556] issue: Dependency conflict with @tiptap/core prevents clean installation without --force #17957

GiteaMirror referenced this issue 2026-04-25 07:24:25 -05:00

[GH-ISSUE #16556] issue: Dependency conflict with @tiptap/core prevents clean installation without --force #33486

GiteaMirror referenced this issue 2026-05-05 19:49:37 -05:00

[GH-ISSUE #16556] issue: Dependency conflict with @tiptap/core prevents clean installation without --force #56623

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#16556