[GH-ISSUE #12392] feat: Allow some way of manual group assignments when using OAUTH_GROUP_MANAGEMENT #16580

New Issue

Open

opened 2026-04-19 22:28:25 -05:00 by GiteaMirror · 8 comments

GiteaMirror commented 2026-04-19 22:28:25 -05:00

Owner

Copy Link

Originally created by @Ithanil on GitHub (Apr 3, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/12392

Check Existing Issues

• I have searched the existing issues and discussions.

Problem Description

When using OAUTH_GROUP_MANAGEMENT , any manual assignment of users to groups will be overriden upon next login of that user. This makes it impossible to manage user groups without relying on oauth claims.

Originally, I have interpreted the behavior as a completely different issue: https://github.com/open-webui/open-webui/issues/12306 and I'm sorry for my stupidity.

Desired Solution you'd like

In the envs for oauth group management, there should be a whitelist of groups to be managed or a blacklist of groups not to be managed.

Alternatives Considered

No response

Additional Context

No response

Originally created by @Ithanil on GitHub (Apr 3, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/12392 ### Check Existing Issues - [x] I have searched the existing issues and discussions. ### Problem Description When using OAUTH_GROUP_MANAGEMENT , any manual assignment of users to groups will be overriden upon next login of that user. This makes it impossible to manage user groups without relying on oauth claims. Originally, I have interpreted the behavior as a completely different issue: https://github.com/open-webui/open-webui/issues/12306 and I'm sorry for my stupidity. ### Desired Solution you'd like In the envs for oauth group management, there should be a whitelist of groups to be managed or a blacklist of groups not to be managed. ### Alternatives Considered _No response_ ### Additional Context _No response_

GiteaMirror commented 2026-04-19 22:28:27 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Apr 3, 2025):

PR Welcome here!

<!-- gh-comment-id:2776417604 --> @tjbck commented on GitHub (Apr 3, 2025): PR Welcome here!

GiteaMirror commented 2026-04-19 22:28:29 -05:00

Author

Owner

Copy Link

@dotmobo commented on GitHub (Apr 16, 2025):

+1

I have to managed extra groups with extra permissions and models. It would be a nice feature.

<!-- gh-comment-id:2809299877 --> @dotmobo commented on GitHub (Apr 16, 2025): +1 I have to managed extra groups with extra permissions and models. It would be a nice feature.

GiteaMirror commented 2026-04-19 22:28:31 -05:00

Author

Owner

Copy Link

@dotmobo commented on GitHub (Apr 17, 2025):

Well, i made a little PR here with a blacklist env variables : https://github.com/open-webui/open-webui/pull/12957

<!-- gh-comment-id:2812330002 --> @dotmobo commented on GitHub (Apr 17, 2025): Well, i made a little PR here with a blacklist env variables : https://github.com/open-webui/open-webui/pull/12957

GiteaMirror commented 2026-04-19 22:28:32 -05:00

Author

Owner

Copy Link

@taylorwilsdon commented on GitHub (Apr 20, 2025):

Well, i made a little PR here with a blacklist env variables : #12957

I was just about to start something with a different approach but I actually think this might be the better way. If we expose the "don't sync" list as an input in the admin panel in the same way as the other oauth settings like this https://github.com/open-webui/open-webui/pull/12945 it would be a sensible way to manage local sync groups. Anything else is going to require a more complicated approach that creates a linkage between IDP mastery and specific groups, and this is basically just the inverse with less scaffolding which imo is a sensible approach. @dotmobo let me know if I can help with anything there!

<!-- gh-comment-id:2817201263 --> @taylorwilsdon commented on GitHub (Apr 20, 2025): > Well, i made a little PR here with a blacklist env variables : [#12957](https://github.com/open-webui/open-webui/pull/12957) I was just about to start something with a different approach but I actually think this might be the better way. If we expose the "don't sync" list as an input in the admin panel in the same way as the other oauth settings like this https://github.com/open-webui/open-webui/pull/12945 it would be a sensible way to manage local sync groups. Anything else is going to require a more complicated approach that creates a linkage between IDP mastery and specific groups, and this is basically just the inverse with less scaffolding which imo is a sensible approach. @dotmobo let me know if I can help with anything there!

GiteaMirror commented 2026-04-19 22:28:33 -05:00

Author

Owner

Copy Link

@dotmobo commented on GitHub (Apr 20, 2025):

Thanks for your comment! I'm still waiting for approval from a maintainer, but of course, after that, it could be a great idea to add the feature to the #12945 admin management. Basically, I used a blacklist approach to minimize the impact on the current source code and avoid breaking changes.

<!-- gh-comment-id:2817315707 --> @dotmobo commented on GitHub (Apr 20, 2025): Thanks for your comment! I'm still waiting for approval from a maintainer, but of course, after that, it could be a great idea to add the feature to the #12945 admin management. Basically, I used a blacklist approach to minimize the impact on the current source code and avoid breaking changes.

GiteaMirror commented 2026-04-19 22:28:35 -05:00

Author

Owner

Copy Link

@wggcch commented on GitHub (Sep 4, 2025):

i created an PR #17196 would this also help?

<!-- gh-comment-id:3252608799 --> @wggcch commented on GitHub (Sep 4, 2025): i created an PR #17196 would this also help?

GiteaMirror commented 2026-04-19 22:28:36 -05:00

Author

Owner

Copy Link

@wggcch commented on GitHub (Sep 4, 2025):

also there is a new code block for regex oauth sync block list mentioned here df66e21472

<!-- gh-comment-id:3252644718 --> @wggcch commented on GitHub (Sep 4, 2025): also there is a new code block for regex oauth sync block list mentioned here https://github.com/open-webui/open-webui/commit/df66e21472646648d008ebb22b0e8d5424d491df

GiteaMirror commented 2026-04-19 22:28:37 -05:00

Author

Owner

Copy Link

@rndmcnlly commented on GitHub (Nov 7, 2025):

I'm looking for this functionality also, but I don't think I could maintain an allow/block list over time as groups churn.

Instead, I'm imagining some kind of OAUTH_GROUP_PREFIX var (initially empty string) so that I can make sure all of the managed groups have names like oauth:staff@example.com.

Alternatively, a regex could work for identifying the auto-managed groups. I'd configure it to only manage groups containing @.

The big thing is that whether a group is managed automatically is an obvious function of the group's current name. (This lets you adjust whether a group is managed or not by renaming it.)

<!-- gh-comment-id:3503608733 --> @rndmcnlly commented on GitHub (Nov 7, 2025): I'm looking for this functionality also, but I don't think I could maintain an allow/block list over time as groups churn. Instead, I'm imagining some kind of `OAUTH_GROUP_PREFIX` var (initially empty string) so that I can make sure all of the managed groups have names like `oauth:staff@example.com`. Alternatively, a regex could work for identifying the auto-managed groups. I'd configure it to only manage groups containing `@`. The big thing is that whether a group is managed automatically is an obvious function of the group's *current* name. (This lets you adjust whether a group is managed or not by renaming it.)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#16580