Add environment variable to specify OAuth Email Claim #1713

Closed
opened 2025-11-11 14:50:39 -06:00 by GiteaMirror · 3 comments

Originally created by @cdgco on GitHub (Aug 7, 2024).

**Is your feature request related to a problem? Please describe.**

I'm currently using Microsoft Entra ID as my OAuth provider but Entra does not reliably return user emails in the `email` claim of the OAuth ID token. Some users in my environment do not have the email field set but instead have the email returned in the `preferred_username` or `username` claims.

As a result, when a user who does not have the email claim tries to log in, the logs show `OAuth callback failed, email is missing` and the user is redirected to an API page listing `The email or password provided is incorrect. Please check for typos and try logging in again.`

**Describe the solution you'd like**

To more widely support different OAuth configurations, environment variables should be added similar to `OAUTH_USERNAME_CLAIM` allowing users to specify an alternative email claim, such as `OAUTH_EMAIL_CLAIM` and/or `MICROSOFT_EMAIL_CLAIM`.

This should be pretty straightforward, only need to define the variable(s) in [backend/config.py](https://github.com/open-webui/open-webui/tree/99d10d1189452ad49fcace219e9c90ae65906cd1/backend/config.py) and change [line 2161 of main.py](https://github.com/open-webui/open-webui/blob/99d10d1189452ad49fcace219e9c90ae65906cd1/backend/main.py#L2161) to something like this:

```python
# Read the claim name from the new setting instead of hard-coding "email"
email_claim = webui_app.state.config.OAUTH_EMAIL_CLAIM
# Look the address up in the decoded OAuth user data under that claim
email = user_data.get(email_claim, "")
```

I'm happy to open a PR as well.

**Describe alternatives you've considered**

Alternatively, for the Microsoft auth provider, it could check for the `preferred_username` claim and fall back to that value if the `email` claim doesn't exist.

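The configurable claim proposed above, combined with the Microsoft fallback from the alternatives section, as an added example that is not code from this issue or from Open WebUI. The setting names `OAUTH_EMAIL_FALLBACK_CLAIMS`, the `upn` claim and the `resolve_email` helper are assumptions; the claim sets are constructed to mirror the accounts described in the issue.

```python
import re
from typing import Mapping, Optional, Sequence, Tuple

# Assumed setting names standing in for the OAUTH_EMAIL_CLAIM proposal in this
# issue; they are not Open WebUI's real configuration object.
OAUTH_EMAIL_CLAIM = "email"
OAUTH_EMAIL_FALLBACK_CLAIMS: Sequence[str] = ("preferred_username", "upn")

# Shape check only: fallback claims carry usernames, which Entra ID does not
# promise to be e-mail addresses (an alias account may just be "svc-backup").
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_email(
    user_data: Mapping[str, object],
    primary_claim: str = OAUTH_EMAIL_CLAIM,
    fallback_claims: Sequence[str] = OAUTH_EMAIL_FALLBACK_CLAIMS,
) -> Optional[Tuple[str, str]]:
    """Pick the address for an OAuth login from the decoded ID-token claims.

    Returns (email, claim_used) so the caller can log which claim supplied the
    address, or None when neither the primary nor any fallback claim holds
    something shaped like an e-mail address (an empty "email" claim counts as
    missing, which is the Entra ID case from the issue).
    """
    for claim in (primary_claim, *fallback_claims):
        value = user_data.get(claim)
        if not isinstance(value, str):
            continue
        candidate = value.strip().lower()
        if _EMAIL_RE.match(candidate):
            return candidate, claim
    return None


# Constructed claim sets modelled on the accounts described in the issue.
CLAIMS_WITH_EMAIL = {"email": "Alice@example.com", "preferred_username": "alice@example.com"}
CLAIMS_ALIAS_ACCOUNT = {"name": "Backup Admin", "preferred_username": "backup-admin@example.com"}
CLAIMS_NO_ADDRESS = {"name": "Svc", "preferred_username": "svc-backup"}

if __name__ == "__main__":
    for claims in (CLAIMS_WITH_EMAIL, CLAIMS_ALIAS_ACCOUNT, CLAIMS_NO_ADDRESS):
        print(resolve_email(claims))
```

Logging the claim that supplied the address makes it visible when a login was keyed on a username rather than a verified email, which matters if the address is later used to match an existing local account.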

@justinh-rahb commented on GitHub (Aug 7, 2024):

That would be a valuable PR; I think the approach you outline should work. If this primarily only affects Microsoft, perhaps the variable should be named accordingly, otherwise this may make things difficult if you use both Google and Microsoft (as I do). FWIW, it seems all my users return a valid `email` claim 😅


@cdgco commented on GitHub (Aug 7, 2024):

I ended up following the same implementation as the picture claim, which seems to be provider agnostic, and I think it would be good to have this support OIDC as well, so using just the `OAUTH_EMAIL_CLAIM` should cover all the bases.

I think the missing claim is something to do with aliases in Azure but not totally sure. My primary account has an email but my org has some permissions only / alias accounts that don't seem to have emails assigned.


@someonewating commented on GitHub (May 24, 2025):

I believe the root cause is indeed Microsoft Entra ID.

Not sure why @justinh-rahb's Entra ID is able to return the `email` claim. In my tenant, the account does not have an `email` claim unless it is configured.

![Image](https://github.com/user-attachments/assets/1809c327-fe75-4c6d-8699-30866fe533e7)

After adding the email address to the 'Contact Information', the error is resolved.


Reference: github-starred/open-webui#1713