[GH-ISSUE #14653] feat: Access to OIDC Access Token for Tools #17325

Closed
opened 2026-04-19 23:03:35 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @Natoandro on GitHub (Jun 4, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/14653

Check Existing Issues

  • I have searched the existing issues and discussions.

Problem Description

I am currently integrating Open WebUI with an OpenID Connect (OIDC) provider for user authentication. While the authentication process works as expected, I have encountered a challenge in accessing the OIDC access token within custom tools. The standard tool environment does not provide direct access to this token, which is essential for making authorized requests to external services on behalf of the authenticated user.

What would be your recommended way of doing it?

Desired Solution you'd like

I propose that Open WebUI provides a built-in mechanism to access the OIDC access token within tools. This could be achieved by exposing the token through the __user__ object or by implementing a dedicated function that retrieves the token from the session or cookies. Such a feature would enhance the flexibility and security of integrating external services within tools, aligning with best practices for handling authentication tokens.

Alternatives Considered

To work around this limitation, I modified the Open WebUI source code to store the OIDC access token in a cookie. This allows me to retrieve the token within tools using the following code:

oidc_access_token = __request__.cookies.get("oauth_access_token")

While this solution is functional, it requires altering the core codebase, which is not ideal for maintainability and future updates. I am uncertain if this is the best approach to address this issue.

If this approach aligns with the project's direction, I am willing to submit a pull request to implement this feature.

Additional Context

  • Discussion on accessing OIDC token inside tools: #6200

  • Commit implementing a workaround to store OIDC access token in cookies: d180e50

Originally created by @Natoandro on GitHub (Jun 4, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/14653 ### Check Existing Issues - [x] I have searched the existing issues and discussions. ### Problem Description I am currently integrating Open WebUI with an OpenID Connect (OIDC) provider for user authentication. While the authentication process works as expected, I have encountered a challenge in accessing the OIDC access token within custom tools. The standard tool environment does not provide direct access to this token, which is essential for making authorized requests to external services on behalf of the authenticated user. What would be your recommended way of doing it? ### Desired Solution you'd like I propose that Open WebUI provides a built-in mechanism to access the OIDC access token within tools. This could be achieved by exposing the token through the `__user__` object or by implementing a dedicated function that retrieves the token from the session or cookies. Such a feature would enhance the flexibility and security of integrating external services within tools, aligning with best practices for handling authentication tokens. ### Alternatives Considered To work around this limitation, I modified the Open WebUI source code to store the OIDC access token in a cookie. This allows me to retrieve the token within tools using the following code: ```python oidc_access_token = __request__.cookies.get("oauth_access_token") ``` While this solution is functional, it requires altering the core codebase, which is not ideal for maintainability and future updates. I am uncertain if this is the best approach to address this issue. If this approach aligns with the project's direction, I am willing to submit a pull request to implement this feature. ### Additional Context - Discussion on accessing OIDC token inside tools: [#6200](https://github.com/open-webui/open-webui/discussions/6200) - Commit implementing a workaround to store OIDC access token in cookies: [d180e50](https://github.com/Natoandro/open-webui/commit/d180e50b2b6084d5979ebb78462b528231d77c31)
Author
Owner

@imranq2 commented on GitHub (Aug 11, 2025):

Makes sense to me

<!-- gh-comment-id:3173033161 --> @imranq2 commented on GitHub (Aug 11, 2025): Makes sense to me
Author
Owner

@koflerm commented on GitHub (Sep 16, 2025):

This feature should be in the newest version available via the commit 217f4daef0

As with the existing injectable parameters like __request__, there is now an __oauth_token__ parameter which can be added to tool functions.

<!-- gh-comment-id:3298225078 --> @koflerm commented on GitHub (Sep 16, 2025): This feature should be in the newest version available via the commit https://github.com/open-webui/open-webui/commit/217f4daef09b36d3d4cc4681e11d3ebd9984a1a5 As with the existing injectable parameters like `__request__`, there is now an `__oauth_token__` parameter which can be added to tool functions.
Author
Owner

@brainboutique commented on GitHub (Sep 29, 2025):

@koflerm @tjbck @Classic298 , thx a lot, appreciated! Works like charm on first try!

PS: Not sure yet how to reproduce: From time to time I see
open_webui.utils.oauth:get_oauth_token:654 - No OAuth session found for user 0aafefb1-xxxx, session 14xxxxx
in the log and the function does not receive a token but "None". Will keep an eye on this, maybe token expiry? Docker restart? Not sure yet...

<!-- gh-comment-id:3348677664 --> @brainboutique commented on GitHub (Sep 29, 2025): @koflerm @tjbck @Classic298 , thx a lot, appreciated! Works like charm on first try! PS: Not sure yet how to reproduce: From time to time I see `open_webui.utils.oauth:get_oauth_token:654 - No OAuth session found for user 0aafefb1-xxxx, session 14xxxxx` in the log and the function does not receive a token but "None". Will keep an eye on this, maybe token expiry? Docker restart? Not sure yet...
Author
Owner

@gneuli commented on GitHub (Nov 7, 2025):

@brainboutique We’re running into the same inconsistent behavior as described.

With the config
ENABLE_OAUTH_ID_TOKEN_COOKIE=true
ENABLE_STAR_SESSIONS_MIDDLEWARE=false
the browser cookie is set correctly and the token gets passed on to the tools, but only for a limited period. We’ve noticed that this issue isn’t tied to token expiration. The token refresh happens as expected initially but after an irregular and inconsistent interval (often several days), the token management breaks down and None ends up being passed as the oauth_token to the tools.

Restarting the container (in a single-replica Kubernetes setup) doesn’t seem to be the root cause, the issue still appears intermittently.

@tjbck Do you have any ideas or updates on what could be causing this inconsistent loss of the OAuth token? Any suggestions for further troubleshooting would be appreciated!

<!-- gh-comment-id:3501372619 --> @gneuli commented on GitHub (Nov 7, 2025): @brainboutique We’re running into the same inconsistent behavior as described. With the config ENABLE_OAUTH_ID_TOKEN_COOKIE=true ENABLE_STAR_SESSIONS_MIDDLEWARE=false the browser cookie is set correctly and the token gets passed on to the tools, but only for a limited period. We’ve noticed that this issue isn’t tied to token expiration. The token refresh happens as expected initially but after an irregular and inconsistent interval (often several days), the token management breaks down and None ends up being passed as the __oauth_token__ to the tools. Restarting the container (in a single-replica Kubernetes setup) doesn’t seem to be the root cause, the issue still appears intermittently. @tjbck Do you have any ideas or updates on what could be causing this inconsistent loss of the OAuth token? Any suggestions for further troubleshooting would be appreciated!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#17325