mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
[GH-ISSUE #14653] feat: Access to OIDC Access Token for Tools #17325
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Natoandro on GitHub (Jun 4, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/14653
Check Existing Issues
Problem Description
I am currently integrating Open WebUI with an OpenID Connect (OIDC) provider for user authentication. While the authentication process works as expected, I have encountered a challenge in accessing the OIDC access token within custom tools. The standard tool environment does not provide direct access to this token, which is essential for making authorized requests to external services on behalf of the authenticated user.
What would be your recommended way of doing it?
Desired Solution you'd like
I propose that Open WebUI provides a built-in mechanism to access the OIDC access token within tools. This could be achieved by exposing the token through the
__user__object or by implementing a dedicated function that retrieves the token from the session or cookies. Such a feature would enhance the flexibility and security of integrating external services within tools, aligning with best practices for handling authentication tokens.Alternatives Considered
To work around this limitation, I modified the Open WebUI source code to store the OIDC access token in a cookie. This allows me to retrieve the token within tools using the following code:
While this solution is functional, it requires altering the core codebase, which is not ideal for maintainability and future updates. I am uncertain if this is the best approach to address this issue.
If this approach aligns with the project's direction, I am willing to submit a pull request to implement this feature.
Additional Context
Discussion on accessing OIDC token inside tools: #6200
Commit implementing a workaround to store OIDC access token in cookies: d180e50
@imranq2 commented on GitHub (Aug 11, 2025):
Makes sense to me
@koflerm commented on GitHub (Sep 16, 2025):
This feature should be in the newest version available via the commit
217f4daef0As with the existing injectable parameters like
__request__, there is now an__oauth_token__parameter which can be added to tool functions.@brainboutique commented on GitHub (Sep 29, 2025):
@koflerm @tjbck @Classic298 , thx a lot, appreciated! Works like charm on first try!
PS: Not sure yet how to reproduce: From time to time I see
open_webui.utils.oauth:get_oauth_token:654 - No OAuth session found for user 0aafefb1-xxxx, session 14xxxxxin the log and the function does not receive a token but "None". Will keep an eye on this, maybe token expiry? Docker restart? Not sure yet...
@gneuli commented on GitHub (Nov 7, 2025):
@brainboutique We’re running into the same inconsistent behavior as described.
With the config
ENABLE_OAUTH_ID_TOKEN_COOKIE=true
ENABLE_STAR_SESSIONS_MIDDLEWARE=false
the browser cookie is set correctly and the token gets passed on to the tools, but only for a limited period. We’ve noticed that this issue isn’t tied to token expiration. The token refresh happens as expected initially but after an irregular and inconsistent interval (often several days), the token management breaks down and None ends up being passed as the oauth_token to the tools.
Restarting the container (in a single-replica Kubernetes setup) doesn’t seem to be the root cause, the issue still appears intermittently.
@tjbck Do you have any ideas or updates on what could be causing this inconsistent loss of the OAuth token? Any suggestions for further troubleshooting would be appreciated!