[GH-ISSUE #15254] issue:WEBUI_AUTH=False doesn't fully disable login; frontend still attempts signin #17509

New Issue

GiteaMirror · 2026-04-19T23:17:17-05:00

GiteaMirror commented

2026-04-19 23:17:17 -05:00

Originally created by @anilrajrimal1 on GitHub (Jun 24, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15254

Check Existing Issues

I have searched the existing issues and discussions.
I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

main

Ollama Version (if applicable)

latest

Operating System

Ubuntu 22.04

Browser (if applicable)

Brave

Confirmation

I have read and followed all instructions in README.md.
I am using the latest version of both Open WebUI and Ollama.
I have included the browser console logs.
I have included the Docker container logs.
I have provided every relevant configuration, setting, and environment variable used in my setup.
I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
Start with the initial platform/version/OS and dependencies used,
Specify exact install/launch/configure commands,
List URLs visited, user input (incl. example values/emails/passwords if needed),
Describe all options and toggles enabled or changed,
Include any files or environmental changes,
Identify the expected and actual result at each stage,
Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When the environment variable WEBUI_AUTH is set to False, the application should completely disable all authentication mechanisms. This means:

The frontend does not prompt for login.
No authentication-related API calls (e.g., POST requests to /api/v1/auths/signin) are made.
Users can access the interface and features directly without entering credentials.
The user experience is seamless, with no login errors or interruptions.

Actual Behavior

Despite setting WEBUI_AUTH=False, the login screen is hidden, but the frontend still attempts to authenticate by automatically sending a POST request to /api/v1/auths/signin. Because no valid credentials are provided, the server returns a 400 Bad Request error. This results in:

Confusing error messages in the UI.
Users being unable to use the application without credentials.
The frontend ignoring or not properly handling the disabled authentication flag at runtime.

Steps to Reproduce

Set WEBUI_AUTH=False in the environment variables.
Run the Open WebUI in Docker compose stack.
Open the app in a browser.
Observe the frontend sending a POST /api/v1/auths/signin request which fails.

Logs & Screenshots

Web Image:

Browser Console:

Additional Information

This behavior suggests the frontend does not fully respect the WEBUI_AUTH setting at runtime. It seems like this flag disables backend auth but not frontend login attempts, which causes confusion and broken usage without credentials.

Originally created by @anilrajrimal1 on GitHub (Jun 24, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/15254 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version main ### Ollama Version (if applicable) latest ### Operating System Ubuntu 22.04 ### Browser (if applicable) Brave ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When the environment variable `WEBUI_AUTH` is set to `False`, the application should completely disable all authentication mechanisms. This means: - The frontend does **not** prompt for login. - No authentication-related API calls (e.g., POST requests to `/api/v1/auths/signin`) are made. - Users can access the interface and features directly without entering credentials. - The user experience is seamless, with no login errors or interruptions. ### Actual Behavior Despite setting `WEBUI_AUTH=False`, the login screen is hidden, but the frontend still attempts to authenticate by automatically sending a `POST` request to `/api/v1/auths/signin`. Because no valid credentials are provided, the server returns a `400 Bad Request` error. This results in: - Confusing error messages in the UI. - Users being unable to use the application without credentials. - The frontend ignoring or not properly handling the disabled authentication flag at runtime. ### Steps to Reproduce 1. Set `WEBUI_AUTH=False` in the environment variables. 2. Run the Open WebUI in Docker compose stack. 3. Open the app in a browser. 4. Observe the frontend sending a `POST /api/v1/auths/signin` request which fails. ### Logs & Screenshots Web Image: ![Image](https://github.com/user-attachments/assets/72f5903b-8eee-498b-9c2c-b2de4233634b) Browser Console: ![Image](https://github.com/user-attachments/assets/33dd727e-b214-4d0b-b051-90088d5b1306) ### Additional Information This behavior suggests the frontend does not fully respect the `WEBUI_AUTH` setting at runtime. It seems like this flag disables backend auth but not frontend login attempts, which causes confusion and broken usage without credentials.

GiteaMirror added the bug label 2026-04-19 23:17:17 -05:00

GiteaMirror closed this issue

2026-04-19 23:17:18 -05:00

GiteaMirror commented

2026-04-19 23:17:19 -05:00

@rgaricano commented on GitHub (Jun 24, 2025):

did you set any other auth method?

@rgaricano commented on GitHub (Jun 24, 2025): did you set any other auth method?

GiteaMirror commented

2026-04-19 23:17:19 -05:00

@anilrajrimal1 commented on GitHub (Jun 24, 2025):

No, I didn’t set any other authentication method. Just WEBUI_AUTH=False to disable auth completely.

@anilrajrimal1 commented on GitHub (Jun 24, 2025): No, I didn’t set any other authentication method. Just WEBUI_AUTH=False to disable auth completely.

GiteaMirror commented

2026-04-19 23:17:19 -05:00

@tjbck commented on GitHub (Jun 25, 2025):

Unable to reproduce, @ayanahye @jackthgu double check wanted here.

@tjbck commented on GitHub (Jun 25, 2025): Unable to reproduce, @ayanahye @jackthgu double check wanted here.

GiteaMirror referenced this issue

2026-04-20 05:24:40 -05:00

[PR #17509] [CLOSED] feat: Allow Azure OpenAI to authenticate using DefaultAzureCredential #24452

GiteaMirror referenced this issue

2026-04-25 12:30:22 -05:00

[PR #17509] [CLOSED] feat: Allow Azure OpenAI to authenticate using DefaultAzureCredential #40082

GiteaMirror referenced this issue