[GH-ISSUE #16908] issue: OIDC login with ADFS fails on Open WebUI ≥0.6.25 due to missing email claim #18092

Closed
opened 2026-04-20 00:02:56 -05:00 by GiteaMirror · 0 comments

Originally created by @HaldiH on GitHub (Aug 25, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/16908

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.25

Ollama Version (if applicable)

No response

Operating System

Ubuntu 24.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Open WebUI should extract the user’s email from the id_token (claim "email") and complete the login successfully, as it did in version 0.6.22.

Actual Behavior

Login fails with an error message in the browser:

{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}

Logs show:

open_webui.utils.oauth:handle_callback:426 - OAuth callback failed, email is missing: {'sub': 'CXrgQw87vRhkXeke+yrjn/...'}

The ADFS /userinfo endpoint only returns sub, not email. Setting OAUTH_EMAIL_CLAIM=email does not fix the issue.

Steps to Reproduce

  1. Prerequisites

    • Docker and Docker Compose installed on the host machine.
    • An ADFS instance configured to act as an OpenID Connect provider.
    • Existing Open WebUI installation working on version 0.6.22 (optional but recommended for comparison).
  2. Prepare Docker Compose configuration
    Create a docker-compose.yml file with the following content (sensitive data anonymized):

    services:
      open-webui:
        image: ghcr.io/open-webui/open-webui:0.6.25
        restart: always
        volumes:
          - /srv/ollama/open-webui:/app/backend/data
        environment:
          WEBUI_NAME: Hactar
          WEBUI_URL: https://hactar.unige.ch
          ENV: dev
          DATABASE_URL: postgres://postgres:***REDACTED***@db:5432/postgres
          OLLAMA_BASE_URL: http://ollama:11434
          ENABLE_LOGIN_FORM: "false"
          ENABLE_SIGNUP: "false"
          ENABLE_OAUTH_SIGNUP: "true"
          OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true"
          OAUTH_CLIENT_ID: ***REDACTED***
          OAUTH_CLIENT_SECRET: ***REDACTED***
          OPENID_PROVIDER_URL: https://adfs.unige.ch/adfs/.well-known/openid-configuration
          OAUTH_PROVIDER_NAME: "UNIGE ISIs"
          OAUTH_SCOPES: "openid email profile"
          OAUTH_EMAIL_CLAIM: email
    
  3. Start the service

    • Run the following command to start Open WebUI:

      docker-compose up -d
      
    • Verify that the container is running:

      docker ps
      
    • Confirm that Open WebUI is accessible.

  4. Attempt to login via OIDC

    • Open a browser and navigate to https://hactar.unige.ch.
    • Click the "Login with UNIGE ISIs" button (the configured OIDC provider).
    • Authenticate with ADFS credentials.
  5. Observe the failure

    • The login fails, showing the message:

      {"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}
      
    • In container logs, you will see:

      open_webui.utils.oauth:handle_callback:426 - OAuth callback failed, email is missing: {'sub': 'CXrgQw87vRhkXeke+yrjn/...'}
      
  6. Verify the token (optional, to demonstrate the issue)

    • Extract the id_token from the OAuth callback URL.
    • Decode the JWT; it contains the email claim but /userinfo only returns sub.
  7. Result

    • Open WebUI fails to extract the email claim from the token, even though it exists.
    • Setting OAUTH_EMAIL_CLAIM=email does not resolve the issue.
    • This reproduces the regression observed when upgrading from 0.6.22 to 0.6.25.

Logs & Screenshots

JWT decoded (sensitive data censored):

{
  "aud": "microsoft:identityserver:***REDACTED***",
  "iss": "http://adfs.example.com/adfs/services/trust",
  "iat": 1756137898,
  "nbf": 1756137898,
  "exp": 1756141498,
  "email": "user@example.com",
  "apptype": "Confidential",
  "appid": "***REDACTED***",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "auth_time": "2025-08-25T09:22:46.581Z",
  "ver": "1.0",
  "scp": "openid allatclaims",
  "idsub": "CXrgQw87vRhkXeke+yrjn/..."
}

Additional Information

Since upgrading from Open WebUI 0.6.22 to 0.6.25, OIDC login via ADFS no longer works. The main issue is that Open WebUI expects the user’s email to be returned either in the ID token or via the /userinfo endpoint. However, ADFS only provides the sub claim in /userinfo, and although the ID token contains an email claim, Open WebUI fails to extract it. Setting OAUTH_EMAIL_CLAIM=email does not resolve the problem. The login fails with a generic "email or password incorrect" error, even though the token is valid and contains the user’s email.

This appears to be a regression compared to 0.6.22, where login with the same ADFS setup worked without issues.

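The report describes a relying party that reads the email only from `/userinfo` and so fails when the provider puts `email` in the ID token but returns only `sub` from `/userinfo`. The following is an added example (not Open WebUI's code, and not the reporter's) that decodes an ID token payload for inspection, reproduces the userinfo-only lookup that fails, and shows a resolver that consults the ID token claims first and falls back to `/userinfo`, with the claim name taken from a setting in the spirit of `OAUTH_EMAIL_CLAIM`. The function names, the sample token and the sample `/userinfo` response are constructed for this example; the sample claims mirror the anonymised values in the report.

```python
import base64
import json
from typing import Any, Mapping, Optional


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS (header.payload.signature).

    This does NOT verify the signature: it is only for local inspection of a
    token you already hold (step 6 of the report). A relying party must verify
    the signature against the provider's JWKS, plus iss/aud/exp, before it
    trusts any claim in the payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_from_userinfo_only(userinfo: Mapping[str, Any], email_claim: str) -> Optional[str]:
    """The failing behaviour: look for the email claim in /userinfo alone."""
    value = userinfo.get(email_claim)
    return value if isinstance(value, str) and "@" in value else None


def resolve_email(
    id_token_claims: Mapping[str, Any],
    userinfo: Optional[Mapping[str, Any]],
    email_claim: str = "email",
) -> Optional[str]:
    """Resolve the email from the (already verified) ID token claims first,
    then from /userinfo. Returns None when neither carries a usable value,
    so the caller can log which sources were consulted instead of a generic
    'email or password incorrect' message. The address is lower-cased because
    merging accounts by email (OAUTH_MERGE_ACCOUNTS_BY_EMAIL) must treat
    User@Example.com and user@example.com as the same account.
    """
    for source in (id_token_claims, userinfo or {}):
        value = source.get(email_claim)
        if isinstance(value, str) and "@" in value:
            return value.strip().lower()
    return None


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample ID token: the claims follow the anonymised payload in the
# report; the header and signature are placeholders, not a real ADFS signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "example"}),
    _b64url({
        "aud": "microsoft:identityserver:REDACTED",
        "iss": "http://adfs.example.com/adfs/services/trust",
        "iat": 1756137898,
        "nbf": 1756137898,
        "exp": 1756141498,
        "email": "user@example.com",
        "scp": "openid allatclaims",
        "idsub": "CXrgQw87vRhkXeke+yrjn/...",
    }),
    "placeholder-signature",
])

# Constructed sample /userinfo response: only sub, as the report describes.
SAMPLE_USERINFO = {"sub": "CXrgQw87vRhkXeke+yrjn/..."}


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_ID_TOKEN)
    print("userinfo only:", email_from_userinfo_only(SAMPLE_USERINFO, "email"))
    print("id_token then userinfo:", resolve_email(claims, SAMPLE_USERINFO, "email"))
```

Running the block prints `None` for the userinfo-only lookup (the case that produces the "email is missing" log line) and `user@example.com` for the resolver that also reads the ID token. When reproducing the issue against a real provider, compare the decoded ID token payload with the `/userinfo` body side by side; if the claim exists only in the former, the fix belongs in the relying party's claim lookup, not in the ADFS claim rules.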
GiteaMirror added the bug label 2026-04-20 00:02:56 -05:00
Reference: github-starred/open-webui#18092