[GH-ISSUE #17113] feat: Adjust OAUTH_BLOCKED_GROUPS to allow regex patterns #18170

Closed
opened 2026-04-20 00:23:20 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @wggcch on GitHub (Sep 1, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17113

Check Existing Issues

  • I have searched the existing issues and discussions.

Problem Description

Current Behavior:

When I use an oauth provider for Login and Group management, I can also set a List of local Groups, that will not be updated by oauth with the ENV: OAUTH_BLOCKED_GROUPS
This can be a List of Names like ['my-group', 'another-group'] and so on.

But what if I have already created multiple groups in OpenWebui and do not want to exclude every single group?

Desired Solution you'd like

Support Regex Matching to partly allow more or even all groups to be blocked from OAuth overwriting

within oauth.py

import re
# ...existing code...

def is_blocked_group(group_name, blocked_groups):
    for blocked in blocked_groups:
        try:
            # try to interpret the entry as a regex
            if re.fullmatch(blocked, group_name):
                return True
        except re.error:
            if blocked == group_name:
                return True
    return False

That would then allow us to use the ENV like this:

OAUTH_BLOCKED_GROUPS = ['local-.*'] -> block all groups starting with `local-` from being overwritten by the oauth provider

Alternatives Considered

No response

Additional Context

We are currently using keycloak as our oauth provider and we have had some Groups managed within Openwebui. We wanted to sync our keycloak Groups into open webui but then we saw that this would overwrite our open webui managed Groups.

For every open webui managed group we now need to

  • add it to the OAUTH_BLOCKED_GROUPS List
  • restart the open webui docker container so that the env is updated
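
An added example, not part of the original issue and not Open WebUI's code: the matching proposed above with each entry compiled once, showing how `fullmatch` anchors a pattern, how a literal name containing `.` over-matches, and which entries fall back to exact matching. The helper names and the sample entries and group names are assumptions constructed for illustration.

```python
import re


def compile_blocked_groups(entries):
    """Compile each entry once; return (matchers, literal_fallbacks).

    An entry that is not a valid regex is kept as an exact-match literal,
    mirroring the re.error fallback in the snippet from the issue.
    """
    matchers, literal_fallbacks = [], []
    for entry in entries:
        try:
            matchers.append(re.compile(entry))
        except re.error:
            matchers.append(re.compile(re.escape(entry)))
            literal_fallbacks.append(entry)
    return matchers, literal_fallbacks


def is_blocked_group(group_name, matchers):
    # fullmatch anchors both ends, so 'local-.*' cannot match 'nonlocal-x'.
    return any(m.fullmatch(group_name) for m in matchers)


def report(entries, group_names):
    """Return (sorted blocked names, entries treated as literals)."""
    matchers, fallbacks = compile_blocked_groups(entries)
    blocked = sorted(g for g in group_names if is_blocked_group(g, matchers))
    return blocked, fallbacks


# Constructed sample data (hypothetical entries and group names).
SAMPLE_ENTRIES = ["local-.*", "dev.ops", "ops[legacy"]
SAMPLE_GROUPS = [
    "local-admins",     # matched by 'local-.*'
    "nonlocal-admins",  # not matched: fullmatch is anchored
    "dev.ops",          # matched by 'dev.ops'
    "dev-ops",          # also matched: '.' is a wildcard, not a literal dot
    "ops[legacy",       # invalid regex entry, matched as a literal
    "keycloak-users",   # not blocked, stays managed by the provider
]

if __name__ == "__main__":
    blocked, fallbacks = report(SAMPLE_ENTRIES, SAMPLE_GROUPS)
    print("blocked:", blocked)
    print("treated as literals:", fallbacks)
```

Existing literal entries that contain regex metacharacters change meaning once every entry is read as a pattern, so an entry such as `dev.ops` would need escaping to keep its exact-match behaviour.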
Author
Owner

@tjbck commented on GitHub (Sep 1, 2025):

PR welcome!


Reference: github-starred/open-webui#18170