[GH-ISSUE #17917] issue: oauth user signup flow breaking due to generated password crossing 72 bytes #18436

Closed
opened 2026-04-20 00:39:15 -05:00 by GiteaMirror · 15 comments

Originally created by @thenicekat on GitHub (Sep 30, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17917

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.32

Ollama Version (if applicable)

No response

Operating System

ubuntu

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

It should create a new account and move on. https://github.com/open-webui/open-webui/blob/4d7fddaf7e434bf59fdd879ef11d712a503b7863/backend/open_webui/utils/oauth.py#L1225

Actual Behavior

Error during OAuth process: password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])

This error is coming during the oauth signup flow. I am not sure what changed here. All new signups are breaking because of this. I am not sure why this even hits https://github.com/open-webui/open-webui/blob/4d7fddaf7e434bf59fdd879ef11d712a503b7863/backend/open_webui/routers/auths.py#L596, that particular endpoint. I would assume oauth.py is not making an API call to /signup, but I am not sure.

Steps to Reproduce

On any oauth flow, try to sign up without a pre-created account.

Logs & Screenshots

Error during OAuth process: password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])

Additional Information

No response

GiteaMirror added the bug label 2026-04-20 00:39:15 -05:00

@thenicekat commented on GitHub (Sep 30, 2025):

It's happening consistently even without oauth:
This was me running a new openwebui image locally.

Image

@tjbck commented on GitHub (Sep 30, 2025):

@silentoplayz Are you able to reproduce here? I'm currently unable.


@thenicekat commented on GitHub (Sep 30, 2025):

huh? weird, um, should openwebui image require anything else out of the box? I have always used it this way and it always worked before.

Image

@tjbck commented on GitHub (Sep 30, 2025):

We have not changed anything here for our latest release, something else might be playing a role here.


@silentoplayz commented on GitHub (Sep 30, 2025):

@tjbck I am able to reproduce with a long password being used on signup within the UI. Below is the password I attempted to create an account/sign up with:

ThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytesThispasswordisactuallytoolongofrOpenWebUItoacceptandthereisnothingthatIcoulddoaboutitifthepasswordislongerthan72bytes

The following notification toast is displayed on-click of Create Account:
Image

Error on backend:

2025-09-30 11:58:48.135 | ERROR    | open_webui.routers.auths:signup:672 - Signup error: 400: Uh-oh! The password you entered is too long. Please make sure your password is less than 72 bytes long.

@thenicekat commented on GitHub (Sep 30, 2025):

I just used abc as password


@silentoplayz commented on GitHub (Sep 30, 2025):

> I just used abc as password

@thenicekat I can't reproduce with just abc as the password.
Image

@thenicekat commented on GitHub (Sep 30, 2025):

https://github.com/user-attachments/assets/c1f7b26a-f0b8-4347-a537-828349d945d1

@thenicekat commented on GitHub (Sep 30, 2025):

When I run backend locally (code on main), I could create an account, I am not sure what changed or what is going wrong in the docker image but, if I hit the server when I am running the docker image, it still fails.


@thenicekat commented on GitHub (Sep 30, 2025):

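Looks like it's coming from inside bcrypt (https://github.com/pyca/bcrypt/blob/8067b600835b3782b85b2f92e2d90461cb7873bf/src/_bcrypt/src/lib.rs#L87).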
So, openwebui backend passes it through but bcrypt fails it which is leading to different errors from me and @silentoplayz's side.

https://github.com/pyca/bcrypt/issues/1082
Possibly related.


@thenicekat commented on GitHub (Sep 30, 2025):

Confirmed: Downgrading bcrypt fixes it. I had unpinned versions of some of the libraries to remove vulnerabilities but maybe unpinning bcrypt was a bad idea. We can close this issue. Sorry for the trouble.


@thenicekat commented on GitHub (Oct 1, 2025):

https://github.com/pyca/bcrypt/issues/1079
Looks like they are encouraging us to stop using passlib. Is it okay if I make a PR removing passlib and using bcrypt directly? @tjbck @silentoplayz
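
Added example, not Open WebUI's or pyca/bcrypt's code: one way to call bcrypt directly (without passlib, as proposed above) while enforcing the 72-byte limit on the UTF-8 encoding before the library sees the input. The function names are hypothetical, and bcrypt is imported lazily so the length checks run even where the package is not installed.

```python
BCRYPT_MAX_BYTES = 72  # limit quoted in the error message in this thread


def utf8_len(password: str) -> int:
    """Length as bcrypt sees it: UTF-8 bytes, not characters."""
    return len(password.encode("utf-8"))


def validate_for_bcrypt(password: str) -> bytes:
    """Encode the password, or fail with an application-level error
    instead of letting the library's ValueError surface mid-signup."""
    raw = password.encode("utf-8")
    if len(raw) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"password is {len(raw)} bytes; bcrypt accepts at most "
            f"{BCRYPT_MAX_BYTES}"
        )
    return raw


def truncation_collision(a: str, b: str) -> bool:
    """True when two different passwords share their first 72 bytes,
    i.e. they would hash identically if the input were cut at 72 bytes."""
    ra, rb = a.encode("utf-8"), b.encode("utf-8")
    return ra != rb and ra[:BCRYPT_MAX_BYTES] == rb[:BCRYPT_MAX_BYTES]


def hash_password(password: str) -> str:
    import bcrypt  # lazy import: only needed when actually hashing
    raw = validate_for_bcrypt(password)
    return bcrypt.hashpw(raw, bcrypt.gensalt()).decode("ascii")


def verify_password(password: str, hashed: str) -> bool:
    import bcrypt
    try:
        raw = validate_for_bcrypt(password)
    except ValueError:
        # hash_password() never stores a hash of over-long input,
        # so an over-long candidate cannot be a match.
        return False
    return bcrypt.checkpw(raw, hashed.encode("ascii"))
```

Hashes stored while the input was being cut at 72 bytes were computed over that prefix only, so rejecting over-long input at verify time will fail those logins until the password is reset.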


@tjbck commented on GitHub (Oct 2, 2025):

Should be addressed with ebce0578e6 in dev!


@silentoplayz commented on GitHub (Oct 8, 2025):

@thenicekat Has ebce0578e6 addressed the issue for you?


@thenicekat commented on GitHub (Oct 8, 2025):

I downgraded it, that definitely worked. I did not check any latest release yet.

Reference: github-starred/open-webui#18436