Mirror of https://github.com/open-webui/open-webui.git (synced 2026-05-06 10:58:17 -05:00)
enh: Default Role Assignment set by Trusted Headers (like the EMAIL & NAME) for eduPersonEntitlement #1867
Originally created by @atnjqt on GitHub (Aug 23, 2024).
Is your feature request related to a problem? Please describe.
This feature request is related to closed issue Support SAML for auth https://github.com/open-webui/open-webui/issues/2535, which elegantly describes the usage of trusted headers for passing an email & name for a user login, and aims to improve on this solution for Shibboleth integrations.
Describe the solution you'd like
It would be fantastic to also pass a trusted custom header for the roles env var DEFAULT_USER_ROLE (i.e. https://docs.openwebui.com/getting-started/env-configuration/#default_user_role). This solution would effectively allow Apache + Shibboleth SAML setups to pass an industry-standard attribute, eduPersonEntitlement, used for Authorization (see here: https://spaces.at.internet2.edu/display/federation/user-attr-edupersonentitlement).

Our IDP is optionally able to release this SAML attribute, and we use this to accomplish custom Authorization mappings, i.e. on the IDP we would configure three groups for the valid group offerings, namely pending, user, admin. If an SSO user in one of those groups accesses the openui app, that custom header could be used to auto-provision the default role. This is also significant in that if a user leaves they would get immediate lockout, since the custom authz header is no longer present.
Describe alternatives you've considered
Manually setting roles for new users who land as pending.
Additional context
Really just looking to manage user role mappings dynamically using the eduPersonEntitlement SAML attribute, to further improve the manageability and simplicity of Apache + Shibboleth for hosting this application. The document references some other auth services but this doesn't cleanly map to legacy setups.
@tjbck commented on GitHub (Aug 23, 2024):
PR Welcome!
@atnjqt commented on GitHub (Aug 24, 2024):
Thanks for the reply and yes I did think through this a bit and opened a discussion here: https://github.com/open-webui/open-webui/discussions/4883
I have a simple SAML group assignment implementation in a fork here: https://github.com/open-webui/open-webui/compare/main...atnjqt:open-webui:feature/saml-group-assignment
@Gabgobie commented on GitHub (Aug 31, 2024):
Hi,
would it be feasible to expand this functionality to the already present OIDC provider?
The callback code could be changed in a similar way to your suggestion in the fork, except that it would compare group names with an additional scope in the OAUTH_SCOPES. I think besides the code I linked, there may be logic needed for updating group membership on login at another position, but I am not sure about that.
Best,
Gab
@atnjqt commented on GitHub (Aug 31, 2024):
Thanks for the note. I hadn't yet explored the OAUTH_SCOPES flag, but likely yes, they accomplish similar goals of implementing authorization and not just authentication. And yes, my fork was only a proof of concept to set the default role on initial login, but a more thorough implementation would of course check on each subsequent login!
@Gabgobie commented on GitHub (Aug 31, 2024):
Nice to hear! I'd like to try and help implementing this.
Would it be sensible to expand the issue into a more general "enh: Federated Role Assignment"? Where should I work on the code? Would it be better if I made my own fork and PR against this repo, or if I make a PR against yours?
@justinh-rahb commented on GitHub (Sep 2, 2024):
@Gabgobie as Tim said, we'd be glad to see a PR for this as long as it follows our conventions
@Gabgobie commented on GitHub (Nov 7, 2024):
Hi,
my apologies for the long silence. I still intend on working on this feature but unfortunately life has thrown a lot of work at me so this will have to wait for some more time.
Just wanted to leave this here so you are aware that I didn't forget the commitment I made.
Best,
Gab
@Gabgobie commented on GitHub (Nov 15, 2024):
I just updated my local branch to the latest main to continue from the last bit I did. It seems like OAUTH_ROLE_MANAGEMENT is a thing now. Is this issue even needed anymore? I don't think there is anything for me to do.
@linuxrrze commented on GitHub (May 10, 2025):
I just noticed that support for "Enhanced OAuth Group Handling as String or List" was merged in the latest versions.
As a WEBUI_AUTH_TRUSTED_..._HEADER user I'd like to use group support for that authentication, too.
Doesn't it make sense to also use the new OAuth group handling code for other authentications (like "Trusted Header")?
@tjbck commented on GitHub (May 24, 2025):
WEBUI_AUTH_TRUSTED_GROUPS_HEADER added to dev.
@JTGRC-public commented on GitHub (Aug 30, 2025):
This is a great feature, and thanks for the update! However, this uses a given trusted header to ONLY update the user's group assignment, but NOT the role assignment. Group assignment did change certain permissions, but even if the user is not in any of the groups, they can still use the LLM chat with default permissions.
The intent here is to use a given trusted header to update the user's role assignment, such as pending, user, or admin, so that if a specific tag name is not in the list of group names, the user gets the pending role and cannot get into the website at all.
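The role mapping the original request describes (a proxy-set eduPersonEntitlement header deciding between pending, user and admin, with lockout when the entitlement disappears) and the later comments about accepting a group header "as string or list" and deriving the role from it can be shown together in one piece of code. The following is an added example written for this thread, not open-webui code and not the fork linked above; the header names X-Entitlement and X-Groups, the urn:mace:example.org URNs, and the role names are assumptions chosen for the illustration. It assumes the usual trusted-header trust model: the app is reachable only through the reverse proxy (here Apache + mod_shib), and that proxy overwrites these headers on every request so a client can never supply its own copy.

```python
"""Derive an application role and group list from trusted, proxy-set headers.

Added example, not open-webui code. Header names, URNs and role names are
assumptions for this illustration. Only safe behind a proxy that strips any
client-supplied copy of these headers and sets them itself on every request.
"""
import json
from typing import Dict, Iterable, List, Optional

# eduPersonEntitlement values the IdP releases -> application roles.
# Constructed mapping; the URNs are whatever the IdP operator defines.
ENTITLEMENT_ROLE_MAP: Dict[str, str] = {
    "urn:mace:example.org:webui:admin": "admin",
    "urn:mace:example.org:webui:user": "user",
}
ROLE_RANK = {"pending": 0, "user": 1, "admin": 2}
FALLBACK_ROLE = "pending"       # no recognised entitlement -> locked out

ROLE_HEADER = "X-Entitlement"   # assumed header carrying eduPersonEntitlement
GROUPS_HEADER = "X-Groups"      # assumed header carrying group membership


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; match accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_multi_valued(raw: Optional[str]) -> List[str]:
    """Accept a multi-valued attribute as a JSON list or a delimited string.

    mod_shib joins multi-valued attributes with ';'; other proxies use ','.
    Anything unparsable yields an empty list, which maps to the fallback
    role rather than to a guess.
    """
    if raw is None or not raw.strip():
        return []
    raw = raw.strip()
    if raw.startswith("["):
        try:
            values = json.loads(raw)
        except json.JSONDecodeError:
            return []
        if not isinstance(values, list):
            return []
        return [str(v).strip() for v in values if str(v).strip()]
    return [p.strip() for p in raw.replace(",", ";").split(";") if p.strip()]


def role_from_entitlements(entitlements: Iterable[str]) -> str:
    """Return the highest-ranked role that any supplied entitlement maps to.

    Unknown values are ignored. An empty or unrecognised set yields
    FALLBACK_ROLE, so losing the entitlement at the IdP locks the user out
    on their next login instead of leaving a stale role in place.
    """
    best = FALLBACK_ROLE
    for value in entitlements:
        role = ENTITLEMENT_ROLE_MAP.get(value)
        if role is not None and ROLE_RANK[role] > ROLE_RANK[best]:
            best = role
    return best


def sync_user_on_login(user: Dict[str, object], headers: Dict[str, str]) -> Dict[str, object]:
    """Recompute role and groups from the headers on every login.

    The previous role is deliberately not consulted: the header is the
    source of truth, so a user whose entitlement was revoked is downgraded
    to pending even if they were admin last time.
    """
    entitlements = parse_multi_valued(header_value(headers, ROLE_HEADER))
    groups = parse_multi_valued(header_value(headers, GROUPS_HEADER))
    updated = dict(user)
    updated["role"] = role_from_entitlements(entitlements)
    updated["groups"] = sorted(set(groups))
    return updated


if __name__ == "__main__":
    # Constructed requests: an admin, a plain user with an unrelated extra
    # entitlement, and a user whose entitlement the IdP no longer releases.
    existing = {"email": "alice@example.org", "role": "admin", "groups": []}
    print(sync_user_on_login(existing, {"x-entitlement": "urn:mace:example.org:webui:admin",
                                        "X-Groups": '["staff", "ml"]'}))
    print(sync_user_on_login(existing, {"X-Entitlement": "urn:mace:example.org:webui:user;urn:other"}))
    print(sync_user_on_login(existing, {}))
```

The two decisions that matter for security are in `role_from_entitlements` and `sync_user_on_login`: a missing or unrecognised header value resolves to pending rather than to "keep whatever role the user had", and the role is recomputed on every login rather than only at first provisioning, which is what gives the immediate lockout the original request asks for. The parsing helper is shared by the role and group headers so that a proxy emitting either a JSON list or a `;`/`,`-delimited string is handled the same way.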