[GH-ISSUE #23234] feat: Configurable maximum lifespan for OAuth sessions #19926

Closed
opened 2026-04-20 02:29:03 -05:00 by GiteaMirror · 2 comments

Originally created by @lorenzophys on GitHub (Mar 30, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23234

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

We are using OpenID Connect OAuth for our Open WebUI deployment. Our corporate identity provider enforces short-lived access tokens, so we rely on the refresh token mechanism (offline_access scope + OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE=true) to maintain user sessions.

This works well for keeping users logged in, but it creates a new problem: sessions effectively never expire. This doesn't align with our corporate security requirements, which mandate that user sessions have a finite maximum duration regardless of activity.

Desired Solution you'd like

A new configuration option (e.g. OAUTH_SESSION_MAX_LIFETIME) that defines the absolute maximum lifespan of an OAuth session from the moment of initial login.

I'm not familiar enough with the codebase to try to implement it myself.

Alternatives Considered

No response

Additional Context

No response


@Classic298 commented on GitHub (Apr 3, 2026):

Thanks for the detailed write-up! I wanted to check: have you tried configuring JWT_EXPIRES_IN (environment variable or admin panel) to your desired max session duration (e.g., 8h, 1d)?

This controls how long the Open WebUI session token lasts regardless of OAuth token state. Once the JWT expires, the user would need to re-authenticate through the OAuth flow. The default is 4w (4 weeks), which may be why sessions feel like they never expire.

If you've already tried this and are still seeing sessions persist beyond the configured duration, it would be helpful to know the specific behavior that would point to a genuine gap that a new OAUTH_SESSION_MAX_LIFETIME setting would need to address.

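The distinction drawn in the comment above (the Open WebUI session token expiring on its own clock, regardless of OAuth token state) and the "sessions effectively never expire" behaviour described in the issue, modelled as an added example. This is not Open WebUI's code: the duration grammar (`8h`, `1d`, `4w`, and `-1` for no expiry), the signing key, the claim names and the `session_valid_at` simulation are assumptions made for this example, not the project's parser or token format. It builds a stdlib-only HS256 session token whose `exp` is fixed at login, a verifier that rejects the token after that point however often the provider-side OAuth tokens were refreshed, and, as a constructed contrast, a sliding variant that re-issues the token on every activity tick.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed for this example; not Open WebUI's key material.
SECRET_KEY = b"example-only-session-signing-key"

# Assumed unit grammar, modelled on the values quoted in the thread ('8h', '1d', '4w').
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(spec: str) -> int:
    """Turn '8h', '1d' or '4w' into seconds; '-1' means no expiry (assumed convention)."""
    spec = spec.strip()
    if spec == "-1":
        return -1
    m = re.fullmatch(r"(\d+)([smhdw])", spec)
    if not m:
        raise ValueError(f"invalid duration: {spec!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()


def _encode(claims: dict) -> str:
    """Minimal HS256 JWT encoder (stdlib only, so the example runs offline)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def create_session_token(user_id: str, jwt_expires_in: str, now: int) -> str:
    """Issue a session token whose exp is fixed at issue time (an absolute cap)."""
    claims = {"id": user_id, "iat": now}
    ttl = parse_duration(jwt_expires_in)
    if ttl != -1:
        claims["exp"] = now + ttl
    return _encode(claims)


def verify_session_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and exp has not passed, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        if not hmac.compare_digest(_sign(f"{h}.{p}"), _unb64url(s)):
            return None
        claims = json.loads(_unb64url(p))
    except ValueError:  # bad base64 or bad JSON
        return None
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def tamper_exp(token: str, extra_seconds: int) -> str:
    """Rewrite exp but keep the old signature; the verifier must reject this."""
    h, p, s = token.split(".")
    claims = json.loads(_unb64url(p))
    claims["exp"] = claims.get("exp", 0) + extra_seconds
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def session_valid_at(jwt_expires_in: str, activity_every: str, observe: str, sliding: bool) -> bool:
    """Log in at t=0, be active every `activity_every`, and report whether the
    session is still accepted at `observe`. sliding=False is the absolute cap the
    thread describes (exp never moves); sliding=True is a constructed contrast that
    re-issues the token on every activity tick, so an active session never ends."""
    token = create_session_token("user-1", jwt_expires_in, 0)
    period = parse_duration(activity_every)
    t_obs = parse_duration(observe)
    t = period
    while t < t_obs:
        # OAuth refreshes happen on this cadence; under the absolute policy they
        # deliberately do not touch the session token at all.
        if sliding and verify_session_token(token, t) is not None:
            token = create_session_token("user-1", jwt_expires_in, t)
        t += period
    return verify_session_token(token, t_obs) is not None


if __name__ == "__main__":
    for sliding in (False, True):
        for when in ("7h", "9h", "5w"):
            print("sliding" if sliding else "absolute", when, session_valid_at("8h", "1h", when, sliding))
```

With `JWT_EXPIRES_IN=8h` and hourly activity, the absolute policy is accepted at 7h and rejected from 8h on, while the sliding variant is still accepted at 5w. The sliding variant does still end if the user is idle for longer than the TTL, which is why an idle timeout alone does not meet a "finite maximum duration regardless of activity" requirement; an absolute `exp` fixed at login does.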

@garrettashcroft1231-max commented on GitHub (Apr 3, 2026):

Thanks for the suggestion! I haven’t tried adjusting JWT_EXPIRES_IN yet—this might actually cover our use case.


Reference: github-starred/open-webui#19926