[GH-ISSUE #23463] issue: v0.8.11/12, connection OAuth Authorization header no longer sent to model backend. undeclared cookie_expires var #19989

Closed
opened 2026-04-20 02:34:03 -05:00 by GiteaMirror · 5 comments

Originally created by @bitsofinfo on GitHub (Apr 6, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23463

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.8.11 and v0.8.12

Ollama Version (if applicable)

No response

Operating System

osx

Browser (if applicable)

chrome latest

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Here is my configuration in v0.8.10. Works fine.

  • User logs into my oauth provider, redirects back to UI ok
  • My connections are configured for "OAuth" authentication
  • I send a chat message for a model available on the connection and I see a proper Authorization header with the JWT bearer token from the OAuth exchange

When I simply upgrade to 0.8.11, this breaks. The Authorization header is no longer sent over the connection to the model's chat completions endpoint.

  open-webui:
    image: ghcr.io/open-webui/open-webui:0.8.10
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    ports:
      - '9999:8080'
    volumes:
      - ./open-webui-data:/app/backend/data

    environment:
      ENABLE_FOLLOW_UP_GENERATION: false
      ENABLE_TAGS_GENERATION: false
      ENABLE_TITLE_GENERATION: false
      OPENAI_LOG_LEVEL: DEBUG
      GLOBAL_LOG_LEVEL: DEBUG
      ENABLE_FORWARD_USER_INFO_HEADERS: true
      OAUTH_CLIENT_ID: ${OPEN_WEBUI__OAUTH_CLIENT_ID}
      OAUTH_CLIENT_SECRET: ${OPEN_WEBUI__OAUTH_CLIENT_SECRET}
      OPENID_PROVIDER_URL: ${OPEN_WEBUI__OPENID_PROVIDER_URL}
      OAUTH_PROVIDER_NAME: My Auth0
      OAUTH_SCOPES: "openid email profile groups my:scope"
      ENABLE_OAUTH_SIGNUP: true
      ENABLE_OLLAMA_API: false
      OPENAI_API_BASE_URL: http://host.docker.internal:9090/v1
      DATA_DIR: /app/backend/data
      DATABASE_URL: postgresql://myuser:XXXXX@postgres:5432/myuser
      OAUTH_AUDIENCE: https://my.audience.test.com

Actual Behavior

see above

Steps to Reproduce

see above. Just take a working OAUTH configured open-webui instance running v0.8.10 or below, and upgrade it to v0.8.11 (or v0.8.12)

Logs & Screenshots

The only thing I see in the logs post upgrade related to/during the oauth redirect flow is this:

open-webui-1           | 2026-04-06 22:44:05.792 | ERROR    | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined

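This variable doesn't even appear defined (cookie_expires): https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/utils/oauth.py#L1686

Looks like it was introduced here: https://github.com/open-webui/open-webui/commit/bb3526f4e4d36e4e9d99c5f8c57f34c68ce76397#r181648930 @tjbck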

Additional Information

none

GiteaMirror added the bug label 2026-04-20 02:34:03 -05:00
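
For operators checking whether a deployment hits the failure reported above, the following scans container logs for the quoted error and groups hits by reason. It is an added example, not part of the original issue or Open WebUI's code; the log layout is inferred from the single line quoted in the report, and the function names and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Loguru-style layout inferred from the one line quoted in the report:
#   [container | ] timestamp | LEVEL | module:function:line - message
LINE_RE = re.compile(
    r"^(?:(?P<container>\S+)\s+\|\s+)?"  # optional docker compose prefix
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\|\s+"
    r"(?P<level>[A-Z]+)\s+\|\s+"
    r"(?P<module>[\w.]+):(?P<func>\w+):(?P<lineno>\d+)\s+-\s+"
    r"(?P<msg>.*)$"
)
MARKER = "Failed to store OAuth session server-side:"

def find_session_store_failures(lines):
    """Return one dict per ERROR line reporting a failed session store."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "ERROR" or MARKER not in m["msg"]:
            continue
        hits.append({
            "ts": m["ts"],
            "container": m["container"],  # None when there is no prefix
            "where": "{}:{}:{}".format(m["module"], m["func"], m["lineno"]),
            "reason": m["msg"].split(MARKER, 1)[1].strip(),
        })
    return hits

def summarize(hits):
    """Count failures per reason so a recurring cause stands out."""
    return Counter(h["reason"] for h in hits)

SAMPLE_LINES = [
    # Line 1 is quoted from the report; lines 2 and 3 are constructed.
    "open-webui-1           | 2026-04-06 22:44:05.792 | ERROR    | "
    "open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth "
    "session server-side: name 'cookie_expires' is not defined",
    "open-webui-1           | 2026-04-06 22:44:05.101 | INFO     | "
    "example.module:some_func:10 - constructed sample line",
    "2026-04-06 22:50:00.000 | ERROR    | example.module:some_func:20 - "
    "Failed to store OAuth session server-side: constructed reason",
]

if __name__ == "__main__":
    for reason, count in summarize(find_session_store_failures(SAMPLE_LINES)).items():
        print(count, reason)
```
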

@bitsofinfo commented on GitHub (Apr 6, 2026):

Image Image

@HenriqueMendesCoelho commented on GitHub (Apr 7, 2026):

I'm experiencing the same issue. Downgrading to v0.8.10 fixed it for me.


@pedro-inf-custodio commented on GitHub (Apr 7, 2026):

> I'm experiencing the same issue. Downgrading to v0.8.10 fixed it for me.

Me too, also downgrading to v0.8.10.
Note: I'm using Microsoft Entra ID.


@tjbck commented on GitHub (Apr 12, 2026):

Duplicate. Addressed in dev.


@roller100 commented on GitHub (Apr 18, 2026):

Thanks to the Open WebUI team and to everyone who raised and narrowed this issue.

These threads were very helpful in tracking down and resolving our own authentication problems around oauth_session_id / system_oauth.

For anyone who is temporarily stuck on v0.8.11 / v0.8.12 while the fix works its way through the normal release cycle, we wrote up the minimal interim hotfix we used here:
https://github.com/BearingNode/bn-open-webui/issues/7

That note keeps the details public-safe and shows the smallest callback-path patch / Docker overlay we found useful in the interim.

Appreciate the issue reports and the fact that the fix is already tracked upstream.

Reference: github-starred/open-webui#19989