[GH-ISSUE #23668] Bug: admin-configured scopes overridden by discovered scopes_supported in static-credential OAuth flow #20040

Closed
opened 2026-04-20 02:37:21 -05:00 by GiteaMirror · 1 comment

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23668

Summary

In get_oauth_client_info_with_static_credentials, the scope value is unconditionally set from the authorization server's scopes_supported metadata when available. This silently overrides any custom scope string the admin supplied when registering the tool server.

For setups that rely on scope bundling (e.g. registering multiple MCP servers backed by the same Entra AD app, so one consent grants access to all of them — Calendar + Mail + User in a typical M365 deployment), this override means the authorization request ends up with only the generic discovered scopes (e.g. openid profile offline_access) and omits the custom resource scopes. Users get prompted for consent multiple times, or the resulting access token is missing the required audiences.

Location

backend/open_webui/utils/oauth.py around lines 478–481:

```python
scope = None
# Discovered metadata wins unconditionally: whenever scopes_supported is present,
# it replaces the scope string the admin configured for the tool server.
if oauth_server_metadata and oauth_server_metadata.scopes_supported:
    scope = ' '.join(oauth_server_metadata.scopes_supported)
```

Impact

  • Breaks the "one consent, N MCP servers" pattern for M365 / Entra ID integrations.
  • Silently drops admin-chosen scopes with no warning.

Suggested fix

Prefer the admin-provided scope if one was supplied; fall back to discovered scopes_supported only when no explicit scope exists. Log when metadata-discovered scopes are being used so the behaviour is visible.
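The two behaviours side by side, as an added illustration rather than code from the open-webui project: `resolve_scope_buggy` models the override described above, `resolve_scope_fixed` the suggested precedence-plus-logging rule, and `missing_scopes` shows which admin-chosen scopes silently drop out of the authorization request. The metadata and the bundled Calendar/Mail/User scope string are constructed sample values, and all function names are hypothetical.

```python
from __future__ import annotations
import logging
from dataclasses import dataclass, field

log = logging.getLogger(__name__)


@dataclass
class ServerMetadata:
    # Only the RFC 8414 field that matters for this bug
    scopes_supported: list[str] = field(default_factory=list)


def resolve_scope_buggy(admin_scope: str | None, metadata: ServerMetadata | None) -> str | None:
    """Reported behaviour: discovered scopes clobber whatever the admin configured."""
    scope = admin_scope
    if metadata and metadata.scopes_supported:
        scope = " ".join(metadata.scopes_supported)  # admin_scope is lost here
    return scope


def resolve_scope_fixed(admin_scope: str | None, metadata: ServerMetadata | None) -> str | None:
    """Suggested fix: explicit admin scope wins; metadata is a logged fallback."""
    if admin_scope and admin_scope.strip():
        return " ".join(admin_scope.split())  # normalise whitespace, keep order
    if metadata and metadata.scopes_supported:
        scope = " ".join(metadata.scopes_supported)
        log.info("No admin scope configured; using scopes_supported from metadata: %s", scope)
        return scope
    return None


def missing_scopes(requested: str | None, required: str) -> list[str]:
    """Scopes the admin asked for that are absent from the request actually sent."""
    sent = set((requested or "").split())
    return [s for s in required.split() if s not in sent]


# Constructed sample: Entra ID-style metadata plus one bundled scope string that
# covers several MCP servers behind the same app registration (hypothetical values).
ENTRA_METADATA = ServerMetadata(scopes_supported=["openid", "profile", "offline_access"])
ADMIN_SCOPE = "openid profile offline_access Calendars.Read Mail.Read User.Read"

if __name__ == "__main__":
    sent = resolve_scope_buggy(ADMIN_SCOPE, ENTRA_METADATA)
    print("buggy request scope:", sent)
    print("dropped by override:", missing_scopes(sent, ADMIN_SCOPE))
    print("fixed request scope:", resolve_scope_fixed(ADMIN_SCOPE, ENTRA_METADATA))
```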


@tjbck commented on GitHub (Apr 17, 2026):

Likely addressed with 349ea4ea9e.

Dynamic OAuth 2.1 should be used in general.

Reference: github-starred/open-webui#20040