[PR #8978] [MERGED] fix: Separate cookie configuration between session & auth cookies to prevent oauth flow from breaking #22299

Closed
opened 2026-04-20 04:03:37 -05:00 by GiteaMirror · 0 comments
📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/8978
Author: @antpyykk-kone
Created: 1/27/2025
Status: Merged
Merged: 1/27/2025
Merged by: @tjbck

Base: dev ← Head: feature/separate-auth-cookie-config


📝 Commits (1)

  • 412923d feat: separate cookie settings between session & auth cookies (https://github.com/open-webui/open-webui/commit/412923dc915065fd264228ad18db7991db88b7dd)

📊 Changes

3 files changed (+22 additions, -21 deletions)

📝 backend/open_webui/env.py (+9 -8)
📝 backend/open_webui/routers/auths.py (+8 -8)
📝 backend/open_webui/utils/oauth.py (+5 -5)

📄 Description

This PR introduces two new env variables to enable more granular control over cookie security settings. This is to fix an issue with the WEBUI_SESSION_COOKIE_SAME_SITE, which could break the oauth flow when the value was set as strict.

Setting the original SameSite config option as strict increases security by preventing cookies from being accessed via cross-site requests. This is especially useful for authentication related cookies.

However, the strict mode would also prevent the oauth flow from working, since the session cookie (oui-session) is required after a successful callback (see for example discussion https://github.com/open-webui/open-webui/discussions/4604).

The underlying authlib would throw an error regarding MismatchingStateError as it could not access the oui-session cookie set by the SessionMiddleware (https://github.com/open-webui/open-webui/blob/b72150c881955721a63ae7f4ea1b9ea293816fc1/backend/open_webui/main.py#L1097-L1105).

To still be able to use the strict mode for auth cookies, while also enabling the session cookie to be accessed after the oauth callback, we introduce two new config options to control them in a more granular fashion.
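As an added illustration, not code from the PR or from Open WebUI, here is a small Python model of the fallback rule the description lays out and of why a strict session cookie loses the OAuth state on the callback. The function names, the default values and the one-line browser rule are assumptions made for the example.

```python
# Added example (not code from the PR or from Open WebUI): a model of the
# env-var fallback the PR describes and of why a strict session cookie breaks
# the OAuth callback. Function names and defaults here are hypothetical.
from typing import Dict, Mapping

CookieCfg = Dict[str, Dict[str, object]]

def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"

def resolve_cookie_config(env: Mapping[str, str]) -> CookieCfg:
    """Auth-cookie settings fall back to the session-cookie ones when unset."""
    session_same_site = env.get("WEBUI_SESSION_COOKIE_SAME_SITE", "lax").lower()
    session_secure = _truthy(env.get("WEBUI_SESSION_COOKIE_SECURE", "false"))
    auth_same_site = env.get("WEBUI_AUTH_COOKIE_SAME_SITE", session_same_site).lower()
    auth_secure = _truthy(env.get("WEBUI_AUTH_COOKIE_SECURE", str(session_secure)))
    for name, same_site, secure in (("session", session_same_site, session_secure),
                                    ("auth", auth_same_site, auth_secure)):
        if same_site not in ("strict", "lax", "none"):
            raise ValueError(f"{name}: invalid SameSite value {same_site!r}")
        if same_site == "none" and not secure:
            raise ValueError(f"{name}: SameSite=None requires the Secure flag")
    return {"session": {"same_site": session_same_site, "secure": session_secure},
            "auth": {"same_site": auth_same_site, "secure": auth_secure}}

def cookie_sent(same_site: str, cross_site_top_level_get: bool) -> bool:
    """Simplified browser rule: a cross-site top-level GET (the IdP redirecting
    the user back to the callback URL) carries lax and none cookies, never
    strict ones; a same-site request carries all of them."""
    if not cross_site_top_level_get:
        return True
    return same_site in ("lax", "none")

def oauth_callback_outcome(cfg: CookieCfg, state_in_url: str, state_in_session: str) -> str:
    """Mimics authlib's state check: the expected state lives in the oui-session
    cookie, so if that cookie is withheld the comparison cannot succeed."""
    if not cookie_sent(cfg["session"]["same_site"], cross_site_top_level_get=True):
        return "MismatchingStateError"  # session (and its CSRF state) missing
    if state_in_url != state_in_session:
        return "MismatchingStateError"
    return "ok"

def app_request_has_token(cfg: CookieCfg) -> bool:
    """After the callback the app redirects to its own origin; that same-site
    request carries the token cookie even when it is SameSite=strict."""
    return cookie_sent(cfg["auth"]["same_site"], cross_site_top_level_get=False)
```

With the session cookie left at lax and only the auth cookies set to strict, the callback succeeds and the later same-site request still carries the token; setting the session cookie itself to strict reproduces the MismatchingStateError described above.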


Pull Request Checklist

  • [x] Target branch: Please verify that the pull request targets the dev branch.
  • [x] Description: Provide a concise description of the changes made in this pull request.
  • [x] Changelog: Ensure a changelog entry following the format of Keep a Changelog (https://keepachangelog.com/) is added at the bottom of the PR description.
  • [x] Documentation: Have you updated relevant documentation (Open WebUI Docs, https://github.com/open-webui/docs) or other documentation sources?
  • [ ] Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • [ ] Testing: Have you written and run sufficient tests for validating the changes?
  • [ ] Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • [x] Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

  • Add more granular controls over authentication related cookie security

Added

  • Add new env variables WEBUI_AUTH_COOKIE_SAME_SITE & WEBUI_AUTH_COOKIE_SECURE to control auth related cookie security
  • If not set, use the values from WEBUI_SESSION_COOKIE_SAME_SITE & WEBUI_SESSION_COOKIE_SECURE as fallbacks to maintain backwards compatibility

Changed

  • Use WEBUI_AUTH_COOKIE_SAME_SITE & WEBUI_AUTH_COOKIE_SECURE configuration to control oauth_id_token & token cookie security options

Additional Information

The original configuration options were most likely never intended to be used for all cookies.

  • The original env variables were added in #2574 (see commit af4f8aa). The config variable was clearly named with the intention to only control the session cookie's security.
  • Later the configuration options were extended to also control auth cookies in #6054.
  • Setting the auth tokens' SameSite configuration option as "strict" helps with securing the application better than "lax".
  • However, setting the original session cookie as "strict" causes issues with SSO callbacks, as the session cookie is not available for use once the callback is hit. This results in a "CSRF mismatch" error.
  • See for example discussions https://github.com/open-webui/open-webui/discussions/4604 & https://github.com/open-webui/open-webui/discussions/4233

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
GiteaMirror added the pull-request label 2026-04-20 04:03:37 -05:00
Reference: github-starred/open-webui#22299