github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[PR #14943] [MERGED] Fix double‐slash (//auth) in OAuth callback redirect #23654

New Issue
Closed
opened 2026-04-20 04:56:47 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 04:56:47 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/14943
Author: @jk-f5
Created: 6/12/2025
Status: Merged
Merged: 6/13/2025
Merged by: @tjbck

Base: devHead: fix/oauth

📝 Commits (1)

  • fced3ef fix: Trailing slash was never removed from request.base_url because it's not a string but rather a starlette.datastructures.URL

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 backend/open_webui/utils/oauth.py (+1 -1)

📄 Description

Summary

Convert the value used to build the OAuth callback redirect URL to a plain string so that a trailing slash can be trimmed correctly. This prevents the generated redirect from containing two slashes (e.g. https://host//auth) which breaks login when Azure AD / Microsoft OAuth is used.

Background

backend/open_webui/utils/oauth.py constructs the post-login redirect like this:

redirect_base_url = request.app.state.config.WEBUI_URL or request.base_url
if isinstance(redirect_base_url, str) and redirect_base_url.endswith('/'):
    redirect_base_url = redirect_base_url[:-1]
redirect_url = f"{redirect_base_url}/auth#token={jwt_token}"

request.base_url is a starlette.datastructures.URL object, not a str. When WEBUI_URL is unset and the code falls back to request.base_url, the isinstance(..., str) check fails, so the trailing slash is not removed. After implicit string conversion we end up with ...//auth.

Changelog Entry

  • fix: double‐slash (//auth) in OAuth callback redirect

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/14943 **Author:** [@jk-f5](https://github.com/jk-f5) **Created:** 6/12/2025 **Status:** ✅ Merged **Merged:** 6/13/2025 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix/oauth` --- ### 📝 Commits (1) - [`fced3ef`](https://github.com/open-webui/open-webui/commit/fced3efd9840990c7afdb81d434e72f08d2d38c2) fix: Trailing slash was never removed from request.base_url because it's not a string but rather a starlette.datastructures.URL ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/oauth.py` (+1 -1) </details> ### 📄 Description #### Summary Convert the value used to build the OAuth callback redirect URL to a plain string so that a trailing slash can be trimmed correctly. This prevents the generated redirect from containing two slashes (e.g. `https://host//auth`) which breaks login when Azure AD / Microsoft OAuth is used. #### Background `backend/open_webui/utils/oauth.py` constructs the post-login redirect like this: ```python redirect_base_url = request.app.state.config.WEBUI_URL or request.base_url if isinstance(redirect_base_url, str) and redirect_base_url.endswith('/'): redirect_base_url = redirect_base_url[:-1] redirect_url = f"{redirect_base_url}/auth#token={jwt_token}" ``` `request.base_url` is a `starlette.datastructures.URL` object, not a `str`. When `WEBUI_URL` is unset and the code falls back to `request.base_url`, the `isinstance(..., str)` check fails, so the trailing slash is **not** removed. After implicit string conversion we end up with `...//auth`. # Changelog Entry - fix: double‐slash (//auth) in OAuth callback redirect ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 04:56:47 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#23654
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?