[PR #16651] [CLOSED] Feat: MCP Client Framework with Dynamic oAuth 2.1 #24197

Closed
opened 2026-04-20 05:16:56 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/16651
Author: @elabbarw
Created: 8/15/2025
Status: Closed

Base: devHead: mcp_feature


📝 Commits (10+)

  • aa63646 feat: implement MCP (Model Context Protocol) integration with server management, OAuth handling, and UI components
  • 06e1b7c chore: update CHANGELOG for MCP Framework features and add mcp dependency in pyproject.toml
  • e726db4 Removed mention of going to settings as MCP is now in Workspace.
  • cdd6760 Remove references to private fork
  • 8b69414 fix versioning
  • 54f3898 removed another reference
  • 56da884 fix MCP server access control and validation logic, update UI to default access control for non-admins
  • 613b51d fix for public selection for admin: refactor MCP server access control logic to preserve explicit None for admins and remove default visibility sync in UI
  • e69849d update OAuth flow to create permanent server directly and remove the complexity of managing temporary servers in Redis.
  • e047d24 post redis removal: enhance OAuth flow to immediately start authorization process and handle errors by cleaning up created servers

📊 Changes

62 files changed (+11632 additions, -34 deletions)

View changed files

📝 .gitignore (+1 -0)
📝 CHANGELOG.md (+7 -0)
MCP_IMPLEMENTATION.md (+164 -0)
📝 README.md (+3 -1)
📝 backend/open_webui/config.py (+14 -0)
📝 backend/open_webui/main.py (+19 -1)
backend/open_webui/migrations/versions/5b1a2c3d4e5f_add_mcp_servers.py (+61 -0)
backend/open_webui/models/mcp_servers.py (+542 -0)
📝 backend/open_webui/routers/configs.py (+39 -0)
backend/open_webui/routers/mcp_oauth.py (+665 -0)
backend/open_webui/routers/mcp_oauth_modules/__init__.py (+8 -0)
backend/open_webui/routers/mcp_oauth_modules/discovery_endpoints.py (+178 -0)
backend/open_webui/routers/mcp_oauth_modules/flow_endpoints.py (+259 -0)
backend/open_webui/routers/mcp_oauth_modules/management_endpoints.py (+304 -0)
backend/open_webui/routers/mcp_servers.py (+734 -0)
backend/open_webui/routers/mcp_tools.py (+245 -0)
📝 backend/open_webui/routers/tools.py (+78 -4)
📝 backend/open_webui/utils/access_control.py (+4 -2)
📝 backend/open_webui/utils/auth.py (+32 -0)
backend/open_webui/utils/mcp/__init__.py (+34 -0)

...and 42 more files

📄 Description

Please accept my humble contribution @tjbck . I appreciate everything that you've done for this community. It might not be 100% perfect but i think it's a good start!

Please let me know what's missing. I can start working on documentation and tests.

I'll submit this as a draft PR

Wanis

Pull Request Checklist

Target branch: Using Dev branch

  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources? Not yet
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation? Yes, mcp==1.12.3
  • Testing: Have you written and run sufficient tests to validate the changes? Not yet
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? As much as i could but i would appreciate support to make sure it is OWUI-friendly

Changelog Entry

Description

The MCP framework lets Open WebUI connect to external MCP servers and use their tools inside chats.

  • Server management: Add, edit, test, toggle, and delete MCP servers (HTTP Stream). Visibility uses OWUI ACLs: public (access_control: null), private ({}), or group‑shared.
  • OAuth 2.1: Discovery/DCR/manual config, encrypted tokens, auto refresh on calls, and structured auth challenges (401) that open an in‑app modal with retry.
  • Tool integration: Server tools are synced into the native Tools registry as OpenAI‑style functions, auto‑refreshed on create/update/toggle or on demand per server.
  • Chat/runtime: Middleware injects MCP tools at request time; errors become “elicitation” events so the UI can prompt for authentication and then retry seamlessly.
  • Security controls: Admin domain allowlist enforces which MCP server URLs can be added; headers and OAuth data are encrypted at rest.
  • UI components: Workspace server manager and modal (with ACL “Visibility & Permissions”), Dynamic OAuth configurator, Auth Challenge modal, and chat server selector.

Added

  • MCP Framework (opt-in through Admin -> General):
    • MCP server CRUD operations, manual headers, testing, and tool synchronization
    • OAuth integration with discovery (WWW-Authenticate, OIDC), manual/direct configuration, Dynamic Client Registration (DCR)
    • Mid-chat authentication handling with token auto-refresh and reauthentication prompts
    • Tools synchronization to database with conversion to function-calling and runtime execution
    • Admin-only MCP allowlist panel in Admin → Settings → MCP Servers

Additional Information

Screenshots or Videos

image image image image image

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/16651 **Author:** [@elabbarw](https://github.com/elabbarw) **Created:** 8/15/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `mcp_feature` --- ### 📝 Commits (10+) - [`aa63646`](https://github.com/open-webui/open-webui/commit/aa63646acb2028e7a69de8a55de0d173c46f76d4) feat: implement MCP (Model Context Protocol) integration with server management, OAuth handling, and UI components - [`06e1b7c`](https://github.com/open-webui/open-webui/commit/06e1b7cc488c730d5b92cd15b79b27d8e1f21cf6) chore: update CHANGELOG for MCP Framework features and add mcp dependency in pyproject.toml - [`e726db4`](https://github.com/open-webui/open-webui/commit/e726db41bdf91dc5911f5e2f28f0fe32d989a085) Removed mention of going to settings as MCP is now in Workspace. - [`cdd6760`](https://github.com/open-webui/open-webui/commit/cdd67602c9117ffd6e22fbe14f9f7f69d1230e2d) Remove references to private fork - [`8b69414`](https://github.com/open-webui/open-webui/commit/8b6941478d8b7056bafd8163754573bda0dab13f) fix versioning - [`54f3898`](https://github.com/open-webui/open-webui/commit/54f3898c1610e46f13ba440d5896fb9c98286dbe) removed another reference - [`56da884`](https://github.com/open-webui/open-webui/commit/56da884a072da250983340ef8666c46b0d971ca7) fix MCP server access control and validation logic, update UI to default access control for non-admins - [`613b51d`](https://github.com/open-webui/open-webui/commit/613b51dbc6dee609fd41bbd69e748f3946f804f9) fix for public selection for admin: refactor MCP server access control logic to preserve explicit None for admins and remove default visibility sync in UI - [`e69849d`](https://github.com/open-webui/open-webui/commit/e69849d4646bdf3ac989a9297ef09b369f0426c2) update OAuth flow to create permanent server directly and remove the complexity of managing temporary servers in Redis. - [`e047d24`](https://github.com/open-webui/open-webui/commit/e047d24dbc3f92e9bd50614184b35909343c8dec) post redis removal: enhance OAuth flow to immediately start authorization process and handle errors by cleaning up created servers ### 📊 Changes **62 files changed** (+11632 additions, -34 deletions) <details> <summary>View changed files</summary> 📝 `.gitignore` (+1 -0) 📝 `CHANGELOG.md` (+7 -0) ➕ `MCP_IMPLEMENTATION.md` (+164 -0) 📝 `README.md` (+3 -1) 📝 `backend/open_webui/config.py` (+14 -0) 📝 `backend/open_webui/main.py` (+19 -1) ➕ `backend/open_webui/migrations/versions/5b1a2c3d4e5f_add_mcp_servers.py` (+61 -0) ➕ `backend/open_webui/models/mcp_servers.py` (+542 -0) 📝 `backend/open_webui/routers/configs.py` (+39 -0) ➕ `backend/open_webui/routers/mcp_oauth.py` (+665 -0) ➕ `backend/open_webui/routers/mcp_oauth_modules/__init__.py` (+8 -0) ➕ `backend/open_webui/routers/mcp_oauth_modules/discovery_endpoints.py` (+178 -0) ➕ `backend/open_webui/routers/mcp_oauth_modules/flow_endpoints.py` (+259 -0) ➕ `backend/open_webui/routers/mcp_oauth_modules/management_endpoints.py` (+304 -0) ➕ `backend/open_webui/routers/mcp_servers.py` (+734 -0) ➕ `backend/open_webui/routers/mcp_tools.py` (+245 -0) 📝 `backend/open_webui/routers/tools.py` (+78 -4) 📝 `backend/open_webui/utils/access_control.py` (+4 -2) 📝 `backend/open_webui/utils/auth.py` (+32 -0) ➕ `backend/open_webui/utils/mcp/__init__.py` (+34 -0) _...and 42 more files_ </details> ### 📄 Description Please accept my humble contribution @tjbck . I appreciate everything that you've done for this community. It might not be 100% perfect but i think it's a good start! Please let me know what's missing. I can start working on documentation and tests. I'll submit this as a draft PR Wanis # Pull Request Checklist **Target branch:** Using Dev branch - [ ] **Documentation:** Have you updated relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs), or other documentation sources? Not yet - [ ] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? Yes, mcp==1.12.3 - [ ] **Testing:** Have you written and run sufficient tests to validate the changes? Not yet - [ ] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? As much as i could but i would appreciate support to make sure it is OWUI-friendly # Changelog Entry ### Description The MCP framework lets Open WebUI connect to external MCP servers and use their tools inside chats. - **Server management**: Add, edit, test, toggle, and delete MCP servers (HTTP Stream). Visibility uses OWUI ACLs: public (`access_control: null`), private (`{}`), or group‑shared. - **OAuth 2.1**: Discovery/DCR/manual config, encrypted tokens, auto refresh on calls, and structured auth challenges (401) that open an in‑app modal with retry. - **Tool integration**: Server tools are synced into the native Tools registry as OpenAI‑style functions, auto‑refreshed on create/update/toggle or on demand per server. - **Chat/runtime**: Middleware injects MCP tools at request time; errors become “elicitation” events so the UI can prompt for authentication and then retry seamlessly. - **Security controls**: Admin **domain allowlist** enforces which MCP server URLs can be added; headers and OAuth data are encrypted at rest. - **UI components**: Workspace server manager and modal (with ACL “Visibility & Permissions”), Dynamic OAuth configurator, Auth Challenge modal, and chat server selector. ### Added - **MCP Framework** (opt-in through Admin -> General): - MCP server CRUD operations, manual headers, testing, and tool synchronization - OAuth integration with discovery (WWW-Authenticate, OIDC), manual/direct configuration, Dynamic Client Registration (DCR) - Mid-chat authentication handling with token auto-refresh and reauthentication prompts - Tools synchronization to database with conversion to function-calling and runtime execution - Admin-only MCP allowlist panel in Admin → Settings → MCP Servers ### Additional Information - Discussion: https://github.com/open-webui/open-webui/discussions/16238 ### Screenshots or Videos <img width="1389" height="228" alt="image" src="https://github.com/user-attachments/assets/3bf04b33-c4d6-4a1f-bf6f-9525c748315e" /> <img width="1718" height="522" alt="image" src="https://github.com/user-attachments/assets/e61b0ee2-e4dd-420d-a615-5fc8004487f2" /> <img width="955" height="416" alt="image" src="https://github.com/user-attachments/assets/c7e3b681-33cd-4416-855a-8f6b873b92e4" /> <img width="542" height="861" alt="image" src="https://github.com/user-attachments/assets/2e0be0bb-c923-4567-a3eb-59478317dfae" /> <img width="904" height="710" alt="image" src="https://github.com/user-attachments/assets/9e697309-9e2f-405a-9528-30e62281ed8b" /> ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 05:16:56 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#24197