github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[PR #21048] [CLOSED] feat: Enable OAuth token forwarding with configurable token type for OpenAI-compatible backends #25901

New Issue
Closed
opened 2026-04-20 06:11:37 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:11:37 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21048
Author: @pivu-sbab
Created: 1/29/2026
Status: Closed

Base: devHead: feat/conf-oauth-token-forward

📝 Commits (10+)

📊 Changes

3 files changed (+34 additions, -15 deletions)

View changed files

📝 backend/open_webui/config.py (+8 -1)
📝 backend/open_webui/routers/openai.py (+8 -8)
📝 src/lib/components/AddConnectionModal.svelte (+18 -6)

📄 Description

Description

Enhances the OAuth integration by allowing system OAuth tokens (access_token or id_token) to be forwarded to OpenAI-compatible backend services. This enables backend services to receive the OAuth token and implement custom authorization logic based on token claims (such as user groups, roles, etc.) for /v1/models and /v1/chat/completions endpoints.

Dependencies

No new dependencies.

Testing

  • Verified backward compatibility with existing bearer token configurations
  • Tested access_token forwarding (default behavior)
  • Tested id_token forwarding with Microsoft Entra ID
  • Confirmed environment variable configuration parsing
  • Validated Admin Panel UI functionality (see the ID Token option)
admin-panel-ui

Configuration example, either as an environment variable:

OPENAI_API_CONFIGS='{"0": {"auth_type": "system_oauth", "token_type": "id_token"}}'

Or through the Admin Panel:

  • Settings » Connections » Add Connection (/admin/settings/connections)

I have confirmed that my OpenAI service receives either the access_token (by default) or the id_token (if configured like above).

Agentic AI Code and Code Review

AI has been used, but all suggestion has been rewritten and modified by me (human). Everything has also been manually tested by me, and code reviewed by two other colleagues in my team.

We have strived to have the most minimal git diff that fulfills the needs for this feature, no more, no less.

Changelog

Description

(See PR description above)

Added

  • Added token_type configuration option to the system_oauth authentication, supporting both access_token (default) and id_token
  • Added JSON parsing support for the OPENAI_API_CONFIGS environment variable, used in containerized deployments
  • Added token_type dropdown in the connection configuration modal (Settings » Connections » Add Connection (/admin/settings/connections)) with "Access Token" and "ID Token" options

Changed

  • Refactored send_get_request() to re-use get_headers_and_cookies(), instead of using the hardcoded Bearer key.
  • Updated system_oauth authentication to support configurable token type selection, allowing backend OpenAI services to receive OAuth Access tokens or ID tokens

Breaking Changes

  • None: All changes maintain full backward compatibility. Existing configurations continue to work without modification, token_type defaults to access_token when not specified, and OPENAI_API_CONFIGS parsing gracefully falls back to empty configuration on errors

Additional Information

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21048 **Author:** [@pivu-sbab](https://github.com/pivu-sbab) **Created:** 1/29/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `feat/conf-oauth-token-forward` --- ### 📝 Commits (10+) - [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev - [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev - [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev - [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev - [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev - [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev - [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev - [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093) - [`6adde20`](https://github.com/open-webui/open-webui/commit/6adde203cd292a9e3af9c64a2ae36b603fed096a) Merge pull request #20394 from open-webui/dev - [`f9b0534`](https://github.com/open-webui/open-webui/commit/f9b0534e0c442631d1cb7205169588b9b6204179) Merge pull request #20522 from open-webui/dev ### 📊 Changes **3 files changed** (+34 additions, -15 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+8 -1) 📝 `backend/open_webui/routers/openai.py` (+8 -8) 📝 `src/lib/components/AddConnectionModal.svelte` (+18 -6) </details> ### 📄 Description ## ✅ Description Enhances the OAuth integration by allowing system OAuth tokens (`access_token` or `id_token`) to be forwarded to OpenAI-compatible backend services. This enables backend services to receive the OAuth token and implement custom authorization logic based on token claims (such as user groups, roles, etc.) for `/v1/models` and `/v1/chat/completions` endpoints. ## ✅ Dependencies No new dependencies. ## ✅ Testing - Verified backward compatibility with existing bearer token configurations - Tested access_token forwarding (default behavior) - Tested id_token forwarding with Microsoft Entra ID - Confirmed environment variable configuration parsing - Validated Admin Panel UI functionality (see the `ID Token` option) <img width="1708" height="659" alt="admin-panel-ui" src="https://github.com/user-attachments/assets/a85402f6-068a-4e73-8572-7bef531155e1" /> Configuration example, either as an environment variable: ```bash OPENAI_API_CONFIGS='{"0": {"auth_type": "system_oauth", "token_type": "id_token"}}' ``` Or through the Admin Panel: - Settings » Connections » Add Connection (/admin/settings/connections) I have confirmed that my OpenAI service receives either the access_token (by default) or the id_token (if configured like above). ## ✅ Agentic AI Code and Code Review AI has been used, but all suggestion has been rewritten and modified by me (human). Everything has also been manually tested by me, and code reviewed by two other colleagues in my team. We have strived to have the most minimal git diff that fulfills the needs for this feature, no more, no less. ## ✅ Changelog ### Description (See PR description above) ### Added - Added `token_type` configuration option to the `system_oauth` authentication, supporting both `access_token` (default) and `id_token` - Added JSON parsing support for the `OPENAI_API_CONFIGS` environment variable, used in containerized deployments - Added token_type dropdown in the connection configuration modal (Settings » Connections » Add Connection (/admin/settings/connections)) with "Access Token" and "ID Token" options ### Changed - Refactored `send_get_request()` to re-use `get_headers_and_cookies()`, instead of using the hardcoded Bearer key. - Updated `system_oauth` authentication to support configurable token type selection, allowing backend OpenAI services to receive OAuth Access tokens or ID tokens ### Breaking Changes - **None**: All changes maintain full backward compatibility. Existing configurations continue to work without modification, `token_type` defaults to `access_token` when not specified, and `OPENAI_API_CONFIGS` parsing gracefully falls back to empty configuration on errors ## ✅ Additional Information - Related PR/discussions - https://github.com/open-webui/open-webui/pull/9673 - https://github.com/open-webui/open-webui/discussions/8957 ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:11:37 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#25901
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?