github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[PR #21090] [CLOSED] feat(tools): optionally forward OpenWebUI user and chat headers to tool servers #25924

New Issue
Closed
opened 2026-04-20 06:12:39 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:12:39 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21090
Author: @notfolder
Created: 2/1/2026
Status: Closed

Base: devHead: feature/dev-add-user-info-mcp-call

📝 Commits (9)

📊 Changes

2 files changed (+18 additions, -0 deletions)

View changed files

📝 backend/open_webui/utils/middleware.py (+9 -0)
📝 backend/open_webui/utils/tools.py (+9 -0)

📄 Description

Description

This pull request adds an optional mechanism to forward Open WebUI user and chat context as HTTP headers when invoking external tool servers.

Currently, Open WebUI forwards user-related headers (e.g. user ID, chat ID) when proxying requests to OpenAI-compatible LLM endpoints, but the same contextual information is not available to external Tool / OpenAPI servers.
This makes it difficult for tool servers to implement per-user authorization, auditing, rate limiting, or request tracing.

This change introduces a strictly opt-in, backward-compatible enhancement that allows operators to forward selected Open WebUI context headers to tool servers via an environment variable.

Added
• Optional forwarding of the following HTTP headers when executing tools:
• X-OpenWebUI-User-Id
• X-OpenWebUI-Chat-Id
• New environment variable to explicitly enable this behavior:
• ENABLE_FORWARD_USER_INFO_HEADERS_TO_TOOLS

Changed
• Updated tool execution HTTP request construction in:
• backend/open_webui/utils/middleware.py
• backend/open_webui/utils/tools.py
• The tool execution flow now conditionally injects user/chat headers only when explicitly enabled.

Fixed
• N/A

Security
• This feature is disabled by default.
• User-related headers are forwarded only when the operator explicitly enables the environment variable.
• No behavior change occurs for existing installations unless the feature is enabled.
• This mirrors the existing security model used for OpenAI-compatible proxy requests.

Breaking Changes
• None.
This change is fully backward-compatible and opt-in.

Additional Information
• This implementation intentionally mirrors the existing behavior controlled by ENABLE_FORWARD_USER_INFO_HEADERS used in the OpenAI proxy path, ensuring conceptual and operational consistency.
• The change is limited to the tool execution layer and does not affect:
• Tool CRUD APIs
• Frontend behavior
• Existing tool definitions
• Manual testing was performed using a local tool server that logs incoming HTTP headers to verify correct forwarding behavior when enabled and no change when disabled.

Related context:
• Tool servers often require user/chat context for access control and observability.
• This change enables such use cases without imposing new defaults.

Screenshots or Videos
• Not applicable (backend-only change; verified via HTTP request inspection).

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the
Contributor License Agreement (CLA),
and I am providing my contributions under its terms.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21090 **Author:** [@notfolder](https://github.com/notfolder) **Created:** 2/1/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `feature/dev-add-user-info-mcp-call` --- ### 📝 Commits (9) - [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev - [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev - [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev - [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev - [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev - [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev - [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev - [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093) - [`905caf9`](https://github.com/open-webui/open-webui/commit/905caf9ec8cc93bf39bb17d0aad228f7b6e3648b) feat: add user info headers support in mcp tool calling. ### 📊 Changes **2 files changed** (+18 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/middleware.py` (+9 -0) 📝 `backend/open_webui/utils/tools.py` (+9 -0) </details> ### 📄 Description Description This pull request adds an optional mechanism to forward Open WebUI user and chat context as HTTP headers when invoking external tool servers. Currently, Open WebUI forwards user-related headers (e.g. user ID, chat ID) when proxying requests to OpenAI-compatible LLM endpoints, but the same contextual information is not available to external Tool / OpenAPI servers. This makes it difficult for tool servers to implement per-user authorization, auditing, rate limiting, or request tracing. This change introduces a strictly opt-in, backward-compatible enhancement that allows operators to forward selected Open WebUI context headers to tool servers via an environment variable. ⸻ Added • Optional forwarding of the following HTTP headers when executing tools: • X-OpenWebUI-User-Id • X-OpenWebUI-Chat-Id • New environment variable to explicitly enable this behavior: • ENABLE_FORWARD_USER_INFO_HEADERS_TO_TOOLS ⸻ Changed • Updated tool execution HTTP request construction in: • backend/open_webui/utils/middleware.py • backend/open_webui/utils/tools.py • The tool execution flow now conditionally injects user/chat headers only when explicitly enabled. ⸻ Fixed • N/A ⸻ Security • This feature is disabled by default. • User-related headers are forwarded only when the operator explicitly enables the environment variable. • No behavior change occurs for existing installations unless the feature is enabled. • This mirrors the existing security model used for OpenAI-compatible proxy requests. ⸻ Breaking Changes • None. This change is fully backward-compatible and opt-in. ⸻ Additional Information • This implementation intentionally mirrors the existing behavior controlled by ENABLE_FORWARD_USER_INFO_HEADERS used in the OpenAI proxy path, ensuring conceptual and operational consistency. • The change is limited to the tool execution layer and does not affect: • Tool CRUD APIs • Frontend behavior • Existing tool definitions • Manual testing was performed using a local tool server that logs incoming HTTP headers to verify correct forwarding behavior when enabled and no change when disabled. Related context: • Tool servers often require user/chat context for access control and observability. • This change enables such use cases without imposing new defaults. ⸻ Screenshots or Videos • Not applicable (backend-only change; verified via HTTP request inspection). ⸻ ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:12:39 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#25924
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?