github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[PR #22523] [CLOSED] feat: add trusted role header #26738

New Issue
Closed
opened 2026-04-20 06:41:00 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:41:00 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22523
Author: @dometto
Created: 3/10/2026
Status: Closed

Base: devHead: add_trusted_role_header

📝 Commits (10+)

📊 Changes

3 files changed (+16 additions, -0 deletions)

View changed files

📝 backend/open_webui/env.py (+3 -0)
📝 backend/open_webui/main.py (+2 -0)
📝 backend/open_webui/routers/auths.py (+11 -0)

📄 Description

Description

I've not opened a separate discussion because this feature was already requested, and I think improved, in https://github.com/open-webui/open-webui/issues/4858. In my opinion, however, that issue was wrongly closed without implementing the actually intended behavior (see here). Happy to open a new discussion if this is desired.

This PR implements the possibility to determine a user's role (admin, pending, user) at signin, using a trusted header. Open WebUI already has the possibility to handle authentication, and to set groups, using a trusted header. But a new user's role will, at present, always be equal to the DEFAULT_USER_ROLE setting. This means an identity provider cannot pass on info to Open WebUI on whether a user should be an admin or not.

Implementation is very simple: in the /signin route, after checking for the trusted email header and before checking for the trusted groups header, we check for the presence of the configured trusted role header. The user's role is set to this role for the current session, and saved.

Documentation

to be added

[ ] Add docs in Open WebUI Docs Repository. Document user-facing behavior, environment variables, public APIs/interfaces, or deployment steps.

Testing

I run open-webui locally using uv, with the following environment variables:

DEFAULT_USER_ROLE=user WEBUI_AUTH_TRUSTED_ROLE_HEADER=X-Remote-User-Role WEBUI_AUTH_TRUSTED_EMAIL_HEADER=X-Remote-User-Mail uv run open-webui serve

To test the trusted headers, I use the Chrome ModHeader extension.

See screengrab below for video.

Testing locally in Chrome:

  1. Set X-Remote-User-Mail header to testuser@localhost and X-Remote-User-Role to user in ModHeader.
  2. Navigate to http://localhost:8080
  3. Observe that you are logged in as testuser, as a normal user (despite being the first user -- trusted header trumps this).
  4. Set X-Remote-User-Mail header to testuser2@localhost and X-Remote-User-Role to admin in ModHeader.
  5. Navigate to http://localhost:8080
  6. Observe that you are logged in as testuser2, with admin rights (the trusted header trumps the default role of user).
  7. Change the X-Remote-User-Role header in ModHeader to pending.
  8. Logout -> you are redirected to the /. Observe that testuser2 is now pending.

Changelog Entry

Added

🔒 Trusted header for user roles: the WEBUI_AUTH_TRUSTED_ROLE_HEADER environment variable can be used to configure a trusted header that will determine the user's role (admin, user, or pending).

Security

  • When a trusted role header is configured, clients can set admin role using an HTTP header. This requires making sure that the headers are only set by a reverse proxy/identity provider. However, this is already the case for other trusted headers.

Additional Information

  • When the header changes, the role is updated only when a user logs in again (so if logged in as admin, then change header to user, the user will still be admin in their current session).

Screenshots or Videos

openwebui_trustedroles

Contributor License Agreement

  • Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22523 **Author:** [@dometto](https://github.com/dometto) **Created:** 3/10/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `add_trusted_role_header` --- ### 📝 Commits (10+) - [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev - [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev - [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev - [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev - [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev - [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev - [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev - [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093) - [`6adde20`](https://github.com/open-webui/open-webui/commit/6adde203cd292a9e3af9c64a2ae36b603fed096a) Merge pull request #20394 from open-webui/dev - [`f9b0534`](https://github.com/open-webui/open-webui/commit/f9b0534e0c442631d1cb7205169588b9b6204179) Merge pull request #20522 from open-webui/dev ### 📊 Changes **3 files changed** (+16 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/env.py` (+3 -0) 📝 `backend/open_webui/main.py` (+2 -0) 📝 `backend/open_webui/routers/auths.py` (+11 -0) </details> ### 📄 Description ## Description I've not opened a separate discussion because this feature was already requested, and I think improved, in https://github.com/open-webui/open-webui/issues/4858. In my opinion, however, that issue was wrongly closed without implementing the actually intended behavior (see [here](#issuecomment-3951497432)). Happy to open a new discussion if this is desired. This PR implements the possibility to determine a user's role (admin, pending, user) at signin, using a trusted header. Open WebUI already has the possibility to handle authentication, and to set *groups*, using a trusted header. But a new user's role will, at present, always be equal to the `DEFAULT_USER_ROLE` setting. This means an identity provider cannot pass on info to Open WebUI on whether a user should be an admin or not. Implementation is very simple: in the `/signin` route, after checking for the trusted email header and before checking for the trusted groups header, we check for the presence of the configured trusted role header. The user's role is set to this role for the current session, and saved. ## Documentation *to be added* [ ] Add docs in [Open WebUI Docs Repository](https://github.com/open-webui/docs). Document user-facing behavior, environment variables, public APIs/interfaces, or deployment steps. ## Testing I run `open-webui` locally using `uv`, with the following environment variables: `DEFAULT_USER_ROLE=user WEBUI_AUTH_TRUSTED_ROLE_HEADER=X-Remote-User-Role WEBUI_AUTH_TRUSTED_EMAIL_HEADER=X-Remote-User-Mail uv run open-webui serve` To test the trusted headers, I use the Chrome [ModHeader](https://modheader.com/docs/modheader) extension. See screengrab below for video. **Testing locally in Chrome**: 1. Set X-Remote-User-Mail header to `testuser@localhost` and `X-Remote-User-Role` to `user` in ModHeader. 2. Navigate to `http://localhost:8080` 3. Observe that you are logged in as `testuser`, as a normal user (despite being the first user -- trusted header trumps this). 1. Set X-Remote-User-Mail header to `testuser2@localhost` and `X-Remote-User-Role` to `admin` in ModHeader. 2. Navigate to `http://localhost:8080` 3. Observe that you are logged in as `testuser2`, with admin rights (the trusted header trumps the default role of `user`). 4. Change the `X-Remote-User-Role` header in ModHeader to `pending`. 5. Logout -> you are redirected to the `/`. Observe that `testuser2` is now pending. # Changelog Entry ### Added 🔒 **Trusted header for user roles**: the `WEBUI_AUTH_TRUSTED_ROLE_HEADER` environment variable can be used to configure a trusted header that will determine the user's role (admin, user, or pending). ## Security - When a trusted role header is configured, clients can set admin role using an HTTP header. This requires making sure that the headers are only set by a reverse proxy/identity provider. However, this is already the case for other trusted headers. ### Additional Information - When the header changes, the role is updated only when a user logs in again (so if logged in as admin, then change header to user, the user will still be admin in their current session). ### Screenshots or Videos ![openwebui_trustedroles](https://github.com/user-attachments/assets/f41af0c1-4c81-4fa9-9a58-5733f3b72999) ### Contributor License Agreement - [x] **Agentic AI Code:** Confirm this Pull Request is **not written by any AI Agent** or has at least **gone through additional human review AND manual testing**. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR. <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:41:00 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#26738
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?