github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 02:48:13 -05:00
Code Issues 1.1k Packages Projects Releases 126 Wiki Activity

[PR #22619] [CLOSED] fix(oauth): sync group membership for admin users #26784

New Issue
Closed
opened 2026-04-20 06:42:35 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:42:35 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22619
Author: @gambletan
Created: 3/12/2026
Status: Closed

Base: mainHead: fix/oauth-admin-group-sync

📝 Commits (1)

  • 63713f7 fix(oauth): sync group membership for admin users

📊 Changes

1 file changed (+1 additions, -4 deletions)

View changed files

📝 backend/open_webui/utils/oauth.py (+1 -4)

📄 Description

Summary

  • Removes the user.role != "admin" guard in oauth.py that prevented update_user_groups from being called for admin users
  • When ENABLE_OAUTH_GROUP_MANAGEMENT=true, group membership is now synced from the OAuth provider for all users including admins, on every login
  • No change in behavior for non-admin users

Fixes #22527

Root cause

In OAuthManager.handle_callback, after the JWT token is created, group sync was conditionally skipped for admin users:

# before
if (
    auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT
    and user.role != "admin"
):
    self.update_user_groups(...)

# after
if auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT:
    self.update_user_groups(...)

The user.role != "admin" condition has no documented rationale and directly contradicts the expected behavior: admins should also have their OAuth group memberships reflected in Open WebUI.

Test plan

  • Login as a non-admin user with ENABLE_OAUTH_GROUP_MANAGEMENT=true — groups still sync correctly
  • Login as an admin user — groups now sync from the OAuth provider
  • With ENABLE_OAUTH_GROUP_MANAGEMENT=false — no group sync for any user (unchanged)
  • Add admin user to a new group in the OAuth provider, log out and back in — group appears in Open WebUI

🤖 Generated with Claude Code

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22619 **Author:** [@gambletan](https://github.com/gambletan) **Created:** 3/12/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/oauth-admin-group-sync` --- ### 📝 Commits (1) - [`63713f7`](https://github.com/open-webui/open-webui/commit/63713f748d68c4f0d78fe393a04e675fd43d836d) fix(oauth): sync group membership for admin users ### 📊 Changes **1 file changed** (+1 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/oauth.py` (+1 -4) </details> ### 📄 Description ## Summary - Removes the `user.role != "admin"` guard in `oauth.py` that prevented `update_user_groups` from being called for admin users - When `ENABLE_OAUTH_GROUP_MANAGEMENT=true`, group membership is now synced from the OAuth provider for **all** users including admins, on every login - No change in behavior for non-admin users Fixes #22527 ## Root cause In `OAuthManager.handle_callback`, after the JWT token is created, group sync was conditionally skipped for admin users: ```python # before if ( auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT and user.role != "admin" ): self.update_user_groups(...) # after if auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT: self.update_user_groups(...) ``` The `user.role != "admin"` condition has no documented rationale and directly contradicts the expected behavior: admins should also have their OAuth group memberships reflected in Open WebUI. ## Test plan - [ ] Login as a non-admin user with `ENABLE_OAUTH_GROUP_MANAGEMENT=true` — groups still sync correctly - [ ] Login as an admin user — groups now sync from the OAuth provider - [ ] With `ENABLE_OAUTH_GROUP_MANAGEMENT=false` — no group sync for any user (unchanged) - [ ] Add admin user to a new group in the OAuth provider, log out and back in — group appears in Open WebUI 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:42:35 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#26784
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?