[PR #23535] [CLOSED] feat: add support for custom SSO/OAuth providers #27243

New Issue

GiteaMirror · 2026-04-20T06:57:11-05:00

GiteaMirror commented

2026-04-20 06:57:11 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23535
Author: @RoryChou-flux
Created: 4/9/2026
Status: ❌ Closed

Base: dev ← Head: feat/custom-sso-providers

📝 Commits (10+)

fe6783c Merge pull request #19030 from open-webui/dev
fc05e0a Merge pull request #19405 from open-webui/dev
e3faec6 Merge pull request #19416 from open-webui/dev
9899293 Merge pull request #19448 from open-webui/dev
140605e Merge pull request #19462 from open-webui/dev
6f1486f Merge pull request #19466 from open-webui/dev
d95f533 Merge pull request #19729 from open-webui/dev
a727153 0.6.43 (#20093)
6adde20 Merge pull request #20394 from open-webui/dev
f9b0534 Merge pull request #20522 from open-webui/dev

📊 Changes

8 files changed (+867 additions, -134 deletions)

View changed files

📝 backend/open_webui/config.py (+134 -1)
📝 backend/open_webui/main.py (+14 -1)
📝 backend/open_webui/routers/auths.py (+133 -0)
📝 backend/open_webui/utils/oauth.py (+41 -18)
📝 src/lib/apis/auths/index.ts (+100 -0)
📝 src/lib/components/admin/Settings.svelte (+4 -1)
📝 src/lib/components/admin/Settings/General.svelte (+364 -2)
📝 src/routes/auth/+page.svelte (+77 -111)

📄 Description

Pull Request Checklist

Target branch: dev
Description: Provided below.
Changelog: Included below.
Documentation: Will add docs if PR is accepted.
Dependencies: No new dependencies.
Testing: Manually tested with real Feishu OAuth — built-in provider login, custom provider login, dual-provider display, per-provider claim overrides, Admin UI CRUD, slug validation, malformed env var graceful fallback.
Agentic AI Code: Human reviewed and manually tested with real Feishu OAuth flow.
Code review: Self-reviewed, also addressed automated code review findings (non-dict entry filtering, slug format validation in loader, sub_claim backward compatibility, duplicate import removal).
Design & Architecture: Extends existing OAuth system with no new settings UI pages — adds a section in existing General settings.
Git Hygiene: Single atomic commit on feature branch, rebased on main.
Title Prefix: feat:

Changelog Entry

Description

Allow administrators to configure multiple custom OAuth/SSO providers at runtime via Admin UI or CUSTOM_OAUTH_PROVIDERS_CONFIG environment variable. This enables use cases like multiple Feishu enterprises, multiple OIDC providers, or any OAuth2-compatible provider — without code changes.

Currently, Open WebUI hardcodes 5 OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu), each limited to a single instance. Users who need multiple instances of the same provider type (e.g., two Feishu apps for different enterprises) must modify source code.

Added

CUSTOM_OAUTH_PROVIDERS_CONFIG PersistentConfig for dynamic custom OAuth provider storage (supports both env var JSON array and Admin UI)
_build_custom_provider_register() helper to create Authlib OAuth clients from config dicts
Admin CRUD API endpoints at /api/v1/auths/admin/config/oauth/custom for managing custom OAuth providers
"Custom SSO Providers" management section in Admin Settings > General with full CRUD UI
Per-provider claim overrides: sub_claim, email_claim, username_claim, picture_claim, email_fallback
provider_type field on all providers to generalize type-specific logic (e.g., Feishu data unwrap)
reload_providers() method on OAuthManager for hot-reloading after config changes
Shared _is_valid_custom_slug() validator used in both env loader and admin API
Dynamic OAuth login button rendering via {#each} loop (replaces hardcoded {#if} blocks)

Changed

/api/config response: oauth.providers values changed from plain strings to objects {name, icon_url, is_custom, provider_type}
Login page OAuth buttons now render dynamically from provider config
Feishu data-unwrap logic generalized via provider_type == 'feishu' instead of provider == 'feishu'
Built-in providers now include name and provider_type fields
Feishu sub_claim fixed from user_id to open_id to match actual Feishu v1 userinfo API response

Deprecated

N/A

Removed

N/A

Fixed

Feishu OAuth login failure due to incorrect sub_claim: user_id — Feishu v1 userinfo endpoint returns open_id, not user_id

Security

Client secrets are redacted (***) in admin API GET responses
Slug validation prevents conflicts with built-in provider names and path-unsafe characters
GitHub email fetch restricted to built-in github provider only (prevents token leak from custom providers)
Malformed CUSTOM_OAUTH_PROVIDERS_CONFIG env var handled gracefully (falls back to empty array with warning)
Non-dict entries in provider config filtered out to prevent 500 errors

Breaking Changes

BREAKING CHANGE: /api/config oauth.providers response format changed from {key: name_string} to {key: {name, icon_url, is_custom, provider_type}}. This only affects the bundled frontend (updated in this PR) and any external consumers of this internal API.

Additional Information

Configuration via environment variable:

CUSTOM_OAUTH_PROVIDERS_CONFIG='[{
  "slug": "feishu-enterprise-b",
  "display_name": "Feishu Enterprise B",
  "provider_type": "feishu",
  "client_id": "cli_xxx",
  "client_secret": "xxx",
  "authorize_url": "https://accounts.feishu.cn/open-apis/authen/v1/authorize",
  "access_token_url": "https://open.feishu.cn/open-apis/authen/v2/oauth/token",
  "userinfo_endpoint": "https://open.feishu.cn/open-apis/authen/v1/user_info",
  "scope": "contact:user.base:readonly",
  "sub_claim": "open_id",
  "email_fallback": true,
  "enabled": true
}]'

No database migration needed — custom provider configs stored in existing config table JSON blob; User.oauth and OAuthSession.provider already support arbitrary keys.

Screenshots or Videos

Tested locally with real Feishu OAuth:

Login page showing both built-in "Feishu" and custom "飞书企业B" buttons simultaneously
Built-in Feishu OAuth login flow completed successfully (redirect → authorization → callback → user created)
Custom feishu-b OAuth flow completed successfully (redirect → authorization → callback → email conflict detected correctly since same test account)
API response verified: {"feishu": {"name": "Feishu", ...}, "feishu-b": {"name": "飞书企业B", "is_custom": true, ...}}

Testing Steps

Started Open WebUI locally with FEISHU_CLIENT_ID + CUSTOM_OAUTH_PROVIDERS_CONFIG (two Feishu providers)
Verified /api/config returns both providers in new object format
Opened login page — both "Feishu" and "飞书企业B" buttons displayed
Clicked "Feishu" → redirected to Feishu OAuth → authorized → callback → user created successfully
Clicked "飞书企业B" → redirected to Feishu OAuth → authorized → callback → correctly detected email conflict (same test account)
Verified unit tests: slug validation (11 cases all pass), malformed JSON env var graceful fallback, provider reload add/remove
Verified Svelte type check: no new errors introduced

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23535 **Author:** [@RoryChou-flux](https://github.com/RoryChou-flux) **Created:** 4/9/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `feat/custom-sso-providers` --- ### 📝 Commits (10+) - [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev - [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev - [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev - [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev - [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev - [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev - [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev - [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093) - [`6adde20`](https://github.com/open-webui/open-webui/commit/6adde203cd292a9e3af9c64a2ae36b603fed096a) Merge pull request #20394 from open-webui/dev - [`f9b0534`](https://github.com/open-webui/open-webui/commit/f9b0534e0c442631d1cb7205169588b9b6204179) Merge pull request #20522 from open-webui/dev ### 📊 Changes **8 files changed** (+867 additions, -134 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+134 -1) 📝 `backend/open_webui/main.py` (+14 -1) 📝 `backend/open_webui/routers/auths.py` (+133 -0) 📝 `backend/open_webui/utils/oauth.py` (+41 -18) 📝 `src/lib/apis/auths/index.ts` (+100 -0) 📝 `src/lib/components/admin/Settings.svelte` (+4 -1) 📝 `src/lib/components/admin/Settings/General.svelte` (+364 -2) 📝 `src/routes/auth/+page.svelte` (+77 -111) </details> ### 📄 Description  # Pull Request Checklist - [x] **Target branch:** `dev` - [x] **Description:** Provided below. - [x] **Changelog:** Included below. - [ ] **Documentation:** Will add docs if PR is accepted. - [x] **Dependencies:** No new dependencies. - [x] **Testing:** Manually tested with real Feishu OAuth — built-in provider login, custom provider login, dual-provider display, per-provider claim overrides, Admin UI CRUD, slug validation, malformed env var graceful fallback. - [x] **Agentic AI Code:** Human reviewed and manually tested with real Feishu OAuth flow. - [x] **Code review:** Self-reviewed, also addressed automated code review findings (non-dict entry filtering, slug format validation in loader, sub_claim backward compatibility, duplicate import removal). - [x] **Design & Architecture:** Extends existing OAuth system with no new settings UI pages — adds a section in existing General settings. - [x] **Git Hygiene:** Single atomic commit on feature branch, rebased on `main`. - [x] **Title Prefix:** `feat:` # Changelog Entry ### Description Allow administrators to configure **multiple custom OAuth/SSO providers** at runtime via Admin UI or `CUSTOM_OAUTH_PROVIDERS_CONFIG` environment variable. This enables use cases like multiple Feishu enterprises, multiple OIDC providers, or any OAuth2-compatible provider — without code changes. Currently, Open WebUI hardcodes 5 OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu), each limited to a single instance. Users who need multiple instances of the same provider type (e.g., two Feishu apps for different enterprises) must modify source code. ### Added - `CUSTOM_OAUTH_PROVIDERS_CONFIG` PersistentConfig for dynamic custom OAuth provider storage (supports both env var JSON array and Admin UI) - `_build_custom_provider_register()` helper to create Authlib OAuth clients from config dicts - Admin CRUD API endpoints at `/api/v1/auths/admin/config/oauth/custom` for managing custom OAuth providers - "Custom SSO Providers" management section in Admin Settings > General with full CRUD UI - Per-provider claim overrides: `sub_claim`, `email_claim`, `username_claim`, `picture_claim`, `email_fallback` - `provider_type` field on all providers to generalize type-specific logic (e.g., Feishu data unwrap) - `reload_providers()` method on OAuthManager for hot-reloading after config changes - Shared `_is_valid_custom_slug()` validator used in both env loader and admin API - Dynamic OAuth login button rendering via `{#each}` loop (replaces hardcoded `{#if}` blocks) ### Changed - `/api/config` response: `oauth.providers` values changed from plain strings to objects `{name, icon_url, is_custom, provider_type}` - Login page OAuth buttons now render dynamically from provider config - Feishu data-unwrap logic generalized via `provider_type == 'feishu'` instead of `provider == 'feishu'` - Built-in providers now include `name` and `provider_type` fields - Feishu `sub_claim` fixed from `user_id` to `open_id` to match actual Feishu v1 userinfo API response ### Deprecated - N/A ### Removed - N/A ### Fixed - Feishu OAuth login failure due to incorrect `sub_claim: user_id` — Feishu v1 userinfo endpoint returns `open_id`, not `user_id` ### Security - Client secrets are redacted (`***`) in admin API GET responses - Slug validation prevents conflicts with built-in provider names and path-unsafe characters - GitHub email fetch restricted to built-in `github` provider only (prevents token leak from custom providers) - Malformed `CUSTOM_OAUTH_PROVIDERS_CONFIG` env var handled gracefully (falls back to empty array with warning) - Non-dict entries in provider config filtered out to prevent 500 errors ### Breaking Changes - **BREAKING CHANGE**: `/api/config` `oauth.providers` response format changed from `{key: name_string}` to `{key: {name, icon_url, is_custom, provider_type}}`. This only affects the bundled frontend (updated in this PR) and any external consumers of this internal API. --- ### Additional Information **Configuration via environment variable:** ```bash CUSTOM_OAUTH_PROVIDERS_CONFIG='[{ "slug": "feishu-enterprise-b", "display_name": "Feishu Enterprise B", "provider_type": "feishu", "client_id": "cli_xxx", "client_secret": "xxx", "authorize_url": "https://accounts.feishu.cn/open-apis/authen/v1/authorize", "access_token_url": "https://open.feishu.cn/open-apis/authen/v2/oauth/token", "userinfo_endpoint": "https://open.feishu.cn/open-apis/authen/v1/user_info", "scope": "contact:user.base:readonly", "sub_claim": "open_id", "email_fallback": true, "enabled": true }]' ``` **No database migration needed** — custom provider configs stored in existing `config` table JSON blob; `User.oauth` and `OAuthSession.provider` already support arbitrary keys. ### Screenshots or Videos Tested locally with real Feishu OAuth: - Login page showing both built-in "Feishu" and custom "飞书企业B" buttons simultaneously - Built-in Feishu OAuth login flow completed successfully (redirect → authorization → callback → user created) - Custom feishu-b OAuth flow completed successfully (redirect → authorization → callback → email conflict detected correctly since same test account) - API response verified: `{"feishu": {"name": "Feishu", ...}, "feishu-b": {"name": "飞书企业B", "is_custom": true, ...}}` ### Testing Steps 1. Started Open WebUI locally with `FEISHU_CLIENT_ID` + `CUSTOM_OAUTH_PROVIDERS_CONFIG` (two Feishu providers) 2. Verified `/api/config` returns both providers in new object format 3. Opened login page — both "Feishu" and "飞书企业B" buttons displayed 4. Clicked "Feishu" → redirected to Feishu OAuth → authorized → callback → user created successfully 5. Clicked "飞书企业B" → redirected to Feishu OAuth → authorized → callback → correctly detected email conflict (same test account) 6. Verified unit tests: slug validation (11 cases all pass), malformed JSON env var graceful fallback, provider reload add/remove 7. Verified Svelte type check: no new errors introduced ### Contributor License Agreement - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-20 06:57:11 -05:00

GiteaMirror closed this issue

2026-04-20 06:57:12 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#27243