[PR #23671] [CLOSED] fix: send admin-entered client_id (not tool server id) during oauth_2.1_static registration #27308

Closed
opened 2026-04-20 06:59:35 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23671
Author: @dhruvalgupta2003
Created: 4/13/2026
Status: Closed

Base: dev ← Head: fix/oauth-2.1-static-wiring


📝 Commits (1)

  • 0c11370 fix: wire oauth_2.1_static through MCP auth code paths

📊 Changes

1 file changed (+1 additions, -1 deletions)


📝 src/lib/components/AddToolServerModal.svelte (+1 -1)

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

  • [x] Target branch: Verify that the pull request targets the dev branch.
  • [x] Description: Provide a concise description of the changes made in this pull request down below.
  • [x] Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • [x] Documentation: No user-facing docs changes needed — purely a bug fix in the admin-only MCP registration form.
  • [x] Dependencies: No new or upgraded dependencies.
  • [ ] Testing: See testing notes in the description; the submitter will confirm manual verification before marking ready for review.
  • [ ] Agentic AI Code: Submitter will confirm human review + manual testing before marking ready for review.
  • [x] Code review: Self-reviewed; single-line fix.
  • [x] Design & Architecture: No new settings, no architectural changes.
  • [x] Git Hygiene: Single atomic commit targeting dev.
  • [x] Title Prefix: fix:

Changelog Entry

Description

When registering an MCP tool server with auth_type: oauth_2.1_static, the frontend incorrectly POSTs the tool server's internal id as client_id instead of the admin-entered OAuth Client ID (oauthClientId). The client_secret is sent correctly; only the client_id is wrong. As a result, registration against the IdP is attempted with an invalid client and fails (or succeeds with an unusable record), even though the admin entered valid credentials.

The correct value is already held in component state — it is used elsewhere in the same file when building the info object for the save payload (see info.oauth_client_id: oauthClientId). The registration POST is the only call site still binding to the wrong variable.

Net diff: 1 line in 1 file.

Fixed

  • Fixed AddToolServerModal.svelte sending the tool server's internal id as client_id during the oauth_2.1_static registration POST. It now sends the admin-entered OAuth Client ID, matching what the backend (configs.py OAuthClientRegistrationForm) expects and what the rest of the frontend already stores in info.oauth_client_id. Closes #23670.

Related (already fixed in dev, pointing out for future reference)

Two other oauth_2.1_static wiring gaps were filed as issues — both turned out to already be fixed on dev, so they are not addressed by this PR:

  • #23665 — middleware Authorization header for static MCP — already fixed on dev (backend/open_webui/utils/middleware.py:2520).
  • #23666 — authenticated flag in tool listing — already fixed on dev (backend/open_webui/routers/tools.py:123,151).

The issues can be closed once this PR lands.


Additional Information

Repro (before fix):

  1. As admin, open Admin → Settings → Tools → Add Tool Server.
  2. Choose type MCP, set an ID (e.g. calendar), URL, auth type OAuth 2.1 (Static).
  3. Enter a valid OAuth Client ID (e.g. your Entra app client id) and Client Secret.
  4. Click Register. Network inspector shows POST /configs/oauth/clients/register with client_id = "calendar" instead of the Entra app client id. Registration against the IdP fails.

Expected (after fix): the POST carries the admin-entered OAuth Client ID, registration succeeds.

Screenshots or Videos

  • To be attached by the submitter after manual verification against a real Entra AD / M365 MCP setup.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
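
A regression check for the binding error described in the PR, as an added example that is not code from the PR or from Open WebUI: it compares the registration body against the form state and reports when client_id carries the tool server id. The function names, the `oauthClientSecret` field and the body shape are assumptions; `id`, `oauthClientId`, `client_id` and `client_secret` follow the PR text.

```javascript
// Added example; helper names and the exact body shape are assumptions.
const STATIC = 'oauth_2.1_static';

// "Before": binds client_id to the tool server's internal id (the bug described).
function buildBodyBefore(form) {
  return { client_id: form.id, client_secret: form.oauthClientSecret };
}

// "After": binds client_id to the admin-entered OAuth Client ID.
function buildBodyAfter(form) {
  return { client_id: form.oauthClientId, client_secret: form.oauthClientSecret };
}

// Returns a list of findings; an empty list means the body matches the form state.
function checkRegistrationBody(form, body) {
  const findings = [];
  if (form.auth_type !== STATIC) return findings; // only static registration is in scope
  const entered = (form.oauthClientId ?? '').trim();
  if (entered === '') {
    findings.push('no OAuth Client ID entered');
    return findings;
  }
  if (body.client_id !== entered) {
    findings.push(
      body.client_id === form.id
        ? 'client_id is the tool server id, not the entered OAuth Client ID'
        : 'client_id differs from the entered OAuth Client ID'
    );
  }
  if (!body.client_secret) findings.push('client_secret missing');
  return findings;
}

// Constructed sample form state (placeholder values, not real credentials).
const sampleForm = {
  id: 'calendar',
  auth_type: STATIC,
  oauthClientId: '00000000-0000-0000-0000-000000000000',
  oauthClientSecret: 'placeholder-secret'
};
console.log(checkRegistrationBody(sampleForm, buildBodyBefore(sampleForm)));
console.log(checkRegistrationBody(sampleForm, buildBodyAfter(sampleForm)));
```

When the admin-entered client id happens to equal the server id, the two builders produce the same body and the check reports nothing, so test fixtures should use distinct values.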

GiteaMirror added the pull-request label 2026-04-20 06:59:35 -05:00

Reference: github-starred/open-webui#27308