[PR #23696] [CLOSED] fix(oauth): prefer admin-provided scope over discovered scopes_supported in static-credential flow #27319

Closed
opened 2026-04-20 07:00:00 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23696
Author: @Anai-Guo
Created: 4/14/2026
Status: Closed

Base: main ← Head: fix-oauth-static-scope-override


📝 Commits (3)

  • 52f78a9 fix(oauth): prefer admin-provided scope over discovered scopes_supported in static-credential flow
  • 045e604 fix(oauth): accept explicit scope in OAuthClientRegistrationForm for static credentials
  • ef91db2 fix(oauth): preserve stored scope when re-authenticating static OAuth clients

📊 Changes

3 files changed (+9 additions, -3 deletions)


📝 backend/open_webui/main.py (+1 -0)
📝 backend/open_webui/routers/configs.py (+2 -0)
📝 backend/open_webui/utils/oauth.py (+6 -3)

📄 Description

Fixes #23668

Problem

get_oauth_client_info_with_static_credentials unconditionally overwrites the OAuth scope with the authorization server's scopes_supported metadata:

```python
scope = None
if oauth_server_metadata and oauth_server_metadata.scopes_supported:
    scope = ' '.join(oauth_server_metadata.scopes_supported)   # silently drops admin scope
```

This breaks setups that rely on scope bundling — e.g. registering multiple MCP servers backed by the same Entra AD/Azure app where a single consent should cover Calendar + Mail + User resource scopes. The metadata endpoint returns only generic OpenID scopes (openid profile offline_access), so the actual resource scopes are lost, causing repeated consent prompts or missing token audiences.

Fix

Three-part change:

  1. utils/oauth.py — add an optional scope parameter to get_oauth_client_info_with_static_credentials. The discovered scopes_supported is used only when no explicit scope was provided (and a debug log makes this visible).

  2. routers/configs.py — add scope: Optional[str] = None to OAuthClientRegistrationForm and forward it to the function, so admins can supply a custom scope string when registering a tool server with static credentials.

  3. main.py — when re-authenticating an existing static-credential client (refreshing endpoints), read the scope that was persisted in the encrypted client-info blob and pass it back, so the scope is preserved across re-auth cycles.

Behaviour

| Situation | Before | After |
|-----------|--------|-------|
| Admin provides explicit scope | Silently replaced by `scopes_supported` | Honoured as-is |
| No scope provided, server advertises `scopes_supported` | Used (unchanged) | Used, with a debug log |
| No scope, no `scopes_supported` | `None` | `None` (unchanged) |
| Re-auth of existing static client | Scope re-discovered, may differ | Stored scope preserved |
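The scope precedence described in the table, as an added illustration that is not code from the open-webui project: `resolve_scope_before` mirrors the pre-fix behaviour (discovery always wins), `resolve_scope_after` the post-fix precedence (explicit admin scope, then `scopes_supported`, then `None`), and `scope_for_reauth` the re-auth path that feeds the persisted scope back. `OAuthServerMetadata`, the function names and the sample scope strings are assumptions constructed for this example.

```python
import logging
from dataclasses import dataclass, field
from typing import List, Optional

log = logging.getLogger(__name__)


@dataclass
class OAuthServerMetadata:
    # Constructed stand-in for discovered authorization-server metadata;
    # only the field the scope decision depends on is modelled.
    scopes_supported: List[str] = field(default_factory=list)


def resolve_scope_before(metadata: Optional[OAuthServerMetadata],
                         scope: Optional[str]) -> Optional[str]:
    """Pre-fix behaviour: the admin-provided scope is ignored and the
    discovered scopes_supported (or None) is always used."""
    resolved = None  # the explicit scope never reaches this point
    if metadata and metadata.scopes_supported:
        resolved = " ".join(metadata.scopes_supported)
    return resolved


def resolve_scope_after(metadata: Optional[OAuthServerMetadata],
                        scope: Optional[str]) -> Optional[str]:
    """Post-fix precedence: explicit scope > scopes_supported > None."""
    if scope:
        return scope  # admin-provided scope is honoured as-is
    if metadata and metadata.scopes_supported:
        discovered = " ".join(metadata.scopes_supported)
        log.debug("No explicit scope; falling back to scopes_supported: %s",
                  discovered)
        return discovered
    return None


def scope_for_reauth(stored_client_info: dict,
                     metadata: Optional[OAuthServerMetadata]) -> Optional[str]:
    """Re-auth of an existing static client: pass the scope persisted in the
    stored client-info back in, so it is not replaced by re-discovery."""
    return resolve_scope_after(metadata, stored_client_info.get("scope"))
```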

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-20 07:00:00 -05:00
Reference: github-starred/open-webui#27319