mirror of
https://github.com/open-webui/open-webui.git
synced 2026-05-06 10:58:17 -05:00
[GH-ISSUE #7713] Handle reauthentication prompts/redirects from authenticating reverse proxies like Entra App Proxy gracefully (without a background CORS error only to be fixed by shift+F5) #30384
Originally created by @JasperE84 on GitHub (Dec 9, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/7713
I have made open-webui available for my organisation using Entra Application Proxy. This is more or less Microsoft's version of a cloudflared tunnel: WAN-facing web requests are terminated at the Microsoft cloud, which prompts the user with an Entra authentication request. This setup allows me to safely expose the app to the WAN by inserting an Entra auth gateway in front of it, allowing full conditional access (incl. device-based access restrictions), and it allows me to realize SSO, seamless sign-on, and role-based access control to the web app.
Header-based auth is realized by configuring the env var WEBUI_AUTH_TRUSTED_EMAIL_HEADER and then providing that header through the Entra App Proxy. In effect, opening https://openwebui.mydomain.com will result in an Entra authentication dialog (which is handled automatically if seamless sign-on is configured in Intune), and will then reverse-proxy to the internally hosted web app. The user will then be instantly logged in to open-webui.
This all works perfectly except for one little aspect: if the web app makes an API call and the Entra proxy requires a reauth, the API call to openwebui.mydomain.com gets redirected to the login.microsoftonline.com domain. This then results in a CORS error in the browser console. This initially happened each time I restarted my browser and a new session was made, making Entra ask for reauth. What I think happens is that the open-webui app is cached in the browser and it immediately makes the API call, resulting in an error because openwebui.mydomain.com is not in the Microsoft CORS list, and an authentication page is returned instead of API data. A Shift+F5 in the browser will then promptly fix that, but that requires user knowledge. To improve this I have set the Entra reverse proxy cookie to persistent, stopping Entra from redirecting to login.microsoftonline.com, making it work almost perfectly. Yet I still occasionally get a 500 error (gray background in the open-webui app with a light gray 500 error). Before I made the Entra cookie persistent, I also sometimes got an error screen with a message saying something like 'Oops. You're using a non-supported method, host the webui from the backend' (translated to English), with a "Check again" button. (This check-again button however wouldn't initiate a Shift+F5-like action, so the reload didn't work.)
This would be fixed if Open-WebUI can handle/detect such redirections (to login.microsoftonline.com in this case) and force-reload the entire app if this happens. Or make a button on the 500 error page which will do this.
I have tried playing with the JWT token expiry, but that caused similar errors (having to manually refresh the browser once expired).
Here's my .env config:

And Entra settings: