oauth2/OIDC users forced into 'pending' state after each login #3256

Closed
opened 2025-11-11 15:27:05 -06:00 by GiteaMirror · 0 comments
Originally created by @NetValue-noc on GitHub (Jan 13, 2025).

Bug Report

Installation Method

Podman container pulled from ghcr.io/open-webui/open-webui:cuda

Nginx providing HTTPS proxy in front

Environment

  • Open WebUI Version: v0.5.4

  • Operating System: Ubuntu 22.04

  • Browser (if applicable): Firefox, Chrome

Confirmation:

  • [x] I have read and followed all the instructions provided in the README.md.
  • [x] I am on the latest version of both Open WebUI and Ollama.
  • [ ] I have included the browser console logs.
  • [ ] I have included the Docker container logs.
  • [x] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

1. User authenticates via oauth2/oidc and is placed into 'pending' state.
2. open-webui admin changes user to 'user' (or 'admin') state.
3. User logs out.
4. User re-authenticates via oauth2/oidc.
5. User is logged in and retains previous state.

Actual Behavior:

Each time the user authenticates via oauth2/oidc, they are reverted to 'pending' state

Description

Bug Summary:

Users are set to 'pending' state on each oauth2/oidc authentication.

Reproduction Details

Steps to Reproduce:

See expected behaviour

Logs and Screenshots

No relevant logs are emitted by the container; having more debug log info around the Open WebUI OAuth traffic would be great...

Additional Information

Container is started via:

```
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -d --name open-webui --label io.containers.autoupdate=registry --network=slirp4netns:allow_host_loopback=true --http-proxy=false -p 3000:8080 --gpus all -e OLLAMA_BASE_URL=http://ollama:11434 -v open-webui:/app/backend/data -e HF_HUB_OFFLINE=1 -e ENABLE_OAUTH_SIGNUP='True' -e OAUTH_CLIENT_ID='redacted' -e OAUTH_CLIENT_SECRET='redacted' -e OPENID_PROVIDER_URL='https://oauth.id.jumpcloud.com/.well-known/openid-configuration' -e OAUTH_PROVIDER_NAME='Jumpcloud ollama SSO' -e OAUTH_SCOPES='openid email' -e ENABLE_OAUTH_ROLE_MANAGEMENT='True' -e OAUTH_ALLOWED_ROLES='user,admin' -e OAUTH_ADMIN_ROLES='admin' -e OAUTH_ROLES_CLAIM='roles' -e ENABLE_SIGNUP='False' -e ENABLE_LOGIN_FORM='True' -e DEFAULT_USER_ROLE='user' ghcr.io/open-webui/open-webui:cuda
```

The OAuth2/OIDC provider is "Jumpcloud". The Jumpcloud SSO application is configured with a custom attribute/claim "roles" which returns "user" or "admin" based on which Jumpcloud user group they are included in.

I've debugged the SSO application and confirmed that the "roles" claim is populated; here's an example response ID token which has been decoded:

```
"idTokenDecoded": {
    "at_hash": "redacted",
    "aud": [
      "redacted"
    ],
    "auth_time": 1736739844,
    "email": "test@example.com",
    "email_verified": "true",
    "exp": 1736743445,
    "iat": 1736739845,
    "iss": "https://oauth.id.jumpcloud.com/",
    "jc_org": "redacted",
    "jti": "redacted",
    "nonce": "redacted",
    "rat": 1736739842,
    "roles": "user",
    "sid": "redacted",
    "sub": "redacted",
    "authorizations": []
  },
```

The open-webui user's Oauth ID is consistent across login attempts.
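As an added illustration (my own example, not Open WebUI's code; the real implementation may differ, for instance in which token or endpoint it reads the claim from), here is a reference role-mapping check that uses the variable names from the ExecStart line above and a constructed token with the same claims as the decoded ID token. It resolves a user to `admin`, `user` or `pending` and returns the intermediate facts a debug log line for that decision should carry, which is the kind of logging the report asks for. It also shows two ways such a setup quietly lands a user in `pending`: the claim name in `OAUTH_ROLES_CLAIM` not matching what the IdP sends, and a role value that only partially matches (a bare-string membership test would treat `user` as present in `superuser`, so roles are compared as whole names).

```python
import json
from typing import Any

# Constructed settings mirroring the -e variables in the ExecStart line above.
# The variable names are the page's; how they are parsed here is this example's.
SETTINGS = {
    "ENABLE_OAUTH_ROLE_MANAGEMENT": "True",
    "OAUTH_ALLOWED_ROLES": "user,admin",
    "OAUTH_ADMIN_ROLES": "admin",
    "OAUTH_ROLES_CLAIM": "roles",
    "DEFAULT_USER_ROLE": "user",
}

# Constructed decoded ID token carrying the same claims as the one in the report.
ID_TOKEN = json.loads("""{
    "aud": ["redacted"],
    "auth_time": 1736739844,
    "email": "test@example.com",
    "email_verified": "true",
    "iss": "https://oauth.id.jumpcloud.com/",
    "roles": "user",
    "sub": "redacted",
    "authorizations": []
}""")


def split_csv(value: str) -> list[str]:
    """Parse a comma-separated setting such as 'user,admin' into a list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def get_claim(claims: dict, path: str) -> Any:
    """Resolve a claim by name, allowing a dotted path for nested claims
    (e.g. 'realm_access.roles'). Returns None when any segment is missing."""
    cur: Any = claims
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_roles(raw: Any) -> list[str]:
    """Turn a scalar, list, or comma/space-separated string into whole role names.
    Comparing against a bare string with `in` would be a substring test
    ('user' in 'superuser' is True), so never match on the raw string."""
    if raw is None:
        return []
    if isinstance(raw, str):
        return [r for r in raw.replace(",", " ").split() if r]
    if isinstance(raw, (list, tuple, set)):
        return [str(r) for r in raw]
    return [str(raw)]


def diagnose(claims: dict, settings: dict) -> dict:
    """Compute the role decision and every fact that led to it.
    This dict is what a debug log line for the decision should contain."""
    claim_name = settings["OAUTH_ROLES_CLAIM"]
    raw = get_claim(claims, claim_name)
    roles = set(normalize_roles(raw))
    allowed = set(split_csv(settings["OAUTH_ALLOWED_ROLES"]))
    admin = set(split_csv(settings["OAUTH_ADMIN_ROLES"]))
    enabled = settings.get("ENABLE_OAUTH_ROLE_MANAGEMENT", "False").lower() == "true"

    if not enabled:
        resolved = settings.get("DEFAULT_USER_ROLE", "pending")
    elif roles & admin:
        resolved = "admin"
    elif roles & allowed:
        resolved = "user"
    else:
        resolved = "pending"  # no allowed role found in the token

    return {
        "claim": claim_name,
        "claim_present": raw is not None,
        "roles_found": sorted(roles),
        "matched_admin": sorted(roles & admin),
        "matched_allowed": sorted(roles & allowed),
        "role_management_enabled": enabled,
        "resolved": resolved,
    }


def resolve_role(claims: dict, settings: dict) -> str:
    """Return 'admin', 'user' or 'pending' for a decoded token under the settings."""
    return diagnose(claims, settings)["resolved"]


if __name__ == "__main__":
    # Run the report's token through the check and print the decision trail.
    print(json.dumps(diagnose(ID_TOKEN, SETTINGS), indent=2))
```

Feeding the decoded token from the report through `diagnose` shows `claim_present: true`, `roles_found: ["user"]` and `resolved: "user"`, so under these settings the token itself does map to a non-pending role; the same call with the roles claim missing, or with `OAUTH_ROLES_CLAIM` pointing at a claim the IdP does not send, resolves to `pending`, which is the fastest thing to rule out when every login lands in that state.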

Nginx proxy config:

```
location / {

    # Add WebSocket support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://127.0.0.1:3000;
    include proxy_params;
}
```
Reference: github-starred/open-webui#3256