github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-21 17:13:00 -05:00
Code Issues 2.4k Packages Projects Releases 129 Wiki Activity

[GH-ISSUE #15337] issue: OIDC Redirects to http://localhost:3000/auth Instead of Configured PUBLIC_URL After Authentik Login #33064

New Issue
Closed
opened 2026-04-25 06:55:35 -05:00 by GiteaMirror · 2 comments
GiteaMirror commented 2026-04-25 06:55:35 -05:00
Owner
Copy Link

Originally created by @Raman236 on GitHub (Jun 26, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15337

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.15

Ollama Version (if applicable)

latest

Operating System

Linux

Browser (if applicable)

Chrome/Firefox/Edge

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

After login, user should be redirected to:

https://<redacted-domain>.com/auth#token=<JWT>

Actual Behavior

After successfully logging into Open WebUI using Authentik via OIDC, the Web UI redirects to:

http://localhost:3000/auth#token=...

The entire login flow completes successfully, including token exchange and callback reception.
However, the redirect breaks since my deployment is hosted at:

https://<redacted-domain>.com

Steps to Reproduce

  1. Deploy Open WebUI via Docker Compose
webui:
  image: ghcr.io/open-webui/open-webui:main
  environment:
    PUBLIC_URL: https://<redacted-domain>.com
    OLLAMA_BASE_URL: http://ollama:11434
    ENABLE_OAUTH_SIGNUP: true
    OAUTH_MERGE_ACCOUNTS_BY_EMAIL: true
    OAUTH_PROVIDER_NAME: Authentik
    OAUTH_CLIENT_ID: <REDACTED_CLIENT_ID>
    OAUTH_CLIENT_SECRET: <REDACTED_CLIENT_SECRET>
    OPENID_PROVIDER_URL: https://auth.<redacted-domain>.com/application/o/ollama-webui/.well-known/openid-configuration
    OAUTH_SCOPES: openid email profile
    OPENID_REDIRECT_URI: https://<redacted-domain>.com/oauth/oidc/callback

 Set up Authentik with matching callback URLs

Authentik Provider: 

     Client Type: Confidential
     Redirect URIs:
         https://<redacted-domain>.com/oauth/oidc/callback
         (Optional local dev) http://192.168.1.X:8000/oauth/oidc/callback

 Login using Authentik from homepage (https://<redacted-domain>.com)
 Successful token returned
 Redirects to http://localhost:3000/auth#token=...

Logs & Screenshots

GET /oauth/oidc/login HTTP/1.1" 302
POST https://auth.<redacted-domain>.com/application/o/token/ "HTTP/1.1 200 OK"
GET /oauth/oidc/callback?... HTTP/1.1" 307

Additional Information

It was working fine for many months since November 2024. Only recently after an update in April or May, this has been happening
Please confirm:

 Whether the PUBLIC_URL is respected during final frontend redirect
 If any frontend caching or extra config is needed to fix this
 Whether this is a bug or an expected fallback behavior
Originally created by @Raman236 on GitHub (Jun 26, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/15337 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.6.15 ### Ollama Version (if applicable) latest ### Operating System Linux ### Browser (if applicable) Chrome/Firefox/Edge ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior After login, user should be redirected to: `https://<redacted-domain>.com/auth#token=<JWT>` ### Actual Behavior After successfully logging into Open WebUI using Authentik via OIDC, the Web UI redirects to: `http://localhost:3000/auth#token=...` The entire login flow completes successfully, including token exchange and callback reception. However, the redirect breaks since my deployment is hosted at: `https://<redacted-domain>.com` ### Steps to Reproduce 1. Deploy Open WebUI via Docker Compose ``` webui: image: ghcr.io/open-webui/open-webui:main environment: PUBLIC_URL: https://<redacted-domain>.com OLLAMA_BASE_URL: http://ollama:11434 ENABLE_OAUTH_SIGNUP: true OAUTH_MERGE_ACCOUNTS_BY_EMAIL: true OAUTH_PROVIDER_NAME: Authentik OAUTH_CLIENT_ID: <REDACTED_CLIENT_ID> OAUTH_CLIENT_SECRET: <REDACTED_CLIENT_SECRET> OPENID_PROVIDER_URL: https://auth.<redacted-domain>.com/application/o/ollama-webui/.well-known/openid-configuration OAUTH_SCOPES: openid email profile OPENID_REDIRECT_URI: https://<redacted-domain>.com/oauth/oidc/callback ``` Set up Authentik with matching callback URLs ``` Authentik Provider: Client Type: Confidential Redirect URIs: https://<redacted-domain>.com/oauth/oidc/callback (Optional local dev) http://192.168.1.X:8000/oauth/oidc/callback ``` Login using Authentik from homepage (https://<redacted-domain>.com) Successful token returned Redirects to http://localhost:3000/auth#token=... ### Logs & Screenshots ``` GET /oauth/oidc/login HTTP/1.1" 302 POST https://auth.<redacted-domain>.com/application/o/token/ "HTTP/1.1 200 OK" GET /oauth/oidc/callback?... HTTP/1.1" 307 ``` ### Additional Information It was working fine for many months since November 2024. Only recently after an update in April or May, this has been happening Please confirm: Whether the PUBLIC_URL is respected during final frontend redirect If any frontend caching or extra config is needed to fix this Whether this is a bug or an expected fallback behavior
GiteaMirror added the bug label 2026-04-25 06:55:35 -05:00
GiteaMirror commented 2026-04-25 06:55:38 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Jun 27, 2025):

Please read the changelogs before updating, this is an intended behaviour going forward.

<!-- gh-comment-id:3012066053 --> @tjbck commented on GitHub (Jun 27, 2025): Please read the changelogs before updating, this is an intended behaviour going forward.
GiteaMirror commented 2026-04-25 06:55:40 -05:00
Author
Owner
Copy Link

@IdefixRC commented on GitHub (Sep 7, 2025):

Update: found another user with the same issue. Here is the fix:

WEBUI_URL is a persistent config variable
This means once it has been set (ever) you can't change it again from environment variables, only via the admin panel. Persistent config variables are meant for initial setup. Further changes are to be done in the admin panel.
Just change the webui url in the admin panel.

<!-- gh-comment-id:3263610783 --> @IdefixRC commented on GitHub (Sep 7, 2025): Update: found another user with the same issue. Here is the fix: _WEBUI_URL is a persistent config variable This means once it has been set (ever) you can't change it again from environment variables, only via the admin panel. Persistent config variables are meant for initial setup. Further changes are to be done in the admin panel. Just change the webui url in the admin panel._
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#33064
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?