[GH-ISSUE #17178] feat: Add a way to set OAuth response_mode and handle large groups claim (AD FS + allatclaims) #33725

New Issue

Closed

opened 2026-04-25 07:36:31 -05:00 by GiteaMirror · 1 comment

GiteaMirror commented 2026-04-25 07:36:31 -05:00

Owner

Copy Link

Originally created by @m20l22 on GitHub (Sep 3, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17178

Check Existing Issues

• I have searched the existing issues and discussions.

Problem Description

I’m running Open WebUI with Microsoft AD FS as the OIDC provider and I use OAuth Group Management by emitting a groups claim (enabled via the AD FS allatclaims scope). In practice, AD FS + allatclaims works and users can authenticate successfully, and Open WebUI reads groups on login.

However, when a user belongs to many groups, the resulting ID/access token (with the groups claim) becomes large. Open WebUI appears to store token data in a cookie, and for users with a large groups claim this exceeds common browser cookie size limits. The net effect is:

• Authentication succeeds, but
• Group membership in Open WebUI does not update for that user (the large claim can’t be persisted/processed because the cookie is too big).

Separately, Microsoft’s guidance for AD FS when customizing ID tokens (e.g., to include extra claims like groups) requires using response_mode=form_post. Open WebUI currently has no configuration/env var to set response_mode, so AD FS deployments can’t explicitly choose form_post.

Desired Solution you'd like

1. Configurable response_mode: Add an environment variable (and/or admin setting) to control the OIDC authorization request response_mode. Example:

• OAUTH_RESPONSE_MODE=form_post|query|fragment
• If set, include response_mode=<value> on the /authorize request.

2. Handle large claims without cookie overflow (any one of the below would help):

• Store tokens (or parsed claims) server-side and keep only a session identifier in the cookie.
• Allow using the UserInfo endpoint to fetch the groups claim on login instead of relying on a large ID/access token in the cookie.
• Provide an option to strip or compress large claims from the cookie while still using them once during the login callback to update groups.

Either (2a), (2b), or (2c) would prevent group sync from silently failing when the groups claim is large.

Alternatives Considered

• Reducing group memberships / claim size: Not practical in enterprise AD environments.
• Mapping groups to a smaller claim: Possible, but still risks hitting size limits for some users.
• Switching IdP (e.g., Keycloak/Okta): Not feasible for organizations standardized on AD FS.
• Relying only on access tokens: Doesn’t address cookie size if the access token itself is large and stored the same way.

Additional Context

• Scenario: AD FS emits groups via allatclaims; Open WebUI parses groups on login to assign roles/teams. Works for users with few groups. Fails to update groups for users with many groups due to cookie size.
• Request is twofold:
  1. Add OAUTH_RESPONSE_MODE so AD FS setups can use form_post per Microsoft guidance.
  2. Add a mechanism to handle large groups claims without exceeding cookie limits (server-side session, UserInfo fetch, or similar).
• Repro (simplified):
  1. Configure AD FS client with claim rules to emit groups; grant allatclaims.
  2. Enable Open WebUI SSO with group management (groups claim).
  3. Log in as a user who belongs to a large number of groups.
  4. Observe: login succeeds, but the user’s groups in Open WebUI are not updated.

Originally created by @m20l22 on GitHub (Sep 3, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/17178 ### Check Existing Issues - [x] I have searched the existing issues and discussions. ### Problem Description I’m running Open WebUI with Microsoft AD FS as the OIDC provider and I use OAuth Group Management by emitting a `groups` claim (enabled via the AD FS `allatclaims` scope). In practice, AD FS + `allatclaims` works and users can authenticate successfully, and Open WebUI reads groups on login. However, when a user belongs to many groups, the resulting ID/access token (with the `groups` claim) becomes large. Open WebUI appears to store token data in a cookie, and for users with a large `groups` claim this exceeds common browser cookie size limits. The net effect is: - Authentication succeeds, but - Group membership in Open WebUI does not update for that user (the large claim can’t be persisted/processed because the cookie is too big). Separately, [Microsoft’s guidance for AD FS when customizing ID tokens](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-openid-connect-oauth-concepts#customize-id-token-extra-claims-in-id-token) (e.g., to include extra claims like `groups`) requires using `response_mode=form_post`. Open WebUI currently has no configuration/env var to set `response_mode`, so AD FS deployments can’t explicitly choose `form_post`. ### Desired Solution you'd like 1. Configurable `response_mode`: Add an environment variable (and/or admin setting) to control the OIDC authorization request `response_mode`. Example: - `OAUTH_RESPONSE_MODE=form_post|query|fragment` - If set, include `response_mode=<value>` on the `/authorize` request. 2. Handle large claims without cookie overflow (any one of the below would help): - Store tokens (or parsed claims) server-side and keep only a session identifier in the cookie. - Allow using the UserInfo endpoint to fetch the `groups` claim on login instead of relying on a large ID/access token in the cookie. - Provide an option to strip or compress large claims from the cookie while still using them once during the login callback to update groups. Either (2a), (2b), or (2c) would prevent group sync from silently failing when the `groups` claim is large. ### Alternatives Considered - Reducing group memberships / claim size: Not practical in enterprise AD environments. - Mapping groups to a smaller claim: Possible, but still risks hitting size limits for some users. - Switching IdP (e.g., Keycloak/Okta): Not feasible for organizations standardized on AD FS. - Relying only on access tokens: Doesn’t address cookie size if the access token itself is large and stored the same way. ### Additional Context - Scenario: AD FS emits groups via allatclaims; Open WebUI parses groups on login to assign roles/teams. Works for users with few groups. Fails to update groups for users with many groups due to cookie size. - Request is twofold: 1. Add OAUTH_RESPONSE_MODE so AD FS setups can use form_post per Microsoft guidance. 2. Add a mechanism to handle large groups claims without exceeding cookie limits (server-side session, UserInfo fetch, or similar). - Repro (simplified): 1. Configure AD FS client with claim rules to emit groups; grant allatclaims. 2. Enable Open WebUI SSO with group management (groups claim). 3. Log in as a user who belongs to a large number of groups. 4. Observe: login succeeds, but the user’s groups in Open WebUI are not updated.

GiteaMirror closed this issue 2026-04-25 07:36:31 -05:00

GiteaMirror commented 2026-04-25 07:36:32 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Sep 8, 2025):

Addressed with 217f4daef0

<!-- gh-comment-id:3266956612 --> @tjbck commented on GitHub (Sep 8, 2025): Addressed with 217f4daef09b36d3d4cc4681e11d3ebd9984a1a5

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#33725