github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 19:08:59 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #17829] issue: Exception during token refresh for provider oidc: Constructor parameter should be str #33938

New Issue
Closed
opened 2026-04-25 07:49:03 -05:00 by GiteaMirror · 16 comments
GiteaMirror commented 2026-04-25 07:49:03 -05:00
Owner
Copy Link

Originally created by @davidshen84 on GitHub (Sep 27, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17829

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.31

Ollama Version (if applicable)

No response

Operating System

Linux+k3s

Browser (if applicable)

Chrome

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

There are repetitive errors and warnings related to OAuth; however, I was able to log in and use the app using OAuth authentication.

Actual Behavior

Repeatitive messages like the following.

Steps to Reproduce

Set up the openweb-ui container with OAuth support using OIDC.

    # oauth
    - name: WEBUI_URL
      value: https://openwebui.xyz.duckdns.org
    - name: ENABLE_OAUTH_PERSISTENT_CONFIG
      value: 'false'
    - name: ENABLE_OAUTH_SIGNUP
      value: 'true'
    - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
      value: 'true'
    - name: OAUTH_SESSION_TOKEN_ENCRYPTION_KEY
      valueFrom:
        secretKeyRef:
          name: openwebui-oauth-secrets
          key: sessionTokenEncryptionKey
    - name: OAUTH_CLIENT_ID
      value: duck
    - name: OAUTH_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: openwebui-oauth-secrets
          key: clientSecret
    - name: OPENID_PROVIDER_URL
      value: https://xyz.cloud-iam.com/auth/realms/duck/.well-known/openid-configuration
    - name: OPENID_REDIRECT_URI
      value: https://openwebui.xyz.duckdns.org/oauth/oidc/callback
    - name: ENABLE_OAUTH_ROLE_MANAGEMENT
      value: 'true'
    - name: OAUTH_ROLES_CLAIM
      value: resource_access.duck.roles
    - name: OAUTH_ALLOWED_ROLES
      value: user
    - name: OAUTH_ADMIN_ROLES
      value: admin
    # end oauth

Logs & Screenshots

open-webui 2025-09-27 22:59:51.936 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str
open-webui 2025-09-27 22:59:51.936 | ERROR    | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 22:59:51.936 | WARNING  | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 22:59:58.168 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session d73df636-2da3-4593-b849-f65db28a59cd

Additional Information

I don't fully understand how to use the ENABLE_OAUTH_PERSISTENT_CONFIG settings, so I set it to false.

I wonder if the error is related to the value in OAUTH_SESSION_TOKEN_ENCRYPTION_KEY. The key value is not some random string. It is a Fernet encryption key, but there's no mention of it in the document. I wonder if there are other hidden requirements of this key or other related settings that I didn't set correctly.

Originally created by @davidshen84 on GitHub (Sep 27, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/17829 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.6.31 ### Ollama Version (if applicable) _No response_ ### Operating System Linux+k3s ### Browser (if applicable) Chrome ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior There are repetitive errors and warnings related to OAuth; however, I was able to log in and use the app using OAuth authentication. ### Actual Behavior Repeatitive messages like the following. ### Steps to Reproduce Set up the openweb-ui container with OAuth support using OIDC. ```yaml # oauth - name: WEBUI_URL value: https://openwebui.xyz.duckdns.org - name: ENABLE_OAUTH_PERSISTENT_CONFIG value: 'false' - name: ENABLE_OAUTH_SIGNUP value: 'true' - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL value: 'true' - name: OAUTH_SESSION_TOKEN_ENCRYPTION_KEY valueFrom: secretKeyRef: name: openwebui-oauth-secrets key: sessionTokenEncryptionKey - name: OAUTH_CLIENT_ID value: duck - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: name: openwebui-oauth-secrets key: clientSecret - name: OPENID_PROVIDER_URL value: https://xyz.cloud-iam.com/auth/realms/duck/.well-known/openid-configuration - name: OPENID_REDIRECT_URI value: https://openwebui.xyz.duckdns.org/oauth/oidc/callback - name: ENABLE_OAUTH_ROLE_MANAGEMENT value: 'true' - name: OAUTH_ROLES_CLAIM value: resource_access.duck.roles - name: OAUTH_ALLOWED_ROLES value: user - name: OAUTH_ADMIN_ROLES value: admin # end oauth ``` ### Logs & Screenshots ``` open-webui 2025-09-27 22:59:51.936 | ERROR | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str open-webui 2025-09-27 22:59:51.936 | ERROR | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session d73df636-2da3-4593-b849-f65db28a59cd open-webui 2025-09-27 22:59:51.936 | WARNING | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session d73df636-2da3-4593-b849-f65db28a59cd open-webui 2025-09-27 22:59:58.168 | WARNING | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session d73df636-2da3-4593-b849-f65db28a59cd ``` ### Additional Information I don't fully understand how to use the `ENABLE_OAUTH_PERSISTENT_CONFIG` settings, so I set it to *false*. I wonder if the error is related to the value in `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY`. The key value is not some random string. It is a [Fernet](https://github.com/open-webui/open-webui/blob/598282cf75de358215d045c617e70d28bc48929e/backend/open_webui/models/oauth_sessions.py#L76) encryption key, but there's no mention of it in the document. I wonder if there are other hidden requirements of this key or other related settings that I didn't set correctly.
GiteaMirror added the bug label 2026-04-25 07:49:03 -05:00
GiteaMirror commented 2026-04-25 07:49:05 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Sep 28, 2025):

Do you have WEBUI_SECRET_KEY set?

<!-- gh-comment-id:3343875875 --> @tjbck commented on GitHub (Sep 28, 2025): Do you have `WEBUI_SECRET_KEY` set?
GiteaMirror commented 2026-04-25 07:49:05 -05:00
Author
Owner
Copy Link

@davidshen84 commented on GitHub (Sep 28, 2025):

No. I thinks the doc says if I set OAUTH_SESSION_TOKEN_ENCRYPTION_KEY, I
don't need to set the web secret key. Also, the log says it generated one
on startup.

If I set the web secret key, do I need to reset the database?

On Mon, 29 Sept 2025, 02:53 Tim Jaeryang Baek, @.***>
wrote:

tjbck left a comment (open-webui/open-webui#17829)
https://github.com/open-webui/open-webui/issues/17829#issuecomment-3343875875

Do you have WEBUI_SECRET_KEY set?


Reply to this email directly, view it on GitHub
https://github.com/open-webui/open-webui/issues/17829#issuecomment-3343875875,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAQBTPJT6HCTUMRMNRV7ZT3VAHAHAVCNFSM6AAAAACHV27B6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNBTHA3TKOBXGU
.
You are receiving this because you authored the thread.Message ID:
@.***>

<!-- gh-comment-id:3344218868 --> @davidshen84 commented on GitHub (Sep 28, 2025): No. I thinks the doc says if I set OAUTH_SESSION_TOKEN_ENCRYPTION_KEY, I don't need to set the web secret key. Also, the log says it generated one on startup. If I set the web secret key, do I need to reset the database? On Mon, 29 Sept 2025, 02:53 Tim Jaeryang Baek, ***@***.***> wrote: > *tjbck* left a comment (open-webui/open-webui#17829) > <https://github.com/open-webui/open-webui/issues/17829#issuecomment-3343875875> > > Do you have WEBUI_SECRET_KEY set? > > — > Reply to this email directly, view it on GitHub > <https://github.com/open-webui/open-webui/issues/17829#issuecomment-3343875875>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAAQBTPJT6HCTUMRMNRV7ZT3VAHAHAVCNFSM6AAAAACHV27B6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNBTHA3TKOBXGU> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >
GiteaMirror commented 2026-04-25 07:49:06 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Sep 28, 2025):

@davidshen84
incorrect, the docs say that OAUTH_SESSION_TOKEN_ENCRYPTION_KEY defaults back to WEBUI_SECRET_KEY

It does not say you don't need to set the WEBUI_SECRET_KEY
In fact, the SSO tutorial page specifically says that WEBUI_SECRET_KEY is required.

<!-- gh-comment-id:3344222047 --> @Classic298 commented on GitHub (Sep 28, 2025): @davidshen84 incorrect, the docs say that OAUTH_SESSION_TOKEN_ENCRYPTION_KEY defaults back to WEBUI_SECRET_KEY It does not say you don't need to set the WEBUI_SECRET_KEY In fact, the SSO tutorial page specifically says that WEBUI_SECRET_KEY is required.
GiteaMirror commented 2026-04-25 07:49:06 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Sep 28, 2025):

Correction: The SSO Troubleshooting Tutorial says it, not the normal one. Updating the docs rn!

But the troubleshooting tutorial should have been conducted first before opening an issue

<!-- gh-comment-id:3344224634 --> @Classic298 commented on GitHub (Sep 28, 2025): Correction: The SSO Troubleshooting Tutorial says it, not the normal one. Updating the docs rn! But the troubleshooting tutorial should have been conducted first before opening an issue
GiteaMirror commented 2026-04-25 07:49:07 -05:00
Author
Owner
Copy Link

@davidshen84 commented on GitHub (Sep 28, 2025):

Ok, thanks for the clarification.

On Mon, 29 Sept 2025, 06:26 Classic298, @.***> wrote:

Classic298 left a comment (open-webui/open-webui#17829)
https://github.com/open-webui/open-webui/issues/17829#issuecomment-3344224634

Correction: The SSO Troubleshooting Tutorial says it, not the normal one.
Updating.

But the troubleshooting tutorial should have been conducted first before
opening an issue


Reply to this email directly, view it on GitHub
https://github.com/open-webui/open-webui/issues/17829#issuecomment-3344224634,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAQBTMRJDTSGHOOLBT2HU33VA76RAVCNFSM6AAAAACHV27B6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNBUGIZDINRTGQ
.
You are receiving this because you were mentioned.Message ID:
@.***>

<!-- gh-comment-id:3344249832 --> @davidshen84 commented on GitHub (Sep 28, 2025): Ok, thanks for the clarification. On Mon, 29 Sept 2025, 06:26 Classic298, ***@***.***> wrote: > *Classic298* left a comment (open-webui/open-webui#17829) > <https://github.com/open-webui/open-webui/issues/17829#issuecomment-3344224634> > > Correction: The SSO Troubleshooting Tutorial says it, not the normal one. > Updating. > > But the troubleshooting tutorial should have been conducted first before > opening an issue > > — > Reply to this email directly, view it on GitHub > <https://github.com/open-webui/open-webui/issues/17829#issuecomment-3344224634>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAAQBTMRJDTSGHOOLBT2HU33VA76RAVCNFSM6AAAAACHV27B6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNBUGIZDINRTGQ> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >
GiteaMirror commented 2026-04-25 07:49:07 -05:00
Author
Owner
Copy Link

@davidshen84 commented on GitHub (Sep 29, 2025):

I have set both WEBUI_SECRET_KEY and OAUTH_SESSION_TOKEN_ENCRYPTION_KEY to the same value and still get this Error. The site still seems to be functional.

Perhaps it's related to my OIDC provider? I am using cloud-iam.com, which uses KeyCloak for its service.

open-webui INFO  [alembic.runtime.migration] Context impl PostgresqlImpl.
open-webui INFO  [alembic.runtime.migration] Will assume transactional DDL.
open-webui WARNI [open_webui.env] 
open-webui 
open-webui WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.
open-webui 
open-webui 
open-webui  ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
open-webui ██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
open-webui ██║   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
open-webui ██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║
open-webui ╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
open-webui  ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝
open-webui 
open-webui 
open-webui v0.6.31 - building the best AI user interface.
open-webui 
open-webui https://github.com/open-webui/open-webui
open-webui 
open-webui INFO:     Started server process [1]
open-webui INFO:     Waiting for application startup.
open-webui 2025-09-29 01:37:45.838 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18
stream closed EOF for llm-stack/open-webui-0 (copy-app-data)
open-webui 2025-09-29 01:37:48.318 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18
open-webui 2025-09-29 01:38:25.617 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str
open-webui 2025-09-29 01:38:25.617 | ERROR    | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session e054c838-ad49-4dcf-a9bd-f45851529e5a
open-webui 2025-09-29 01:38:25.617 | WARNING  | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session e054c838-ad49-4dcf-a9bd-f45851529e5a
open-webui 2025-09-29 01:38:28.044 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session e054c838-ad49-4dcf-a9bd-f45851529e5a
<!-- gh-comment-id:3344567914 --> @davidshen84 commented on GitHub (Sep 29, 2025): I have set both `WEBUI_SECRET_KEY` and `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY` to the same value and still get this Error. The site still seems to be functional. Perhaps it's related to my OIDC provider? I am using cloud-iam.com, which uses KeyCloak for its service. ``` open-webui INFO [alembic.runtime.migration] Context impl PostgresqlImpl. open-webui INFO [alembic.runtime.migration] Will assume transactional DDL. open-webui WARNI [open_webui.env] open-webui open-webui WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS. open-webui open-webui open-webui ██████╗ ██████╗ ███████╗███╗ ██╗ ██╗ ██╗███████╗██████╗ ██╗ ██╗██╗ open-webui ██╔═══██╗██╔══██╗██╔════╝████╗ ██║ ██║ ██║██╔════╝██╔══██╗██║ ██║██║ open-webui ██║ ██║██████╔╝█████╗ ██╔██╗ ██║ ██║ █╗ ██║█████╗ ██████╔╝██║ ██║██║ open-webui ██║ ██║██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ open-webui ╚██████╔╝██║ ███████╗██║ ╚████║ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║ open-webui ╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═╝ open-webui open-webui open-webui v0.6.31 - building the best AI user interface. open-webui open-webui https://github.com/open-webui/open-webui open-webui open-webui INFO: Started server process [1] open-webui INFO: Waiting for application startup. open-webui 2025-09-29 01:37:45.838 | WARNING | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18 stream closed EOF for llm-stack/open-webui-0 (copy-app-data) open-webui 2025-09-29 01:37:48.318 | WARNING | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18 open-webui 2025-09-29 01:38:25.617 | ERROR | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str open-webui 2025-09-29 01:38:25.617 | ERROR | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session e054c838-ad49-4dcf-a9bd-f45851529e5a open-webui 2025-09-29 01:38:25.617 | WARNING | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session e054c838-ad49-4dcf-a9bd-f45851529e5a open-webui 2025-09-29 01:38:28.044 | WARNING | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session e054c838-ad49-4dcf-a9bd-f45851529e5a ```
GiteaMirror commented 2026-04-25 07:49:08 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Sep 30, 2025):

We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?

<!-- gh-comment-id:3349832618 --> @tjbck commented on GitHub (Sep 30, 2025): We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?
GiteaMirror commented 2026-04-25 07:49:09 -05:00
Author
Owner
Copy Link

@davidshen84 commented on GitHub (Sep 30, 2025):

I enabled the global debugging log, but I don't find anything useful.
Here's the full container log https://0x0.st/KBRE.log.

Is there any particular log or configuration setting you are looking for?

Also, I found the error did not occur right after I logged in, but after I
started a new chat session. The error log only occurred once, but the
warning log repeated.

Thanks

On Tue, 30 Sept 2025 at 13:47, Tim Jaeryang Baek @.***>
wrote:

tjbck left a comment (open-webui/open-webui#17829)
https://github.com/open-webui/open-webui/issues/17829#issuecomment-3349832618

We're unable to reproduce here, are you able to provide any other relevant
logs to help with troubleshooting?


Reply to this email directly, view it on GitHub
https://github.com/open-webui/open-webui/issues/17829#issuecomment-3349832618,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAQBTOJ75NKH26LXOHDXC33VH4L7AVCNFSM6AAAAACHV27B6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNBZHAZTENRRHA
.
You are receiving this because you were mentioned.Message ID:
@.***>

<!-- gh-comment-id:3350003953 --> @davidshen84 commented on GitHub (Sep 30, 2025): I enabled the global debugging log, but I don't find anything useful. Here's the full container log https://0x0.st/KBRE.log. Is there any particular log or configuration setting you are looking for? Also, I found the error did not occur right after I logged in, but after I started a new chat session. The error log only occurred once, but the warning log repeated. Thanks On Tue, 30 Sept 2025 at 13:47, Tim Jaeryang Baek ***@***.***> wrote: > *tjbck* left a comment (open-webui/open-webui#17829) > <https://github.com/open-webui/open-webui/issues/17829#issuecomment-3349832618> > > We're unable to reproduce here, are you able to provide any other relevant > logs to help with troubleshooting? > > — > Reply to this email directly, view it on GitHub > <https://github.com/open-webui/open-webui/issues/17829#issuecomment-3349832618>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAAQBTOJ75NKH26LXOHDXC33VH4L7AVCNFSM6AAAAACHV27B6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNBZHAZTENRRHA> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >
GiteaMirror commented 2026-04-25 07:49:09 -05:00
Author
Owner
Copy Link

@gvo commented on GitHub (Oct 1, 2025):

We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?

My provider is Microsoft.

The typo mentioned in https://github.com/open-webui/open-webui/issues/17585 - fixed in 0.6.32 - was intended to call get_server_metadata_url.

Per my tests with 0.6.32, get_server_metadata_url() is returning None which throws the error during _perform_token_refresh. Same error as the OP. My provider is microsoft.

2025-10-01T18:13:32.4657963Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:get_oauth_token:666 - Token refresh needed for user 53c23607-bd0f-4e5d-ac78-19fe7e84c3f9, provider microsoft
2025-10-01T18:13:32.4658559Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:727 - REFRESH_DEBUG: Session provider: microsoft (type: str)
2025-10-01T18:13:32.4658873Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:728 - REFRESH_DEBUG: Token data type: dict
2025-10-01T18:13:32.4658919Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:739 - REFRESH_DEBUG: Client: <authlib.integrations.starlette_client.apps.StarletteOAuth2App object at 0x7ed3283cbe90>, client_id: 093db6c9-xxxx-xxxx-xxxx-569c81e8b46b (type: str)
2025-10-01T18:13:32.4663653Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:742 - REFRESH_DEBUG: Server metadata URL: None (type: NoneType)
2025-10-01T18:13:32.4737630Z 2025-10-01 18:13:32.473 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:830 - Exception during token refresh for provider microsoft: Constructor parameter should be str

I know this works instead of calling get_server_metadata_url - perhaps it may be of some use.

            token_endpoint = None
            try:
                metadata = await client.load_server_metadata()
                if metadata:
                    token_endpoint = metadata.get("token_endpoint")
                    if token_endpoint:
                        log.debug(f"Retrieved token endpoint for provider {provider}: {token_endpoint}")
            except Exception as e:
                log.error(f"Failed to load server metadata for provider {provider}: {e}")

Maybe an issue with specific providers?

<!-- gh-comment-id:3357685019 --> @gvo commented on GitHub (Oct 1, 2025): > We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting? My provider is Microsoft. The typo mentioned in https://github.com/open-webui/open-webui/issues/17585 - fixed in 0.6.32 - was intended to call get_server_metadata_url. Per my tests with 0.6.32, get_server_metadata_url() is returning `None` which throws the error during _perform_token_refresh. Same error as the OP. _My provider is microsoft._ ``` 2025-10-01T18:13:32.4657963Z 2025-10-01 18:13:32.465 | DEBUG | open_webui.utils.oauth:get_oauth_token:666 - Token refresh needed for user 53c23607-bd0f-4e5d-ac78-19fe7e84c3f9, provider microsoft 2025-10-01T18:13:32.4658559Z 2025-10-01 18:13:32.465 | DEBUG | open_webui.utils.oauth:_perform_token_refresh:727 - REFRESH_DEBUG: Session provider: microsoft (type: str) 2025-10-01T18:13:32.4658873Z 2025-10-01 18:13:32.465 | DEBUG | open_webui.utils.oauth:_perform_token_refresh:728 - REFRESH_DEBUG: Token data type: dict 2025-10-01T18:13:32.4658919Z 2025-10-01 18:13:32.465 | DEBUG | open_webui.utils.oauth:_perform_token_refresh:739 - REFRESH_DEBUG: Client: <authlib.integrations.starlette_client.apps.StarletteOAuth2App object at 0x7ed3283cbe90>, client_id: 093db6c9-xxxx-xxxx-xxxx-569c81e8b46b (type: str) 2025-10-01T18:13:32.4663653Z 2025-10-01 18:13:32.465 | DEBUG | open_webui.utils.oauth:_perform_token_refresh:742 - REFRESH_DEBUG: Server metadata URL: None (type: NoneType) 2025-10-01T18:13:32.4737630Z 2025-10-01 18:13:32.473 | ERROR | open_webui.utils.oauth:_perform_token_refresh:830 - Exception during token refresh for provider microsoft: Constructor parameter should be str ``` I know this works instead of calling get_server_metadata_url - perhaps it may be of some use. ``` token_endpoint = None try: metadata = await client.load_server_metadata() if metadata: token_endpoint = metadata.get("token_endpoint") if token_endpoint: log.debug(f"Retrieved token endpoint for provider {provider}: {token_endpoint}") except Exception as e: log.error(f"Failed to load server metadata for provider {provider}: {e}") ``` Maybe an issue with specific providers?
GiteaMirror commented 2026-04-25 07:49:10 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Oct 1, 2025):

e493562735 may have addressed this issue in dev, testing wanted here!

<!-- gh-comment-id:3357979010 --> @tjbck commented on GitHub (Oct 1, 2025): e493562735089462ad6cc30060778eb79ed302a6 may have addressed this issue in dev, testing wanted here!
GiteaMirror commented 2026-04-25 07:49:10 -05:00
Author
Owner
Copy Link

@brainboutique commented on GitHub (Oct 3, 2025):

We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?

Same issue here.

open_webui.utils.oauth:get_oauth_token:654 - No OAuth session found for user xxx, session yy

but only after some time (I suspect after access token expiry). I do NOT have any log entries from
open_webui.utils.oauth:_perform_token_refresh

Yes, secret keys are set. Will keep monitoring and try the fix mentioned above.

<!-- gh-comment-id:3365301588 --> @brainboutique commented on GitHub (Oct 3, 2025): > We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting? Same issue here. `open_webui.utils.oauth:get_oauth_token:654 - No OAuth session found for user xxx, session yy` but only after some time (I suspect after access token expiry). I do NOT have any log entries from `open_webui.utils.oauth:_perform_token_refresh` Yes, secret keys are set. Will keep monitoring and try the fix mentioned above.
GiteaMirror commented 2026-04-25 07:49:11 -05:00
Author
Owner
Copy Link

@BrysonCrookDrewlo commented on GitHub (Oct 3, 2025):

Issue Report:
This issue still seems to be persisting. I’m currently running the latest dev build. However, when my token is close to expiring and I trigger a tool that relies on it, the refresh process fails with the following errors:

2025-10-03 17:21:44.357 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:804 - Exception during token refresh for provider microsoft: Constructor parameter should be str
2025-10-03 17:21:44.357 | ERROR    | open_webui.utils.oauth:_refresh_token:709 - Failed to refresh token for session 5657803b-8f5c-4b84-9f0f-af4ed2df5b8e

My OAuth provider is Microsoft.
I have all required environment variables set.

<!-- gh-comment-id:3366572728 --> @BrysonCrookDrewlo commented on GitHub (Oct 3, 2025): **Issue Report:** This issue still seems to be persisting. I’m currently running the latest `dev` build. However, when my token is close to expiring and I trigger a tool that relies on it, the refresh process fails with the following errors: ``` 2025-10-03 17:21:44.357 | ERROR | open_webui.utils.oauth:_perform_token_refresh:804 - Exception during token refresh for provider microsoft: Constructor parameter should be str 2025-10-03 17:21:44.357 | ERROR | open_webui.utils.oauth:_refresh_token:709 - Failed to refresh token for session 5657803b-8f5c-4b84-9f0f-af4ed2df5b8e ``` My OAuth provider is **Microsoft**. I have all required environment variables set.
GiteaMirror commented 2026-04-25 07:49:12 -05:00
Author
Owner
Copy Link

@jshelman commented on GitHub (Oct 6, 2025):

I was having exact same issue and errors in the log using Microsoft provider as well.

The issue appears to be that

self.get_server_metadata_url(client_id) returns None?, and throws this exception at

08f8713ee1/backend/open_webui/utils/oauth.py (L477C15-L479C24)

I haven't dug into root cause of that yet, but hard coding it to 'https://login.microsoftonline.com/{mytenantid}/v2.0/.well-known/openid-configuration' resolves the issue.

maybe this should be getting it from OPENID_PROVIDER_URL, but isn't?

<!-- gh-comment-id:3369855654 --> @jshelman commented on GitHub (Oct 6, 2025): I was having exact same issue and errors in the log using Microsoft provider as well. The issue appears to be that `self.get_server_metadata_url(client_id)` returns None?, and throws this exception at https://github.com/open-webui/open-webui/blob/08f8713ee1c290491f4e6584ec36e022fcfecd34/backend/open_webui/utils/oauth.py#L477C15-L479C24 I haven't dug into root cause of that yet, but hard coding it to 'https://login.microsoftonline.com/{mytenantid}/v2.0/.well-known/openid-configuration' resolves the issue. maybe this should be getting it from OPENID_PROVIDER_URL, but isn't?
GiteaMirror commented 2026-04-25 07:49:12 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Oct 23, 2025):

I believe this issue has been resolved, please flag again if the issue persists!

<!-- gh-comment-id:3438012426 --> @tjbck commented on GitHub (Oct 23, 2025): I believe this issue has been resolved, please flag again if the issue persists!
GiteaMirror commented 2026-04-25 07:49:13 -05:00
Author
Owner
Copy Link

@habetuz commented on GitHub (Feb 14, 2026):

@tjbck I am experiencing this issue with version 0.8.0 having WEBUI_SECRET_KEY set.

open-webui 2026-02-14 21:31:01.204 | WARNING  | open_webui.utils.oauth:get_oauth_token:973 - No OAuth session found for user a6ca1e6b-a28b-4182-8ad3-0286aa42
1a16, session 5c6b6578-499c-48f7-8aef-8673416227ae

This results in the following error in the UI:

Failed to authenticate request with Clerk

The issue only occurs when trying to chat. Not when navigating the UI. Login is successful. For OIDC I am using Authentik.

Please let me know what additional information you need!
The following is the pod resource (only relevant parts):

apiVersion: v1
kind: Pod
metadata:
  name: openwebui-open-webui-0
  namespace: openwebui
spec:
  containers:
  - env:
    - name: WEBUI_URL
      value: <domain>
    - name: ENABLE_OLLAMA_API
      value: "False"
    - name: OPENAI_API_BASE_URLS
      value: http://openwebui-pipelines.openwebui.svc.cluster.local:9099;https://openrouter.ai/api/v1
    - name: CONTENT_EXTRACTION_ENGINE
      value: Tika
    - name: TIKA_SERVER_URL
      value: http://open-webui-tika:9998
    - name: ENABLE_WEBSOCKET_SUPPORT
      value: "True"
    - name: WEBSOCKET_MANAGER
      value: redis
    - name: REDIS_URL
      value: redis://openwebui-open-webui-redis.openwebui.svc.cluster.local:6379/0
    - name: WEBSOCKET_REDIS_URL
      value: redis://openwebui-open-webui-redis.openwebui.svc.cluster.local:6379/0
    - name: ENABLE_OAUTH_SIGNUP
      value: "True"
    - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
      value: "True"
    - name: OAUTH_CLIENT_ID
      value: 6Yx17bam8Q7UxAIP38JFdgEjhSJ2jR1OgnuBVEIO
    - name: OAUTH_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          key: secret
          name: oidc-secret
    - name: OPENID_PROVIDER_URL
      value: <authentik-domain>
    - name: OAUTH_PROVIDER_NAME
      value: Authentik
    - name: OAUTH_SCOPES
      value: openid email profile
    - name: ENABLE_OAUTH_ROLE_MANAGEMENT
      value: "True"
    - name: OAUTH_ROLES_CLAIM
      value: groups
    - name: OAUTH_ALLOWED_ROLES
      value: Open-Webui User
    - name: OAUTH_ADMIN_ROLES
      value: Open-Webui Admin
    - name: ENABLE_SIGNUP
      value: "False"
    - name: ENABLE_LOGIN_FORM
      value: "False"
    - name: OPENAI_API_KEY
      valueFrom:
        secretKeyRef:
          key: apiKey
          name: openrouter-secret
    - name: DEFAULT_MODELS
      value: google/gemini-3-flash-preview
    - name: DATABASE_URL
      valueFrom:
        secretKeyRef:
          key: uri
          name: postgres-app
    - name: ENABLE_PERSISTENT_CONFIG
      value: "False"
    - name: TASK_MODEL_EXTERNAL
      value: google/gemini-3-flash-preview
    - name: ENABLE_EVALUATION_ARENA_MODELS
      value: "False"
    - name: ENABLE_BASE_MODELS_CACHE
      value: "True"
    - name: MODELS_CACHE_TTL
      value: "86400"
    - name: ENABLE_WEB_SEARCH
      value: "True"
    - name: WEB_SEARCH_ENGINE
      value: searxng
    - name: SEARXNG_QUERY_URL
      value: http://searxng.searxng.svc.cluster.local/search?q={query}
    - name: VECTOR_DB
      value: pgvector
    - name: PGVECTOR_CREATE_EXTENSION
      value: "False"
    - name: CONTENT_EXTRACTION_ENGINE
      value: tika
    - name: TIKA_SERVER_URL
      value: http://openwebui-tika.openwebui.svc.cluster.local:9998
    - name: ENABLE_IMAGE_GENERATION
      value: "True"
    - name: IMAGE_GENERATION_ENGINE
      value: openai
    - name: IMAGE_GENERATION_MODEL
      value: runware:z-image@turbo
    - name: ENABLE_IMAGE_EDIT
      value: "True"
    - name: IMAGE_EDIT_ENGINE
      value: openai
    - name: IMAGE_EDIT_MODEL
      value: black-forest-labs/flux-krea-dev
    - name: WEBUI_SECRET_KEY
      valueFrom:
        secretKeyRef:
          key: key
          name: webui-secret
    - name: GLOBAL_LOG_LEVEL
      value: DEBUG
    image: ghcr.io/open-webui/open-webui:0.8.0
    imagePullPolicy: IfNotPresent
    name: open-webui
    ports:
    - containerPort: 8080
      name: http
      protocol: TCP
    volumeMounts:
    - mountPath: /app/backend/data
      name: data
  initContainers:
  - command:
    - sh
    - -c
    - cp -R -n /app/backend/data/* /tmp/app-data/
    image: ghcr.io/open-webui/open-webui:0.8.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - mountPath: /tmp/app-data
      name: data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: openwebui-open-webui
<!-- gh-comment-id:3902560316 --> @habetuz commented on GitHub (Feb 14, 2026): @tjbck I am experiencing this issue with version `0.8.0` having `WEBUI_SECRET_KEY` set. ``` open-webui 2026-02-14 21:31:01.204 | WARNING | open_webui.utils.oauth:get_oauth_token:973 - No OAuth session found for user a6ca1e6b-a28b-4182-8ad3-0286aa42 1a16, session 5c6b6578-499c-48f7-8aef-8673416227ae ``` This results in the following error in the UI: ``` Failed to authenticate request with Clerk ``` The issue only occurs when trying to chat. Not when navigating the UI. Login is successful. For OIDC I am using Authentik. Please let me know what additional information you need! The following is the pod resource (only relevant parts): ```yaml apiVersion: v1 kind: Pod metadata: name: openwebui-open-webui-0 namespace: openwebui spec: containers: - env: - name: WEBUI_URL value: <domain> - name: ENABLE_OLLAMA_API value: "False" - name: OPENAI_API_BASE_URLS value: http://openwebui-pipelines.openwebui.svc.cluster.local:9099;https://openrouter.ai/api/v1 - name: CONTENT_EXTRACTION_ENGINE value: Tika - name: TIKA_SERVER_URL value: http://open-webui-tika:9998 - name: ENABLE_WEBSOCKET_SUPPORT value: "True" - name: WEBSOCKET_MANAGER value: redis - name: REDIS_URL value: redis://openwebui-open-webui-redis.openwebui.svc.cluster.local:6379/0 - name: WEBSOCKET_REDIS_URL value: redis://openwebui-open-webui-redis.openwebui.svc.cluster.local:6379/0 - name: ENABLE_OAUTH_SIGNUP value: "True" - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL value: "True" - name: OAUTH_CLIENT_ID value: 6Yx17bam8Q7UxAIP38JFdgEjhSJ2jR1OgnuBVEIO - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: key: secret name: oidc-secret - name: OPENID_PROVIDER_URL value: <authentik-domain> - name: OAUTH_PROVIDER_NAME value: Authentik - name: OAUTH_SCOPES value: openid email profile - name: ENABLE_OAUTH_ROLE_MANAGEMENT value: "True" - name: OAUTH_ROLES_CLAIM value: groups - name: OAUTH_ALLOWED_ROLES value: Open-Webui User - name: OAUTH_ADMIN_ROLES value: Open-Webui Admin - name: ENABLE_SIGNUP value: "False" - name: ENABLE_LOGIN_FORM value: "False" - name: OPENAI_API_KEY valueFrom: secretKeyRef: key: apiKey name: openrouter-secret - name: DEFAULT_MODELS value: google/gemini-3-flash-preview - name: DATABASE_URL valueFrom: secretKeyRef: key: uri name: postgres-app - name: ENABLE_PERSISTENT_CONFIG value: "False" - name: TASK_MODEL_EXTERNAL value: google/gemini-3-flash-preview - name: ENABLE_EVALUATION_ARENA_MODELS value: "False" - name: ENABLE_BASE_MODELS_CACHE value: "True" - name: MODELS_CACHE_TTL value: "86400" - name: ENABLE_WEB_SEARCH value: "True" - name: WEB_SEARCH_ENGINE value: searxng - name: SEARXNG_QUERY_URL value: http://searxng.searxng.svc.cluster.local/search?q={query} - name: VECTOR_DB value: pgvector - name: PGVECTOR_CREATE_EXTENSION value: "False" - name: CONTENT_EXTRACTION_ENGINE value: tika - name: TIKA_SERVER_URL value: http://openwebui-tika.openwebui.svc.cluster.local:9998 - name: ENABLE_IMAGE_GENERATION value: "True" - name: IMAGE_GENERATION_ENGINE value: openai - name: IMAGE_GENERATION_MODEL value: runware:z-image@turbo - name: ENABLE_IMAGE_EDIT value: "True" - name: IMAGE_EDIT_ENGINE value: openai - name: IMAGE_EDIT_MODEL value: black-forest-labs/flux-krea-dev - name: WEBUI_SECRET_KEY valueFrom: secretKeyRef: key: key name: webui-secret - name: GLOBAL_LOG_LEVEL value: DEBUG image: ghcr.io/open-webui/open-webui:0.8.0 imagePullPolicy: IfNotPresent name: open-webui ports: - containerPort: 8080 name: http protocol: TCP volumeMounts: - mountPath: /app/backend/data name: data initContainers: - command: - sh - -c - cp -R -n /app/backend/data/* /tmp/app-data/ image: ghcr.io/open-webui/open-webui:0.8.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /tmp/app-data name: data volumes: - name: data persistentVolumeClaim: claimName: openwebui-open-webui ```
GiteaMirror commented 2026-04-25 07:49:14 -05:00
Author
Owner
Copy Link

@habetuz commented on GitHub (Feb 15, 2026):

Leaving this here if anyone else faces the same problem:

I installed Open-Webui using the helm chart and enabled pipelines. After disabling pipelines everything works as expected. As I currently do not need pipelines, I did not investigate further, why this occurs, but I think it has something to do with how OPENAI_API_BASE_URLS is used in combination with OPENAI_API_KEY.

<!-- gh-comment-id:3904397568 --> @habetuz commented on GitHub (Feb 15, 2026): Leaving this here if anyone else faces the same problem: I installed Open-Webui using the helm chart and enabled pipelines. After disabling pipelines everything works as expected. As I currently do not need pipelines, I did not investigate further, why this occurs, but I think it has something to do with how `OPENAI_API_BASE_URLS` is used in combination with `OPENAI_API_KEY`.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#33938
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?