OAuth logout functionality fails to remove cookies with external domain SSO #3413

Closed
opened 2025-11-11 15:31:17 -06:00 by GiteaMirror · 3 comments

Originally created by @TheDropZone on GitHub (Jan 24, 2025).

Bug Report

Installation Method

docker-compose deployment, with nginx proxy

Environment

  • Open WebUI Version: v0.5.4
  • Operating System: Ubuntu 20.04.6 LTS
  • Browser (if applicable): Chrome
  • Keycloak: 24.0

Expected Behavior:

When using keycloak as the OAuth provider, after logging in, I see token and oauth_id_token cookies stored in my browser for the open-webui domain. When I click signout in the UI, both "token" and "oauth_id_token" cookies are removed from my browser (on open-webui domain) and I am redirected to my keycloak signout endpoint where I am signed out of keycloak.

Based on work done in keycloak signout MR: https://github.com/open-webui/open-webui/pull/7678

Actual Behavior:

When using keycloak as the OAuth provider, after logging in, I see token and oauth_id_token cookies stored in my browser for the open-webui domain. When I click signout in the UI, I am redirected to my keycloak signout endpoint where I am signed out of keycloak, but I see an error on the network redirect, and the "token" and "oauth_id_token" cookies are still registered in my browser for the open-webui domain.

Description

So, I've deployed this OAuth functionality alongside a keycloak instance, and am running into some issues with the cookie deletion when open-webui and keycloak live on different domains.

  • openwebui01-domain.com
  • kc01-domain.com

The cookies (token, oauth_id_token) live and are set on the open-webui domain (openwebui01-domain.com), but the signout url from keycloak (and the openid_config) is on kc01-domain.com. So, it seems that when the signout endpoint requests to delete the cookies (living on openwebui01) but then redirects to kc01-domain for signout, the cookies don't get deleted (due to cookie domain mismatch). Because I'm redirected to the kc01-domain for the signout, the cookies don't exist at that domain to be deleted, and token and oauth_id_token live forever.

Reproduction Details

  1. Run open-webui (via docker) with OAuth configuration pointed at a keycloak instance with a client setup for oauth
  2. Configure OAuth via environment variables
      - ENABLE_OAUTH_SIGNUP=True
      - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=True
      - OAUTH_CLIENT_ID=open-webui
      - OAUTH_CLIENT_SECRET=secret-here
      - OAUTH_PROVIDER_NAME=name-here
      - OAUTH_SCOPES=openid email roles
      - OPENID_PROVIDER_URL=https://kc01-domain.com/realms/your-realm/.well-known/openid-configuration
      - OPENID_REDIRECT_URI=https://openwebui01-domain.com/oauth/oidc/callback
      - ENABLE_OAUTH_ROLE_MANAGEMENT=False
  3. Ensure keycloak has a valid client for that client-id at your-realm.
  4. Sign into open-webui using the oauth provider via chrome.
  5. Open chrome dev-tools and the application tab and check the cookies for your open-webui domain. Expect to see "token" and "oauth_id_token" cookie values.
  6. Click the signout button in the UI.
  7. Notice that you are redirected to your keycloak signout url and signed out of keycloak. With your chrome dev tools still up, notice that the redirect request to logout is marked as red (but 200 ok) -> due to cookie issues.
  8. Go back to your open-webui domain, open dev tools, and check the application tab and cookies for your open-webui domain. See that the token and oauth_id_token cookies still remain.

Logs and Screenshots

Browser Console Logs:

[Image: https://github.com/user-attachments/assets/2a45934f-ea47-425b-8056-59866d7f65a8]
[Image: https://github.com/user-attachments/assets/739efde8-4abe-4d8b-b181-7e5c5581a1a7]

Docker Container Logs:

INFO:     10.102.0.117:0 - "GET /api/v1/auths/signout HTTP/1.1" 307 Temporary Redirect

Additional Information

From initial debugging and adding log statements and such, I have validated that the signout code is executing correctly:
https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/auths.py#L513

from aiohttp import ClientSession
from fastapi import APIRouter, HTTPException, Request, Response
from fastapi.responses import RedirectResponse

from open_webui.config import ENABLE_OAUTH_SIGNUP, OPENID_PROVIDER_URL

router = APIRouter()  # mounted under /api/v1/auths, hence the GET /api/v1/auths/signout in the logs


@router.get("/signout")
async def signout(request: Request, response: Response):
    # Expire the open-webui session cookie on the injected `response` object.
    response.delete_cookie("token")

    if ENABLE_OAUTH_SIGNUP.value:
        oauth_id_token = request.cookies.get("oauth_id_token")
        if oauth_id_token:
            try:
                # Look up the provider's end_session_endpoint from the OpenID
                # configuration document (served from kc01-domain.com here).
                async with ClientSession() as session:
                    async with session.get(OPENID_PROVIDER_URL.value) as resp:
                        if resp.status == 200:
                            openid_data = await resp.json()
                            logout_url = openid_data.get("end_session_endpoint")
                            if logout_url:
                                # The second deletion is also applied to the
                                # injected `response`, while a newly constructed
                                # RedirectResponse is the object that is returned.
                                response.delete_cookie("oauth_id_token")
                                return RedirectResponse(
                                    url=f"{logout_url}?id_token_hint={oauth_id_token}"
                                )
                        else:
                            raise HTTPException(
                                status_code=resp.status,
                                detail="Failed to fetch OpenID configuration",
                            )
            except Exception as e:
                # Any failure above, including the HTTPException, is re-raised as a 500.
                raise HTTPException(status_code=500, detail=str(e))
    # (remainder of the handler is not shown in the report)

But, I have confirmed that the token and oauth_id_token values are stored on the open-webui domain, but the redirect sends me to the keycloak domain (which doesn't have the cookies, due to domain locking).

So, I'm not quite sure how to address this issue? It almost seems that the signout and cookie removal on open-webui would need to happen in a distinct and separate request chain than the logout call to keycloak?
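
Added example (editor's code, not open-webui's and not taken from the PRs linked in this thread). Cookies are scoped to the host that set them, so the only response in which the browser will honour a deletion of "token" and "oauth_id_token" is one it receives from openwebui01-domain.com, and the 307 returned by /api/v1/auths/signout is exactly that response; where its Location header points (kc01-domain.com) has no bearing on which cookies get cleared. What does matter is whether the Set-Cookie deletion headers are on the redirect response the browser actually receives. In the handler quoted above, delete_cookie() is called on the injected `response` parameter, but a freshly constructed RedirectResponse is what the handler returns, and FastAPI only merges the injected parameter's headers into the final response when a handler returns a plain value, not when it returns a Response object directly. The block below models both shapes of the signout response using only the standard library (no FastAPI dependency) and provides a check, signout_clears_session(), that can be run over the headers of a captured 307 (copied from DevTools or `curl -i`) to confirm every session cookie is expired. The end_session_endpoint URL and the id_token value are constructed placeholders, not values from a real deployment.

```python
"""Added example, not open-webui code: model the signout 307 two ways and
check whether its headers actually expire the session cookies."""
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Cookies open-webui sets on its own host at OAuth login (named in the report).
SESSION_COOKIES = ("token", "oauth_id_token")

# Constructed placeholders (assumptions, not from a real deployment): a
# Keycloak-style end_session_endpoint and a fake id_token.
END_SESSION_ENDPOINT = (
    "https://kc01-domain.com/realms/your-realm/protocol/openid-connect/logout"
)
FAKE_ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.e30.c2ln"


def deletion_header(name, path="/"):
    """Set-Cookie value that expires `name`, in the shape Starlette's
    delete_cookie() emits: empty value, Expires in the past, Max-Age=0.
    Path (and Domain, if the login cookie carried one) must match the
    original cookie, otherwise the browser keeps the old one."""
    return (
        f'{name}=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; '
        f"Path={path}; Secure; HttpOnly; SameSite=lax"
    )


def logout_location(end_session_endpoint, id_token):
    """end_session_endpoint?id_token_hint=... with the hint URL-encoded."""
    return f"{end_session_endpoint}?{urlencode({'id_token_hint': id_token})}"


def broken_signout(end_session_endpoint, id_token, cookies=SESSION_COOKIES):
    """Shape of what the reporter observed: the deletions are written to one
    object (the injected `response`), but a different object carrying only
    the redirect is returned. Only the returned object reaches the browser."""
    injected = [("set-cookie", deletion_header(c)) for c in cookies]  # never sent
    redirect = (307, [("location", logout_location(end_session_endpoint, id_token))])
    return redirect  # `injected` is dropped here


def fixed_signout(end_session_endpoint, id_token, cookies=SESSION_COOKIES):
    """Deletions and Location on the same response object that is returned."""
    headers = [("location", logout_location(end_session_endpoint, id_token))]
    headers += [("set-cookie", deletion_header(c)) for c in cookies]
    return 307, headers


def cleared_cookies(headers):
    """Names of cookies these response headers expire. Accepts any list of
    (name, value) pairs, e.g. one copied from DevTools or `curl -i` output."""
    cleared = set()
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if morsel["max-age"] == "0" or "1970" in morsel["expires"]:
                cleared.add(name)
    return cleared


def signout_clears_session(status, headers, cookies=SESSION_COOKIES):
    """True only if the response is a redirect AND expires every session
    cookie; a redirect that leaves `token` alive fails the check."""
    return status in (302, 303, 307) and set(cookies) <= cleared_cookies(headers)


if __name__ == "__main__":
    for label, build in (("broken", broken_signout), ("fixed", fixed_signout)):
        status, headers = build(END_SESSION_ENDPOINT, FAKE_ID_TOKEN)
        print(label, status, sorted(cleared_cookies(headers)),
              signout_clears_session(status, headers))
```

When checking a real deployment, capture the 307 from /api/v1/auths/signout itself (not the subsequent request to kc01-domain.com) and feed its header lines to cleared_cookies(); if "token" is missing from the result, the session cookie survives logout and the JWT in it remains usable from that browser until it expires on its own.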

@the-c0d3br34k3r commented on GitHub (Feb 9, 2025):

@TheDropZone, great job on documenting the steps in detail 🙌
It seems like a simple fix.
I've proposed the fix here: https://github.com/open-webui/open-webui/discussions/9679

@tjbck commented on GitHub (Feb 18, 2025):

PR Welcome!

@the-c0d3br34k3r commented on GitHub (Feb 18, 2025):

> PR Welcome!

Here it is - https://github.com/open-webui/open-webui/pull/10285
