[GH-ISSUE #18979] feat: support for semicolon-separated oauth group claims #34265

Closed
opened 2026-04-25 08:11:13 -05:00 by GiteaMirror · 6 comments

Originally created by @ianmichaelterry on GitHub (Nov 6, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/18979

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

My OIDC provider returns claims for "affiliation" as a semicolon separated list, ex "Faculty@ucsc.edu;Employee@ucsc.edu;Member@ucsc.edu". However, OWUI treats this as a single monolithic group name.

Desired Solution you'd like

I propose that we detect semicolons and interpret the result as a list of group names. I have implemented this in my local copy of OWUI with the following code:


```python
if ";" in claim_data:
    user_oauth_groups = claim_data.split(";")
else:
    user_oauth_groups = [claim_data]
```

This code goes in the `update_user_groups` function in `oauth.py`, approximate line number 920.
ex.


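```python
# claim_data is the raw value of the group claim from the provider
if isinstance(claim_data, list):
    # Provider already sent a list of group names
    user_oauth_groups = claim_data
elif isinstance(claim_data, str):
    if ";" in claim_data:
        # Semicolon-separated string: one group name per segment
        user_oauth_groups = claim_data.split(";")
    else:
        user_oauth_groups = [claim_data]
else:
    # Missing or unexpected claim type: no groups
    user_oauth_groups = []
```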

Alternatives Considered

No response

Additional Context

Screenshot shows before and after of the proposed change

Image

For the CILogon authentication system that supports thousands of universities worldwide, semicolons are the conventional separator for group membership associated with the affiliation claim. See "affiliation" on cilogon.org/oidc


@rndmcnlly commented on GitHub (Nov 6, 2025):

I want to endorse this change because it will have a big impact on my ability to spread OWUI-based BayLeaf to many other universities around the world.


@Classic298 commented on GitHub (Nov 6, 2025):

Should be addressed by this env var which was introduced today - please confirm.

https://docs.openwebui.com/getting-started/env-configuration#oauth_roles_separator


@rndmcnlly commented on GitHub (Nov 6, 2025):

Wait, please reopen, `OAUTH_ROLES_SEPARATOR` is not a solution here because we need a separator for **groups** rather than **roles**.

That said, `OAUTH_GROUPS_SEPARATOR` would be a nice name for a configurable version of what we've hard-coded as `;` in the solution above.
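
A configurable version of the split proposed in the issue and in the comment above, as an added example that is not part of the original thread and is not Open WebUI's code. The function name `parse_group_claim` is hypothetical and `OAUTH_GROUPS_SEPARATOR` is only the name suggested in this thread; unlike the snippet in the issue, this version also trims whitespace, drops empty segments and duplicates, and never re-splits entries of a claim that already arrives as a list.

```python
import os

# Name proposed in this thread; an assumption here, not a documented setting.
GROUPS_SEPARATOR = os.environ.get("OAUTH_GROUPS_SEPARATOR", ";")

# Constructed sample input, taken from the claim format quoted in the issue.
SAMPLE_CLAIM = "Faculty@ucsc.edu;Employee@ucsc.edu;Member@ucsc.edu"


def parse_group_claim(claim_data, separator=GROUPS_SEPARATOR):
    """Normalize a group claim into an ordered list of unique group names."""
    if isinstance(claim_data, str):
        # Only a plain string claim is split; an empty separator disables
        # splitting so the whole string stays one group name.
        candidates = claim_data.split(separator) if separator else [claim_data]
    elif isinstance(claim_data, (list, tuple)):
        # The provider already delimited the names, so entries are kept
        # whole: a group name that contains the separator must not turn
        # into membership of two other groups.
        candidates = list(claim_data)
    else:
        # Missing claim or unexpected type (dict, number, None): no groups.
        candidates = []

    groups = []
    for item in candidates:
        if not isinstance(item, str):
            continue  # ignore nested objects, numbers, None
        name = item.strip()
        # Skip empty segments from ";;" or a trailing ";", and duplicates.
        if name and name not in groups:
            groups.append(name)
    return groups


if __name__ == "__main__":
    print(parse_group_claim(SAMPLE_CLAIM, ";"))
```

Because group membership drives access decisions, the empty-segment and non-string checks matter: without them a trailing separator yields a group named `""` and a malformed claim can raise instead of resolving to no groups.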


@Classic298 commented on GitHub (Nov 6, 2025):

PR welcome, sorry for the misunderstanding


@rndmcnlly commented on GitHub (Nov 6, 2025):

No problem, here's the PR: https://github.com/open-webui/open-webui/pull/18983


@Classic298 commented on GitHub (Nov 6, 2025):

@rndmcnlly please reopen with correct CLA


Reference: github-starred/open-webui#34265