[GH-ISSUE #19148] issue: Verify OAuth mcp server sends incorrect authorization header #34314

Closed
opened 2026-04-25 08:15:13 -05:00 by GiteaMirror · 0 comments

Originally created by @Oleg52 on GitHub (Nov 12, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19148

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.36

Ollama Version (if applicable)

No response

Operating System

Windows 11

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The correct Authorization header is sent to the MCP server URL, for example:

```
Authorization: Bearer eyJh.....
```

Actual Behavior

The whole OAuth token response is sent to the MCP server URL in the Authorization header, for example:

```
Authorization: Bearer {"id_token":"eyJh....
```

Steps to Reproduce

  1. Start Open Web UI.
  2. Go to Admin Panel -> External Tools.
  3. Set type to MCP Streamable HTTP.
  4. Set MCP server url.
  5. Set Auth type to OAuth.
  6. Verify connection.

Logs & Screenshots

None

Additional Information

I will create a PR to fix it.

GiteaMirror added the bug label 2026-04-25 08:15:13 -05:00
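
The symptom reported above, as an added Python example that is not Open WebUI's code or the reporter's fix: it contrasts serializing the whole token response with sending only `access_token`, and adds a receiving-side check that names which token-response fields reached the server. The function names and sample values are constructed for illustration; the field names follow RFC 6749 section 5.1 and the credential syntax follows RFC 6750 section 2.1.

```python
import json
import re

# RFC 6750 section 2.1 "b64token" syntax for a bearer credential.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Constructed sample token response (RFC 6749 section 5.1 field names, fake values).
SAMPLE_TOKEN_RESPONSE = {
    "id_token": "eyJh.constructed-id.sig",
    "access_token": "eyJh.constructed-access.sig",
    "refresh_token": "constructed-refresh",
    "token_type": "Bearer",
    "expires_in": 3600,
}


def buggy_auth_header(token_response: dict) -> str:
    """Reproduce the reported symptom: the whole response is serialized."""
    return "Bearer " + json.dumps(token_response, separators=(",", ":"))


def auth_header(token_response: dict) -> str:
    """Build the header from access_token only, rejecting anything else."""
    token = token_response.get("access_token")
    if not isinstance(token, str) or not B64TOKEN.fullmatch(token):
        raise ValueError("token response has no usable access_token")
    if str(token_response.get("token_type", "Bearer")).lower() != "bearer":
        raise ValueError("token_type is not Bearer")
    return "Bearer " + token


def leaked_fields(header_value: str) -> list[str]:
    """Receiving side: list token-response keys found in a malformed bearer value."""
    scheme, _, credential = header_value.partition(" ")
    if scheme.lower() != "bearer" or B64TOKEN.fullmatch(credential):
        return []  # not bearer, or a well-formed credential
    try:
        parsed = json.loads(credential)
    except ValueError:
        return ["<unparseable>"]
    return sorted(parsed) if isinstance(parsed, dict) else ["<unparseable>"]
```

When the token response carries a `refresh_token`, the buggy form hands that long-lived credential to the MCP server as well, so a non-empty `leaked_fields` result on the receiving side is a reason to rotate the affected tokens.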

Reference: github-starred/open-webui#34314