[GH-ISSUE #19730] feat: oauth allow for custom query parameters in call to authorize_redirect() for auth0 audience and jwt access_tokens #34500

Closed
opened 2026-04-25 08:30:49 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @bitsofinfo on GitHub (Dec 3, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19730

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

Using open-webui: 0.6.40

Have OIDC setup and working fine w/ Auth0. User gets redirected to auth0, login, redirected back with a valid token. The issue is that the access_token is an opaque auth0 token and not a JWT. This token is encrypted and stored fine in the open-webui db.

In order to get JWT access_tokens from Auth0, on authorize the query parameter audience must be passed.

I have the "OAuth" passthrough configured as the authorization for a particular model. We need this model's /v1/chat/completions call to receive the the access_token for the user, as configured. It does received the token, but because the token is not a jwt (but an auth0 opaque token), downstream systems cannot just decode it on the fly and it makes interoperability with oauth resource endpoints expecting a jwt to fail.

The reason for this is because the oauth.py (handle_login method) does not permit any customization of query parameters during the call to authlib's client.authorize_redirect(): 6f1486ffd0/backend/open_webui/utils/oauth.py (L1263)

authlib's authorize_redirect() does allow extra parameters to be passed in kwargs but oauth.py isn't doing this:
260d04edee/authlib/integrations/starlette_client/apps.py (L25)

authlib's create_authorization_url() also has an authorization_params that it will seed into the kwargs, but not sure if openweb-ui is setting that on the client instantiation:

260d04edee/authlib/integrations/base_client/sync_app.py (L143)

260d04edee/authlib/integrations/base_client/async_app.py (L21)

Would be great to add a configuration to customize the parameters for the authorize redirect call.

Desired Solution you'd like

see above

Alternatives Considered

see above

Additional Context

No response

Originally created by @bitsofinfo on GitHub (Dec 3, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/19730 ### Check Existing Issues - [x] I have searched for all existing **open AND closed** issues and discussions for similar requests. I have found none that is comparable to my request. ### Verify Feature Scope - [x] I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions. ### Problem Description Using open-webui: 0.6.40 Have OIDC setup and working fine w/ Auth0. User gets redirected to auth0, login, redirected back with a valid token. The issue is that the access_token is an opaque auth0 token and not a JWT. This token is encrypted and stored fine in the open-webui db. In order to get JWT access_tokens from Auth0, on authorize the query parameter `audience` must be passed. I have the "OAuth" passthrough configured as the authorization for a particular model. We need this model's /v1/chat/completions call to receive the the access_token for the user, as configured. It does received the token, but because the token is not a jwt (but an auth0 opaque token), downstream systems cannot just decode it on the fly and it makes interoperability with oauth resource endpoints expecting a jwt to fail. The reason for this is because the `oauth.py` (`handle_login` method) does not permit any customization of query parameters during the call to authlib's `client.authorize_redirect()`: https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/backend/open_webui/utils/oauth.py#L1263 authlib's `authorize_redirect()` does allow extra parameters to be passed in kwargs but `oauth.py` isn't doing this: https://github.com/authlib/authlib/blob/260d04edee23d8470057ea659c16fb8a2c7b0dc2/authlib/integrations/starlette_client/apps.py#L25 authlib's `create_authorization_url()` also has an `authorization_params` that it will seed into the kwargs, but not sure if openweb-ui is setting that on the client instantiation: https://github.com/authlib/authlib/blob/260d04edee23d8470057ea659c16fb8a2c7b0dc2/authlib/integrations/base_client/sync_app.py#L143 https://github.com/authlib/authlib/blob/260d04edee23d8470057ea659c16fb8a2c7b0dc2/authlib/integrations/base_client/async_app.py#L21 Would be great to add a configuration to customize the parameters for the authorize redirect call. ### Desired Solution you'd like see above ### Alternatives Considered see above ### Additional Context _No response_
Author
Owner

@owui-terminator[bot] commented on GitHub (Dec 3, 2025):

🔍 Similar Issues Found

I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:

  1. #19708 feat: Keycloak authentication support
    by fux-dev • Dec 03, 2025

  2. #18924 feat: Allow authorization code flow with SSO logins
    by pllopis • Nov 04, 2025

  3. #17183 feat: Allow Passing OAuth Token to Tool Calls
    by koflerm • Sep 03, 2025

  4. #19313 feat: User specific MCP headers
    by patrykkozuch • Nov 20, 2025

  5. #18045 feat: openid login without email scope
    by itsHenry35 • Oct 04, 2025

Show 2 more related issues
  1. #15239 feat: Enable Oauth Popup flow
    by Ardakilic • Jun 23, 2025

  2. #19460 feat: Support Role Assignment via LDAP or OAuth Groups in OpenWebUI
    by PrinzMichiDE • Nov 25, 2025


💡 Tips:

  • If this is a duplicate, please consider closing this issue and adding any additional details to the existing one
  • If you found a solution in any of these issues, please share it here to help others

This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.

<!-- gh-comment-id:3609205436 --> @owui-terminator[bot] commented on GitHub (Dec 3, 2025): 🔍 **Similar Issues Found** I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions: 1. [#19708](https://github.com/open-webui/open-webui/issues/19708) **feat: Keycloak authentication support** *by fux-dev • Dec 03, 2025* 2. [#18924](https://github.com/open-webui/open-webui/issues/18924) **feat: Allow authorization code flow with SSO logins** *by pllopis • Nov 04, 2025* 3. [#17183](https://github.com/open-webui/open-webui/issues/17183) **feat: Allow Passing OAuth Token to Tool Calls** *by koflerm • Sep 03, 2025* 4. [#19313](https://github.com/open-webui/open-webui/issues/19313) **feat: User specific MCP headers** *by patrykkozuch • Nov 20, 2025* 5. [#18045](https://github.com/open-webui/open-webui/issues/18045) **feat: openid login without email scope** *by itsHenry35 • Oct 04, 2025* <details> <summary>Show 2 more related issues</summary> 6. [#15239](https://github.com/open-webui/open-webui/issues/15239) **feat: Enable Oauth Popup flow** *by Ardakilic • Jun 23, 2025* 7. [#19460](https://github.com/open-webui/open-webui/issues/19460) **feat: Support Role Assignment via LDAP or OAuth Groups in OpenWebUI** *by PrinzMichiDE • Nov 25, 2025* </details> --- 💡 **Tips:** - If this is a duplicate, please consider closing this issue and adding any additional details to the existing one - If you found a solution in any of these issues, please share it here to help others *This comment was generated automatically by a bot.* Please react with a 👍 if this comment was helpful, or a 👎 if it was not.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#34500