github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-27 20:07:29 -05:00
Code Issues 2.4k Packages Projects Releases 129 Wiki Activity

[GH-ISSUE #20651] issue: Audit logging skips browser/cookie-based sessions - only logs API key requests #34777

New Issue
Closed
opened 2026-04-25 08:57:36 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 08:57:36 -05:00
Owner
Copy Link

Originally created by @domklusak on GitHub (Jan 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20651

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.7.2

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Audit logging should capture all authenticated requests, regardless of whether authentication is via:

  • Authorization header (API keys)
  • Session cookies (browser/OAuth sessions)

Suggested fix:
The _should_skip_auditing method should also check for valid session cookies or attempt to resolve the user from the request context.

Actual Behavior

The audit logging middleware (AuditLoggingMiddleware) only logs requests that contain an Authorization header. This means all browser-based user activity is not captured in audit logs, since web sessions use cookies (owui-session) for authentication, not Authorization headers.

Only API key-based requests (using sk-... tokens in the Authorization header) are logged.

Authentication: OAuth (Okta OIDC)

Root Cause
In backend/open_webui/utils/audit.py, the _should_skip_auditing method skips all requests without an authorization header:

def _should_skip_auditing(self, request: Request) -> bool:
    if (
        request.method not in {"POST", "PUT", "PATCH", "DELETE"}
        or AUDIT_LOG_LEVEL == "NONE"
    ):
        return True

    ALWAYS_LOG_ENDPOINTS = {
        "/api/v1/auths/signin",
        "/api/v1/auths/signout",
        "/api/v1/auths/signup",
    }
    path = request.url.path.lower()
    for endpoint in ALWAYS_LOG_ENDPOINTS:
        if path.startswith(endpoint):
            return False

    # Skip logging if the request is not authenticated
    if not request.headers.get("authorization"):    # <-- HERE
        return True
    ...

Steps to Reproduce

  1. Configure audit logging by setting these environment variables:
AUDIT_LOG_LEVEL=REQUEST_RESPONSE
ENABLE_AUDIT_LOGS_FILE=true
AUDIT_LOGS_FILE_PATH=/app/backend/data/audit.log
``
2. Configure OAuth/SSO authentication (e.g., Okta, Google, or any OIDC provider) with:

ENABLE_LOGIN_FORM=false
ENABLE_OAUTH_SIGNUP=true

3. Restart OpenWebUI to apply the configuration
4. Log in via OAuth (browser-based SSO login)
5. Perform some actions as the logged-in user
6. Check the audit log file
7. The audit log file is empty (0 bytes) despite user activity

### Logs & Screenshots

-rw-r--r-- 1 root root 0 Jan 13 21:25 audit.log
drwxr-xr-x 1 root root 49 Jan 13 21:25 cache
drwxr-xr-x 2 root root 6 Jan 13 21:25 uploads


### Additional Information

Configuration used:

AUDIT_LOG_LEVEL: "REQUEST_RESPONSE"
ENABLE_AUDIT_STDOUT: "true"
ENABLE_AUDIT_LOGS_FILE: "true"
AUDIT_EXCLUDED_PATHS: ""


Despite this configuration, the audit.log file remains empty (0 bytes) because all browser-based requests are skipped.
Originally created by @domklusak on GitHub (Jan 13, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/20651 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.7.2 ### Ollama Version (if applicable) _No response_ ### Operating System Ubuntu 22.04 ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Audit logging should capture all authenticated requests, regardless of whether authentication is via: - `Authorization` header (API keys) - Session cookies (browser/OAuth sessions) Suggested fix: The `_should_skip_auditing` method should also check for valid session cookies or attempt to resolve the user from the request context. ### Actual Behavior The audit logging middleware (`AuditLoggingMiddleware`) only logs requests that contain an Authorization header. This means all browser-based user activity is not captured in audit logs, since web sessions use cookies (`owui-session`) for authentication, not Authorization headers. Only API key-based requests (using sk-... tokens in the Authorization header) are logged. Authentication: OAuth (Okta OIDC) Root Cause In `backend/open_webui/utils/audit.py,` the `_should_skip_auditing` method skips all requests without an `authorization` header: ``` def _should_skip_auditing(self, request: Request) -> bool: if ( request.method not in {"POST", "PUT", "PATCH", "DELETE"} or AUDIT_LOG_LEVEL == "NONE" ): return True ALWAYS_LOG_ENDPOINTS = { "/api/v1/auths/signin", "/api/v1/auths/signout", "/api/v1/auths/signup", } path = request.url.path.lower() for endpoint in ALWAYS_LOG_ENDPOINTS: if path.startswith(endpoint): return False # Skip logging if the request is not authenticated if not request.headers.get("authorization"): # <-- HERE return True ... ``` ### Steps to Reproduce 1. Configure audit logging by setting these environment variables: ``` AUDIT_LOG_LEVEL=REQUEST_RESPONSE ENABLE_AUDIT_LOGS_FILE=true AUDIT_LOGS_FILE_PATH=/app/backend/data/audit.log `` 2. Configure OAuth/SSO authentication (e.g., Okta, Google, or any OIDC provider) with: ``` ENABLE_LOGIN_FORM=false ENABLE_OAUTH_SIGNUP=true ``` 3. Restart OpenWebUI to apply the configuration 4. Log in via OAuth (browser-based SSO login) 5. Perform some actions as the logged-in user 6. Check the audit log file 7. The audit log file is empty (0 bytes) despite user activity ### Logs & Screenshots ``` -rw-r--r-- 1 root root 0 Jan 13 21:25 audit.log drwxr-xr-x 1 root root 49 Jan 13 21:25 cache drwxr-xr-x 2 root root 6 Jan 13 21:25 uploads ``` ### Additional Information Configuration used: ``` AUDIT_LOG_LEVEL: "REQUEST_RESPONSE" ENABLE_AUDIT_STDOUT: "true" ENABLE_AUDIT_LOGS_FILE: "true" AUDIT_EXCLUDED_PATHS: "" ``` Despite this configuration, the audit.log file remains empty (0 bytes) because all browser-based requests are skipped.
GiteaMirror added the bug label 2026-04-25 08:57:36 -05:00
GiteaMirror commented 2026-04-25 08:57:37 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Jan 22, 2026):

Should be addressed in dev!

<!-- gh-comment-id:3786740038 --> @tjbck commented on GitHub (Jan 22, 2026): Should be addressed in dev!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#34777
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?