[GH-ISSUE #20733] issue: OIDC Client Secret Value not URL Encoding Special Characters #34807

Closed
opened 2026-04-25 08:59:14 -05:00 by GiteaMirror · 4 comments

Originally created by @atnjqt on GitHub (Jan 16, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20733

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.7.2

Ollama Version (if applicable)

No response

Operating System

Amazon Linux 2023

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

I just recently set up an AWS Beanstalk EC2 deployment for Open-WebUI, to keep all environment configurations as environment variables. Notably we are rolling out OIDC OAUTH SSO login for this application and, surprisingly, we are finding that the OIDC Client Secret value is rejected at the IDP if it contains a special character.

Actual Behavior

In my case, our client secret value had a + symbol in it, and it only works if the environment variable value is saved URL encoded as %2B; then the IDP authenticates and provides the token.

Steps to Reproduce

Deploying using the following env vars helps confirm this; make sure your OAUTH OIDC IDP generates a client secret with a special char (in this case, a plus character +):

    # Authentication
    WEBUI_AUTH: "true"
    ENABLE_OAUTH_SIGNUP: "true"
    ENABLE_LOGIN_FORM: "false"
    ENABLE_OAUTH_PERSISTENT_CONFIG: "false"
    OAUTH_CLIENT_ID: "www.your-domain.com.abcd1234"
    OAUTH_CLIENT_SECRET: "helloworld+1234"
    OPENID_PROVIDER_URL: "https://idp.your_oauth_provider.com/.well-known/openid-configuration"
    OAUTH_PROVIDER_NAME: "SSO"
    OAUTH_SCOPES: "openid email profile"
    OPENID_REDIRECT_URI: "https://www.your-domain.com/oauth/oidc/callback"
    OAUTH_USERNAME_CLAIM: "name"
    OAUTH_EMAIL_CLAIM: "email"
    OAUTH_CODE_CHALLENGE_METHOD: "S256"

Logs & Screenshots

    2026-01-15 21:11:36.112 | INFO     | uvicorn.protocols.http.httptools_impl:send:483 - 128.91.58.254:0 - "GET /api/version HTTP/1.1" 200
    2026-01-15 21:11:36.890 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: GET https://idp.your_oauth_provider.com/well-known/openid-configuration "HTTP/1.1 200 OK"
    2026-01-15 21:11:36.944 | INFO     | uvicorn.protocols.http.httptools_impl:send:483 - 128.91.58.254:0 - "GET /oauth/oidc/login HTTP/1.1" 302
    2026-01-15 21:11:37.101 | INFO     | uvicorn.protocols.http.httptools_impl:send:483 - 128.91.58.254:0 - "GET /api/version HTTP/1.1" 200
    2026-01-15 21:11:37.699 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: POST https://idp.your_oauth_provider.com/idp/profile/oidc/token "HTTP/1.1 401 401"
    2026-01-15 21:11:37.701 | WARNING  | open_webui.utils.oauth:handle_callback:1423 - OAuth callback error during authorize_access_token for provider oidc: OAuth callback failed: invalid_client: Client authentication failed
    Traceback (most recent call last):
    ...
    authlib.integrations.base_client.errors.OAuthError: invalid_client: Client authentication failed
    2026-01-15 21:11:37.716 | ERROR    | open_webui.utils.oauth:handle_callback:1636 - Error during OAuth process: 400: The email or password provided is incorrect. Please check for typos and try logging in again.

Additional Information

If the team doesn't want to handle this URL encoding at the backend layer, I would say it would at least be helpful to add a troubleshooting bullet point to the docs here: https://docs.openwebui.com/troubleshooting/sso/

Or, similar to the note under WEB_BANNER, you might mention under CLIENT_SECRET that the URL encoding should be handled by the IDP: https://docs.openwebui.com/getting-started/env-configuration

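The failure in the logs above is the classic client_secret_basic encoding mismatch. RFC 6749 section 2.3.1 requires the client to application/x-www-form-urlencode both the client_id and the client_secret before joining them with ":" and base64-encoding the result, and the token endpoint form-decodes them again on receipt. If the client skips that step, a raw "+" in the secret reaches the IDP and is decoded as a space, so the presented secret no longer matches and the IDP answers invalid_client. The following is an added illustration, not code from Open WebUI, Authlib or the issue author; the client id and secret are the placeholder values from the issue, the "IDP" is a small in-process simulation, and the function names are my own.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample values, taken from the placeholders used in the issue above.
CLIENT_ID = "www.your-domain.com.abcd1234"
CLIENT_SECRET = "helloworld+1234"

# What the simulated IDP has on file for this client.
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}


def basic_auth_header(client_id, client_secret, form_encode=True):
    """Build the Authorization header for the client_secret_basic method.

    RFC 6749 section 2.3.1: both values are application/x-www-form-urlencoded
    *before* being joined with ':' and base64-encoded, so a '+' in the secret
    must go on the wire as '%2B'. form_encode=False models a client that skips
    that step and base64-encodes the raw values.
    """
    if form_encode:
        client_id = quote_plus(client_id)
        client_secret = quote_plus(client_secret)
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header):
    """Server side: base64-decode, split on the first ':', form-decode each part.

    Form-decoding is the step where a raw '+' becomes a space and '%2B' becomes '+'.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not an HTTP Basic credential")
    decoded = base64.b64decode(encoded).decode("utf-8")
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        raise ValueError("credential has no ':' separator")
    return unquote_plus(client_id), unquote_plus(client_secret)


def token_endpoint_auth(header, registry=REGISTERED_CLIENTS):
    """Simulated token-endpoint client authentication.

    Returns "ok" or the OAuth error code "invalid_client". The secret comparison
    is constant-time so a wrong secret does not leak where it first diverges.
    """
    try:
        client_id, presented = decode_basic_auth(header)
    except ValueError:
        return "invalid_client"
    expected = registry.get(client_id)
    if expected is None:
        return "invalid_client"
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return "invalid_client"
    return "ok"


def walk_through():
    """The four combinations of operator-supplied value and client behaviour."""
    cases = {
        # RFC-conformant client, raw secret in the env var: works.
        "raw secret, client form-encodes": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        # Client sends the raw value: IDP decodes '+' to ' ' -> invalid_client (the issue).
        "raw secret, client sends raw": basic_auth_header(CLIENT_ID, CLIENT_SECRET, form_encode=False),
        # Operator pre-encodes as %2B, client sends raw: IDP decodes to '+' -> works (the workaround).
        "pre-encoded secret, client sends raw": basic_auth_header(CLIENT_ID, "helloworld%2B1234", form_encode=False),
        # Operator pre-encodes AND client form-encodes: double-encoded -> invalid_client.
        "pre-encoded secret, client form-encodes": basic_auth_header(CLIENT_ID, "helloworld%2B1234"),
    }
    return {name: token_endpoint_auth(hdr) for name, hdr in cases.items()}


if __name__ == "__main__":
    for name, result in walk_through().items():
        print(f"{name}: {result}")
```

The last two cases are the caveat: storing the secret pre-encoded as %2B only works while the client library sends the value unencoded, and breaks again the moment the client starts form-encoding as the RFC requires. When an invalid_client appears with a secret containing "+", "%", "&", "=" or a space, checking which side performs the form-encoding is the first thing to verify.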
GiteaMirror added the bug label 2026-04-25 08:59:14 -05:00

@owui-terminator[bot] commented on GitHub (Jan 16, 2026):

🔍 Similar Issues Found

I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:

  1. #19361 issue: Unicode rendering issues when using HTTP header-based authentication
    by tlhr • Nov 21, 2025 • bug

💡 Tips:

  • If this is a duplicate, please consider closing this issue and adding any additional details to the existing one
  • If you found a solution in any of these issues, please share it here to help others

This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.


@jagg2 commented on GitHub (Mar 9, 2026):

Still an issue.
Was able to work around it by changing out the client secret for one that didn't have any char requiring encoding


@tjbck commented on GitHub (Mar 25, 2026):

Intended upstream behaviour.


@jagg2 commented on GitHub (Mar 25, 2026):

@tjbck Who's upstream in this case?


Reference: github-starred/open-webui#34807