mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[GH-ISSUE #21016] issue:Trusted Header Authentication does not automatically register new users after the first login #34886
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @FHaggs on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21016
Check Existing Issues
Installation Method
Git Clone
Open WebUI Version
0.7.2
Ollama Version (if applicable)
No response
Operating System
Debian 12
Browser (if applicable)
Firefox
Confirmation
README.md.Expected Behavior
According to the documentation for WEBUI_AUTH_TRUSTED_EMAIL_HEADER, Open WebUI should handle "automatic registration and login" for any user passed in the header.
When a request is received with a valid email in the X-User-Email header (that does not currently exist in the database), the system should:
This should apply to all users, not just the initial admin account.
Actual Behavior
Automatic registration works only for the very first user (who is assigned the Admin role).
For any subsequent requests with a new email address in the X-User-Email header:
To make it work, I currently have to manually create the user in the Open WebUI admin panel first. Once the user exists in the database, the Trusted Header authentication works correctly.
Steps to Reproduce
Start Open WebUI using the following Docker command on Debian 12 (ensure the volume is fresh/empty to simulate a first install):
Bash
docker run --rm
-p 3000:8080
--add-host=host.docker.internal:host-gateway
-e OLLAMA_BASE_URL=http://host.docker.internal:11434
-e WEBUI_AUTH_TRUSTED_EMAIL_HEADER="X-User-Email"
-e DEFAULT_USER_ROLE=user
-v open-webui:/app/backend/data
--name open-webui-remote
ghcr.io/open-webui/open-webui:main-slim
Authenticate User 1 (Admin):
Authenticate User 2 (Regular User):
Workaround:
Logs & Screenshots
Additional Information
2026-01-28 19:42:26.476 | INFO | open_webui.utils.logger:start_logger:166 - GLOBAL_LOG_LEVEL: INFO
2026-01-28 19:42:26.477 | INFO | open_webui.main:lifespan:604 - Installing external dependencies of functions and tools...
2026-01-28 19:42:26.485 | INFO | open_webui.utils.plugin:install_frontmatter_requirements:286 - No requirements found in frontmatter.
2026-01-28 19:42:33.182 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/custom.css HTTP/1.1" 200
2026-01-28 19:42:33.183 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/loader.js HTTP/1.1" 200
2026-01-28 19:42:33.328 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/splash-dark.png HTTP/1.1" 200
2026-01-28 19:42:33.329 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/splash.png HTTP/1.1" 200
2026-01-28 19:42:33.457 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/apple-touch-icon.png HTTP/1.1" 200
2026-01-28 19:42:33.458 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/favicon.svg HTTP/1.1" 200
2026-01-28 19:42:33.560 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /api/config HTTP/1.1" 200
2026-01-28 19:42:33.572 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /api/v1/auths/ HTTP/1.1" 401
2026-01-28 19:42:33.612 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/favicon.png HTTP/1.1" 200
2026-01-28 19:42:33.613 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56572 - "GET /static/favicon-dark.png HTTP/1.1" 200
2026-01-28 19:42:33.614 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "POST /api/v1/auths/signin HTTP/1.1" 403
2026-01-28 19:42:37.564 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56572 - "GET /api/version HTTP/1.1" 200
2026-01-28 19:42:37.565 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56590 - "GET /api/version HTTP/1.1" 200
2026-01-28 19:42:44.208 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /static/loader.js HTTP/1.1" 304
2026-01-28 19:42:44.208 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/custom.css HTTP/1.1" 304
2026-01-28 19:42:44.225 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /static/splash-dark.png HTTP/1.1" 304
2026-01-28 19:42:44.229 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/splash.png HTTP/1.1" 304
2026-01-28 19:42:44.373 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /api/config HTTP/1.1" 200
2026-01-28 19:42:44.397 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/favicon.png HTTP/1.1" 304
2026-01-28 19:42:44.398 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57402 - "GET /static/favicon-dark.png HTTP/1.1" 304
2026-01-28 19:42:44.399 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "POST /api/v1/auths/signin HTTP/1.1" 403
2026-01-28 19:42:44.406 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /api/version HTTP/1.1" 200
2026-01-28 19:42:52.843 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:49190 - "GET /_app/version.json HTTP/1.1" 304
@pr-validator-bot commented on GitHub (Jan 28, 2026):
⚠️ Invalid Issue Title
Hey @FHaggs, please provide a descriptive title for your issue. Titles that are empty, very short (under 10 characters), or generic (like "issue:") make it difficult for volunteer contributors to understand and triage issues.
Please update the title to reflect the content of your issue.
@Classic298 commented on GitHub (Jan 28, 2026):
I am a bit unsure if this is now a feature request for a missing header check to be introduced or a report of incorrect docs or both?
The docs you reference were added here:
9b9162c182not sure if this existed in the past and got removed at some point (?), the commit is very old.@tjbck commented on GitHub (Feb 11, 2026):
Addressed in dev.