github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #23250] issue: oauth_session_id cookie never set due to undefined cookie_expires variable #35460

New Issue
Closed
opened 2026-04-25 09:40:14 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 09:40:14 -05:00
Owner
Copy Link

Originally created by @pennycoders on GitHub (Mar 31, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23250

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.8.12

Operating System

macOS Sequoia 15.5 (Darwin 25.3.0)

Browser (if applicable)

Chrome 131

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup.
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation.

Expected Behavior

When a user logs in via OIDC (e.g., Authentik), the OAuth access token should be stored server-side and the oauth_session_id cookie should be set in the browser. This allows the system_oauth auth_type for OpenAI API connections to forward the user's OIDC access token to upstream LLM providers.

Actual Behavior

The oauth_session_id cookie is never set. The OAuth session IS created in the database (via OAuthSessions.create_session()), but the subsequent response.set_cookie() call raises a NameError because cookie_expires is referenced but never defined. The exception is caught silently by the broad except Exception handler.

Error in logs:

ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined

Impact: The system_oauth auth_type for OpenAI API connections is completely broken. When a user configures an OpenAI-compatible connection with auth_type: system_oauth, the code at routers/openai.py:184 tries to read oauth_session_id from cookies, finds nothing, and falls back to sending no Authorization header — defeating the purpose of OAuth token forwarding.

Steps to Reproduce

  1. Deploy Open WebUI v0.8.12 via Docker: ghcr.io/open-webui/open-webui:v0.8.12
  2. Configure an OIDC provider (e.g., Authentik, Keycloak) with valid OAuth2/OpenID Connect settings: 
    ENABLE_OAUTH_SIGNUP=true
OAUTH_CLIENT_ID=<client_id>
OAUTH_CLIENT_SECRET=<client_secret>
OPENID_PROVIDER_URL=http://<provider>/.well-known/openid-configuration
  3. Configure an OpenAI API connection with auth_type: system_oauth via Admin → Settings → Connections → gear icon → Auth Type: OAuth
  4. Log in via OIDC SSO
  5. Send a chat message
  6. Observe in Docker logs: 
    ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined
  7. Inspect browser cookies — oauth_session_id is absent
  8. The upstream LLM request is sent without the user's OAuth access token

Logs & Screenshots

Docker logs showing the error on every OIDC login:

2026-03-31 06:24:58.887 | ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined

Root cause in backend/open_webui/utils/oauth.py line 1686:

response.set_cookie(
    key='oauth_session_id',
    value=session.id,
    httponly=True,
    samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
    secure=WEBUI_AUTH_COOKIE_SECURE,
    **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}),
    #                                        ^^^^^^^^^^^^^^
    #                          This variable is NEVER defined.
)

The other set_cookie calls in the same function (lines 1637, 1648) correctly use only max_age without expires. The cookie_expires reference appears to be a copy-paste error.

Additional Information

  • The bug exists on both main (v0.8.12) and dev branches
  • cookie_max_age is defined on line 1627 and is sufficient — browsers prefer max_age over expires per RFC 6265 §5.3
  • The fix is a one-line change: remove 'expires': cookie_expires from the dict on line 1686
  • PR with fix: (will link after creation)
Originally created by @pennycoders on GitHub (Mar 31, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23250 ### Check Existing Issues - [X] I have searched for any existing and/or related issues. - [X] I have searched for any existing and/or related discussions. - [X] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items. - [X] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.8.12 ### Operating System macOS Sequoia 15.5 (Darwin 25.3.0) ### Browser (if applicable) Chrome 131 ### Confirmation - [X] I have read and followed all instructions in `README.md`. - [X] I am using the latest version of **both** Open WebUI and Ollama. - [X] I have included the browser console logs. - [X] I have included the Docker container logs. - [X] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [X] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup**. - [X] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. ### Expected Behavior When a user logs in via OIDC (e.g., Authentik), the OAuth access token should be stored server-side and the `oauth_session_id` cookie should be set in the browser. This allows the `system_oauth` auth_type for OpenAI API connections to forward the user's OIDC access token to upstream LLM providers. ### Actual Behavior The `oauth_session_id` cookie is never set. The OAuth session IS created in the database (via `OAuthSessions.create_session()`), but the subsequent `response.set_cookie()` call raises a `NameError` because `cookie_expires` is referenced but never defined. The exception is caught silently by the broad `except Exception` handler. **Error in logs:** ``` ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined ``` **Impact:** The `system_oauth` auth_type for OpenAI API connections is completely broken. When a user configures an OpenAI-compatible connection with `auth_type: system_oauth`, the code at `routers/openai.py:184` tries to read `oauth_session_id` from cookies, finds nothing, and falls back to sending no Authorization header — defeating the purpose of OAuth token forwarding. ### Steps to Reproduce 1. Deploy Open WebUI v0.8.12 via Docker: `ghcr.io/open-webui/open-webui:v0.8.12` 2. Configure an OIDC provider (e.g., Authentik, Keycloak) with valid OAuth2/OpenID Connect settings: ``` ENABLE_OAUTH_SIGNUP=true OAUTH_CLIENT_ID=<client_id> OAUTH_CLIENT_SECRET=<client_secret> OPENID_PROVIDER_URL=http://<provider>/.well-known/openid-configuration ``` 3. Configure an OpenAI API connection with `auth_type: system_oauth` via Admin → Settings → Connections → gear icon → Auth Type: OAuth 4. Log in via OIDC SSO 5. Send a chat message 6. Observe in Docker logs: ``` ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined ``` 7. Inspect browser cookies — `oauth_session_id` is absent 8. The upstream LLM request is sent without the user's OAuth access token ### Logs & Screenshots **Docker logs showing the error on every OIDC login:** ``` 2026-03-31 06:24:58.887 | ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined ``` **Root cause** in `backend/open_webui/utils/oauth.py` line 1686: ```python response.set_cookie( key='oauth_session_id', value=session.id, httponly=True, samesite=WEBUI_AUTH_COOKIE_SAME_SITE, secure=WEBUI_AUTH_COOKIE_SECURE, **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}), # ^^^^^^^^^^^^^^ # This variable is NEVER defined. ) ``` The other `set_cookie` calls in the same function (lines 1637, 1648) correctly use only `max_age` without `expires`. The `cookie_expires` reference appears to be a copy-paste error. ### Additional Information - The bug exists on both `main` (v0.8.12) and `dev` branches - `cookie_max_age` is defined on line 1627 and is sufficient — browsers prefer `max_age` over `expires` per RFC 6265 §5.3 - The fix is a one-line change: remove `'expires': cookie_expires` from the dict on line 1686 - PR with fix: (will link after creation)
GiteaMirror commented 2026-04-25 09:40:16 -05:00
Author
Owner
Copy Link

@roller100 commented on GitHub (Apr 18, 2026):

Thanks to the Open WebUI team and to everyone who raised and narrowed this issue.

These threads were very helpful in tracking down and resolving our own authentication problems around oauth_session_id / system_oauth.

For anyone who is temporarily stuck on v0.8.11 / v0.8.12 while the fix works its way through the normal release cycle, we wrote up the minimal interim hotfix we used here:
https://github.com/BearingNode/bn-open-webui/issues/7

That note keeps the details public-safe and shows the smallest callback-path patch / Docker overlay we found useful in the interim.

Appreciate the issue reports and the fact that the fix is already tracked upstream.

<!-- gh-comment-id:4273492104 --> @roller100 commented on GitHub (Apr 18, 2026): Thanks to the Open WebUI team and to everyone who raised and narrowed this issue. These threads were very helpful in tracking down and resolving our own authentication problems around `oauth_session_id` / `system_oauth`. For anyone who is temporarily stuck on `v0.8.11` / `v0.8.12` while the fix works its way through the normal release cycle, we wrote up the minimal interim hotfix we used here: https://github.com/BearingNode/bn-open-webui/issues/7 That note keeps the details public-safe and shows the smallest callback-path patch / Docker overlay we found useful in the interim. Appreciate the issue reports and the fact that the fix is already tracked upstream.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35460
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?