github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 02:48:13 -05:00
Code Issues 1.1k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #23463] issue: v0.8.11/12, connection OAuth Authorization header no longer sent to model backend. undeclared cookie_expires var #35518

New Issue
Closed
opened 2026-04-25 09:43:35 -05:00 by GiteaMirror · 7 comments
GiteaMirror commented 2026-04-25 09:43:35 -05:00
Owner
Copy Link

Originally created by @bitsofinfo on GitHub (Apr 6, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23463

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.8.11 and v0.8.12

Ollama Version (if applicable)

No response

Operating System

osx

Browser (if applicable)

chrome latest

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Here is my configuration in v0.8.10. Works fine.

  • User logs into my oauth provider, redirects back to UI ok
  • My connections are configured to for "OAuth" authentication
  • I send a chat message for a model available on the connection and I see an proper Authorization header with the JWT bearer token from the OAuth exchange

When I simply upgrade to 0.8.11, this breaks. The Authorization header is not longer sent over the connection to the model's chat completions endpoint.

  open-webui:
    image: ghcr.io/open-webui/open-webui:0.8.10
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    ports:
      - '9999:8080'
    volumes:
      - ./open-webui-data:/app/backend/data

    environment:
      ENABLE_FOLLOW_UP_GENERATION: false
      ENABLE_TAGS_GENERATION: false
      ENABLE_TITLE_GENERATION: false
      OPENAI_LOG_LEVEL: DEBUG
      GLOBAL_LOG_LEVEL: DEBUG
      ENABLE_FORWARD_USER_INFO_HEADERS: true
      OAUTH_CLIENT_ID: ${OPEN_WEBUI__OAUTH_CLIENT_ID}
      OAUTH_CLIENT_SECRET: ${OPEN_WEBUI__OAUTH_CLIENT_SECRET}
      OPENID_PROVIDER_URL: ${OPEN_WEBUI__OPENID_PROVIDER_URL}
      OAUTH_PROVIDER_NAME: My Auth0
      OAUTH_SCOPES: "openid email profile groups my:scope"
      ENABLE_OAUTH_SIGNUP: true
      ENABLE_OLLAMA_API: false
      OPENAI_API_BASE_URL: http://host.docker.internal:9090/v1
      DATA_DIR: /app/backend/data
      DATABASE_URL: postgresql://myuser:XXXXX@postgres:5432/myuser
      OAUTH_AUDIENCE: https://my.audience.test.com

Actual Behavior

see above

Steps to Reproduce

see above. Just take a working OAUTH configured open-webui instance running v0.8.10 or below, and upgrade it to v0.8.11 (or v0.8.12)

Logs & Screenshots

The only thing I see in the logs post upgrade related to/during the oauth redirect flow is this:

open-webui-1           | 2026-04-06 22:44:05.792 | ERROR    | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined

This variable doesn't even appear defined (cookie_expires) 9bd84258d0/backend/open_webui/utils/oauth.py (L1686)

Looks like it was introduced here: bb3526f4e4 (r181648930) @tjbck

Additional Information

none

Originally created by @bitsofinfo on GitHub (Apr 6, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23463 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.8.11 and v0.8.12 ### Ollama Version (if applicable) _No response_ ### Operating System osx ### Browser (if applicable) chrome latest ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Here is my configuration in v0.8.10. Works fine. - User logs into my oauth provider, redirects back to UI ok - My connections are configured to for "OAuth" authentication - I send a chat message for a model available on the connection and I see an proper `Authorization` header with the JWT bearer token from the OAuth exchange When I simply upgrade to 0.8.11, this breaks. The `Authorization` header is not longer sent over the connection to the model's chat completions endpoint. ``` open-webui: image: ghcr.io/open-webui/open-webui:0.8.10 restart: unless-stopped depends_on: postgres: condition: service_healthy ports: - '9999:8080' volumes: - ./open-webui-data:/app/backend/data environment: ENABLE_FOLLOW_UP_GENERATION: false ENABLE_TAGS_GENERATION: false ENABLE_TITLE_GENERATION: false OPENAI_LOG_LEVEL: DEBUG GLOBAL_LOG_LEVEL: DEBUG ENABLE_FORWARD_USER_INFO_HEADERS: true OAUTH_CLIENT_ID: ${OPEN_WEBUI__OAUTH_CLIENT_ID} OAUTH_CLIENT_SECRET: ${OPEN_WEBUI__OAUTH_CLIENT_SECRET} OPENID_PROVIDER_URL: ${OPEN_WEBUI__OPENID_PROVIDER_URL} OAUTH_PROVIDER_NAME: My Auth0 OAUTH_SCOPES: "openid email profile groups my:scope" ENABLE_OAUTH_SIGNUP: true ENABLE_OLLAMA_API: false OPENAI_API_BASE_URL: http://host.docker.internal:9090/v1 DATA_DIR: /app/backend/data DATABASE_URL: postgresql://myuser:XXXXX@postgres:5432/myuser OAUTH_AUDIENCE: https://my.audience.test.com ``` ### Actual Behavior see above ### Steps to Reproduce see above. Just take a working OAUTH configured open-webui instance running v0.8.10 or below, and upgrade it to v0.8.11 (or v0.8.12) ### Logs & Screenshots The only thing I see in the logs post upgrade related to/during the oauth redirect flow is this: ``` open-webui-1 | 2026-04-06 22:44:05.792 | ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined ``` This variable doesn't even appear defined (`cookie_expires`) https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/utils/oauth.py#L1686 Looks like it was introduced here: https://github.com/open-webui/open-webui/commit/bb3526f4e4d36e4e9d99c5f8c57f34c68ce76397#r181648930 @tjbck ### Additional Information none
GiteaMirror added the bug label 2026-04-25 09:43:35 -05:00
GiteaMirror commented 2026-04-25 09:43:36 -05:00
Author
Owner
Copy Link

@bitsofinfo commented on GitHub (Apr 6, 2026):

Image Image
<!-- gh-comment-id:4195290201 --> @bitsofinfo commented on GitHub (Apr 6, 2026): <img width="1118" height="1142" alt="Image" src="https://github.com/user-attachments/assets/495beaaf-1af4-4d16-9362-d010ae963d5a" /> <img width="1146" height="1172" alt="Image" src="https://github.com/user-attachments/assets/ff2991ec-2245-48c1-8c23-afbf60d10977" />
GiteaMirror commented 2026-04-25 09:43:37 -05:00
Author
Owner
Copy Link

@HenriqueMendesCoelho commented on GitHub (Apr 7, 2026):

I'm experiencing the same issue. Downgrading to v0.8.10 fixed it for me.

<!-- gh-comment-id:4196227335 --> @HenriqueMendesCoelho commented on GitHub (Apr 7, 2026): I'm experiencing the same issue. Downgrading to v0.8.10 fixed it for me.
GiteaMirror commented 2026-04-25 09:43:37 -05:00
Author
Owner
Copy Link

@pedro-inf-custodio commented on GitHub (Apr 7, 2026):

I'm experiencing the same issue. Downgrading to v0.8.10 fixed it for me.

Me too, also downgrading to v0.8.10.
Note: I'm using Microsoft Entra ID.

<!-- gh-comment-id:4197569559 --> @pedro-inf-custodio commented on GitHub (Apr 7, 2026): > I'm experiencing the same issue. Downgrading to v0.8.10 fixed it for me. Me too, also downgrading to v0.8.10. Note: I'm using Microsoft Entra ID.
GiteaMirror commented 2026-04-25 09:43:37 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Apr 12, 2026):

Duplicate. Addressed in dev.

<!-- gh-comment-id:4233000972 --> @tjbck commented on GitHub (Apr 12, 2026): Duplicate. Addressed in dev.
GiteaMirror commented 2026-04-25 09:43:37 -05:00
Author
Owner
Copy Link

@roller100 commented on GitHub (Apr 18, 2026):

Thanks to the Open WebUI team and to everyone who raised and narrowed this issue.

These threads were very helpful in tracking down and resolving our own authentication problems around oauth_session_id / system_oauth.

For anyone who is temporarily stuck on v0.8.11 / v0.8.12 while the fix works its way through the normal release cycle, we wrote up the minimal interim hotfix we used here:
https://github.com/BearingNode/bn-open-webui/issues/7

That note keeps the details public-safe and shows the smallest callback-path patch / Docker overlay we found useful in the interim.

Appreciate the issue reports and the fact that the fix is already tracked upstream.

<!-- gh-comment-id:4273491416 --> @roller100 commented on GitHub (Apr 18, 2026): Thanks to the Open WebUI team and to everyone who raised and narrowed this issue. These threads were very helpful in tracking down and resolving our own authentication problems around `oauth_session_id` / `system_oauth`. For anyone who is temporarily stuck on `v0.8.11` / `v0.8.12` while the fix works its way through the normal release cycle, we wrote up the minimal interim hotfix we used here: https://github.com/BearingNode/bn-open-webui/issues/7 That note keeps the details public-safe and shows the smallest callback-path patch / Docker overlay we found useful in the interim. Appreciate the issue reports and the fact that the fix is already tracked upstream.
GiteaMirror commented 2026-04-25 09:43:38 -05:00
Author
Owner
Copy Link

@bitsofinfo commented on GitHub (Apr 21, 2026):

is this in the 0.9.x series?

<!-- gh-comment-id:4290497101 --> @bitsofinfo commented on GitHub (Apr 21, 2026): is this in the 0.9.x series?
GiteaMirror commented 2026-04-25 09:43:39 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Apr 21, 2026):

yes fixed for me

<!-- gh-comment-id:4290582993 --> @Classic298 commented on GitHub (Apr 21, 2026): yes fixed for me
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35518
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?