github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 19:08:59 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #23665] Bug: MCP servers with auth_type 'oauth_2.1_static' never receive Bearer token (middleware gap) #35566

New Issue
Closed
opened 2026-04-25 09:45:30 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 09:45:30 -05:00
Owner
Copy Link

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23665

Summary

When an MCP tool server is configured with auth_type: oauth_2.1_static, requests to that server are sent without an Authorization header, so every call fails (401 from the protected resource). This effectively breaks the static-OAuth MCP integration end-to-end — reproducible against Microsoft Entra ID / M365 MCP servers.

Introduced alongside oauth_2.1_static support (commit 601bb7835 feat: oauth 2.1 static mcp).

Location

backend/open_webui/utils/middleware.py around lines 2497–2523.

The auth-type dispatch handles bearer, none, session, system_oauth, and oauth_2.1 — but not oauth_2.1_static:

elif auth_type == 'oauth_2.1':
    try:
        splits = server_id.split(':')
        server_id = splits[-1] if len(splits) > 1 else server_id
        oauth_token = await request.app.state.oauth_client_manager.get_oauth_token(
            user.id, f'mcp:{server_id}'
        )
        if oauth_token:
            headers['Authorization'] = f'Bearer {oauth_token.get("access_token", "")}'
    except Exception as e:
        log.error(f'Error getting OAuth token: {e}')
        oauth_token = None
# <-- no elif for 'oauth_2.1_static'

Other parts of the codebase already group the two types together — e.g. main.py:2264, configs.py:181,204,365, and utils/oauth.py:567 all use in ('oauth_2.1', 'oauth_2.1_static'). The middleware branch is the outlier.

Impact

  • Critical — static-OAuth MCP servers cannot make a single authenticated request.
  • Silent failure: the admin sees only a downstream 401 / "failed to connect" error, nothing about the missing header.

Suggested fix

elif auth_type in ('oauth_2.1', 'oauth_2.1_static'):
    ...
Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23665 ### Summary When an MCP tool server is configured with `auth_type: oauth_2.1_static`, requests to that server are sent **without an `Authorization` header**, so every call fails (401 from the protected resource). This effectively breaks the static-OAuth MCP integration end-to-end — reproducible against Microsoft Entra ID / M365 MCP servers. Introduced alongside `oauth_2.1_static` support (commit `601bb7835 feat: oauth 2.1 static mcp`). ### Location `backend/open_webui/utils/middleware.py` around lines 2497–2523. The auth-type dispatch handles `bearer`, `none`, `session`, `system_oauth`, and `oauth_2.1` — but **not** `oauth_2.1_static`: ```python elif auth_type == 'oauth_2.1': try: splits = server_id.split(':') server_id = splits[-1] if len(splits) > 1 else server_id oauth_token = await request.app.state.oauth_client_manager.get_oauth_token( user.id, f'mcp:{server_id}' ) if oauth_token: headers['Authorization'] = f'Bearer {oauth_token.get("access_token", "")}' except Exception as e: log.error(f'Error getting OAuth token: {e}') oauth_token = None # <-- no elif for 'oauth_2.1_static' ``` Other parts of the codebase already group the two types together — e.g. `main.py:2264`, `configs.py:181,204,365`, and `utils/oauth.py:567` all use `in ('oauth_2.1', 'oauth_2.1_static')`. The middleware branch is the outlier. ### Impact - **Critical** — static-OAuth MCP servers cannot make a single authenticated request. - Silent failure: the admin sees only a downstream 401 / "failed to connect" error, nothing about the missing header. ### Suggested fix ```python elif auth_type in ('oauth_2.1', 'oauth_2.1_static'): ... ```
GiteaMirror commented 2026-04-25 09:45:31 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Apr 13, 2026):

Already addressed in dev.

<!-- gh-comment-id:4240076273 --> @tjbck commented on GitHub (Apr 13, 2026): Already addressed in dev.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35566
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?