github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 19:08:59 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #23666] Bug: tool listing never sets 'authenticated' flag for auth_type 'oauth_2.1_static' #35567

New Issue
Closed
opened 2026-04-25 09:45:31 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 09:45:31 -05:00
Owner
Copy Link

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23666

Summary

In the MCP tool listing endpoint, the session-token lookup and the authenticated flag on the response are both gated on auth_type == 'oauth_2.1'. For servers with auth_type == 'oauth_2.1_static', the frontend never receives the authenticated key, so the OAuth status badge / re-auth button renders incorrectly (or not at all) for static-OAuth MCP servers.

Location

backend/open_webui/routers/tools.py — lines 123 and 151:

if auth_type == 'oauth_2.1':                      # line 123
    splits = server_id.split(':')
    server_id = splits[-1] if len(splits) > 1 else server_id
    session_token = await request.app.state.oauth_client_manager.get_oauth_token(
        user.id, f'mcp:{server_id}'
    )
...
**(
    {'authenticated': session_token is not None}
    if auth_type == 'oauth_2.1'                  # line 151
    else {}
),

Impact

Admin UI can't tell whether a static-OAuth MCP server is currently authorized; users can't discover that they need to (re-)authorize.

Suggested fix

Replace both checks with auth_type in ('oauth_2.1', 'oauth_2.1_static').

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23666 ### Summary In the MCP tool listing endpoint, the session-token lookup and the `authenticated` flag on the response are both gated on `auth_type == 'oauth_2.1'`. For servers with `auth_type == 'oauth_2.1_static'`, the frontend never receives the `authenticated` key, so the OAuth status badge / re-auth button renders incorrectly (or not at all) for static-OAuth MCP servers. ### Location `backend/open_webui/routers/tools.py` — lines 123 and 151: ```python if auth_type == 'oauth_2.1': # line 123 splits = server_id.split(':') server_id = splits[-1] if len(splits) > 1 else server_id session_token = await request.app.state.oauth_client_manager.get_oauth_token( user.id, f'mcp:{server_id}' ) ... **( {'authenticated': session_token is not None} if auth_type == 'oauth_2.1' # line 151 else {} ), ``` ### Impact Admin UI can't tell whether a static-OAuth MCP server is currently authorized; users can't discover that they need to (re-)authorize. ### Suggested fix Replace both checks with `auth_type in ('oauth_2.1', 'oauth_2.1_static')`.
GiteaMirror commented 2026-04-25 09:45:32 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Apr 13, 2026):

Already addressed in dev.

<!-- gh-comment-id:4240076414 --> @tjbck commented on GitHub (Apr 13, 2026): Already addressed in dev.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35567
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?