[GH-ISSUE #23667] Bug: PKCE (S256) not enforced for OAuth 2.1 when authorization server metadata omits code_challenge_methods_supported #35568

Closed
opened 2026-04-25 09:45:32 -05:00 by GiteaMirror · 0 comments

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23667

Summary

OAuth 2.1 requires PKCE. In the current client registration, code_challenge_method='S256' is only added when the authorization server advertises code_challenge_methods_supported in its metadata. If that field is missing from discovery (or discovery itself is unavailable), the Authlib client is configured without PKCE and the resulting authorization request has no code_challenge.

For providers that require PKCE (Microsoft Entra ID public clients, and many modern IdPs), this causes authorization to fail — the redirect round-trips but the token exchange is rejected.

Location

backend/open_webui/utils/oauth.py lines 535–543:

if oauth_client_info.server_metadata and oauth_client_info.server_metadata.code_challenge_methods_supported:
    if (
        isinstance(
            oauth_client_info.server_metadata.code_challenge_methods_supported,
            list,
        )
        and 'S256' in oauth_client_info.server_metadata.code_challenge_methods_supported
    ):
        kwargs['code_challenge_method'] = 'S256'

Impact

Silent auth failure against Entra ID and other PKCE-required providers. The exact failure mode is confusing because discovery/callback look fine until the token endpoint returns an error.

Suggested fix

Default code_challenge_method to 'S256' for OAuth 2.1 clients, and only downgrade/skip if metadata explicitly advertises only alternative methods. Per RFC 9700 (OAuth 2.1), PKCE is mandatory.

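As an added example (not code from Open WebUI, Authlib, or the issue author), the following puts the metadata-gated logic quoted above next to a default-to-S256 policy of the kind the suggested fix describes, and shows what each one does to the authorization request. The names pkce_kwargs, legacy_pkce_kwargs, make_pkce_pair, authorization_params and the sample metadata documents are assumptions made for this example; the metadata is a plain dict standing in for Authlib's server_metadata object. The code_challenge derivation follows RFC 7636 section 4 and is checked against that RFC's Appendix B vector.

```python
"""PKCE negotiation: metadata-gated S256 versus default-to-S256.

Hypothetical helpers written for this example. The server metadata is a plain
dict (constructed), not Authlib's ServerMetadata class.
"""
import base64
import hashlib
import secrets

# Constructed discovery document in the shape of an issuer that requires PKCE
# but omits code_challenge_methods_supported entirely.
METADATA_WITHOUT_PKCE_FIELD = {
    "issuer": "https://login.example/tenant-id/v2.0",
    "authorization_endpoint": "https://login.example/tenant-id/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example/tenant-id/oauth2/v2.0/token",
}

# Constructed document that advertises both methods, as many IdPs do.
METADATA_WITH_S256 = dict(METADATA_WITHOUT_PKCE_FIELD,
                          code_challenge_methods_supported=["plain", "S256"])


def legacy_pkce_kwargs(server_metadata):
    """Mirror of the gated behaviour: S256 only when advertised, else no PKCE."""
    methods = (server_metadata or {}).get("code_challenge_methods_supported")
    if isinstance(methods, list) and "S256" in methods:
        return {"code_challenge_method": "S256"}
    return {}


def pkce_kwargs(server_metadata, allow_plain_downgrade=False):
    """Default to S256; a missing field or missing discovery keeps S256.

    Only an explicit method list that excludes S256 changes the decision:
    downgrade to 'plain' if the caller opted in and the server lists it,
    otherwise raise rather than silently omit code_challenge.
    """
    methods = (server_metadata or {}).get("code_challenge_methods_supported")
    if not isinstance(methods, list) or not methods or "S256" in methods:
        return {"code_challenge_method": "S256"}
    if allow_plain_downgrade and "plain" in methods:
        return {"code_challenge_method": "plain"}
    raise ValueError(f"server advertises no usable PKCE method: {methods!r}")


def make_pkce_pair(method="S256", verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636 section 4."""
    if verifier is None:
        # 32 random bytes -> 43 unpadded base64url chars, within the 43..128 range.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    elif method == "plain":
        challenge = verifier
    else:
        raise ValueError(f"unknown code_challenge_method {method!r}")
    return verifier, challenge


def authorization_params(pkce, client_id="example-client",
                         redirect_uri="https://app.example/oauth/callback"):
    """Assemble authorization-request parameters from the negotiated PKCE kwargs."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": secrets.token_urlsafe(16),
    }
    method = pkce.get("code_challenge_method")
    if method:
        _verifier, challenge = make_pkce_pair(method)  # verifier is kept server-side
        params["code_challenge"] = challenge
        params["code_challenge_method"] = method
    return params


def compare_policies(server_metadata):
    """Run both policies on one metadata document and report the outcome."""
    try:
        fixed = pkce_kwargs(server_metadata)
    except ValueError as exc:
        fixed = {"error": str(exc)}
    return {"legacy": legacy_pkce_kwargs(server_metadata), "fixed": fixed}


if __name__ == "__main__":
    for name, meta in [("field omitted", METADATA_WITHOUT_PKCE_FIELD),
                       ("S256 advertised", METADATA_WITH_S256),
                       ("no discovery", None)]:
        print(name, compare_policies(meta))
```

With the field omitted, the legacy path yields an authorization request with no code_challenge at all, while the default-to-S256 path always attaches one; a server that lists only methods other than S256 is surfaced as an explicit error instead of a silent downgrade unless the caller opts in.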
Reference: github-starred/open-webui#35568