[GH-ISSUE #24094] issue: Feishu OAuth env var names mismatch between code and docs #35711

Open
opened 2026-04-25 09:53:27 -05:00 by GiteaMirror · 0 comments

Originally created by @tuzkiyoung on GitHub (Apr 24, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24094

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

0.9.2

Ollama Version (if applicable)

No response

Operating System

k8s

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Setting the Feishu OAuth env variables exactly as documented at env-configuration#feishu — i.e. FEISHU_CLIENT_ID,
FEISHU_CLIENT_SECRET, FEISHU_CLIENT_SCOPE, FEISHU_CLIENT_REDIRECT_URI — should produce a working Feishu login flow, with the redirect_uri parameter sent to accounts.feishu.cn
matching the configured value.

Actual Behavior

The code reads two of those variables under different names than the docs use:

| Documented (env-configuration#feishu) | Actually read by code |
|---|---|
| FEISHU_CLIENT_REDIRECT_URI | FEISHU_REDIRECT_URI |
| FEISHU_CLIENT_SCOPE | FEISHU_OAUTH_SCOPE |
| FEISHU_CLIENT_ID | FEISHU_CLIENT_ID |
| FEISHU_CLIENT_SECRET | FEISHU_CLIENT_SECRET |

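Code refs (v0.9.2, also present on main):

  • https://github.com/open-webui/open-webui/blob/v0.9.2/backend/open_webui/config.py#L626-L635
  • https://github.com/open-webui/open-webui/blob/v0.9.2/backend/open_webui/config.py#L866-L869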

Because users following the docs set FEISHU_CLIENT_REDIRECT_URI, the value the code looks for (FEISHU_REDIRECT_URI) is empty. The Feishu provider is registered with
redirect_uri='', and authlib falls back to request.url_for(...) (utils/oauth.py L1434).

When the reverse proxy in front of Open WebUI terminates TLS but does not forward X-Forwarded-Proto: https (e.g. Aliyun ALB with the default XForwardedForProtoEnabled: false listener
config), request.url_for() produces an http://... URL. Feishu then rejects the callback as a redirect_uri mismatch. The failure is silent from Open WebUI's side — no warning at
startup, no log entry pointing at the env var name.

The mismatch dates back to docs PR https://github.com/open-webui/docs/pull/685, which named the variables to follow the *_CLIENT_* pattern used by Google/Microsoft/GitHub providers,
while the code under config.py had shipped with the shorter FEISHU_REDIRECT_URI / FEISHU_OAUTH_SCOPE names. The related fix in PRs
https://github.com/open-webui/open-webui/pull/23129 / https://github.com/open-webui/open-webui/pull/23203 (resolving https://github.com/open-webui/open-webui/issues/23128) only takes
effect when the env var name matches what the code reads — which the docs currently get wrong.

Steps to Reproduce

  1. Deploy Open WebUI v0.9.0 or later behind a reverse proxy that terminates TLS but does not forward X-Forwarded-Proto: https (e.g. Aliyun ALB with default listener config).
  2. Configure Feishu OAuth exactly per the docs, including:
    FEISHU_CLIENT_ID=<your client id>
    FEISHU_CLIENT_SECRET=<your client secret>
    FEISHU_CLIENT_REDIRECT_URI=https://<your-host>/oauth/feishu/callback

  3. Visit https://<your-host>/oauth/feishu/login and inspect the 302 response.

Observed: the Location header contains redirect_uri=http%3A%2F%2F<your-host>%2Foauth%2Ffeishu%2Fcallback (note http, not https), and Feishu rejects the callback.

Workaround: rename the env var to FEISHU_REDIRECT_URI (and FEISHU_OAUTH_SCOPE if used) to match what the code actually reads. The redirect_uri then comes from the explicit value
and is unaffected by what the proxy forwards.

Logs & Screenshots

N/A

Additional Information

Option A — fix the docs (smallest change): rename FEISHU_CLIENT_REDIRECT_URI → FEISHU_REDIRECT_URI and FEISHU_CLIENT_SCOPE → FEISHU_OAUTH_SCOPE on the env-configuration page.
One PR to open-webui/docs.

Option B — fix the code (better consistency with sibling providers, but a behavior change): rename the env keys in config.py to FEISHU_CLIENT_REDIRECT_URI / FEISHU_CLIENT_SCOPE
while keeping the old names as a fallback for one or two releases so existing deployments don't break:

FEISHU_REDIRECT_URI = PersistentConfig(
    'FEISHU_CLIENT_REDIRECT_URI',
    'oauth.feishu.redirect_uri',
    # Prefer the documented name; fall back to the name the code reads today.
    os.environ.get('FEISHU_CLIENT_REDIRECT_URI',
                   os.environ.get('FEISHU_REDIRECT_URI', '')),
)

Independent of A/B, it would help users a lot if FEISHU_CLIENT_ID being set while the redirect URI env var is empty produced a startup warning, so the silent fallback to http:// URLs
doesn't go unnoticed.

Happy to send a PR for whichever direction you prefer.

GiteaMirror added the bug label 2026-04-25 09:53:27 -05:00
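
An added example, not part of the original issue or of Open WebUI's code: a startup check of the kind the issue asks for, together with a check of the `redirect_uri` in the login 302's Location header from step 3 of the reproduction. The helper names, the example host and the authorize path in the sample URL are assumptions made for illustration.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Documented name -> name read by the code, taken from the table in the issue.
DOC_TO_CODE = {
    "FEISHU_CLIENT_REDIRECT_URI": "FEISHU_REDIRECT_URI",
    "FEISHU_CLIENT_SCOPE": "FEISHU_OAUTH_SCOPE",
}


def check_feishu_env(env):
    """Return warnings for a Feishu OAuth environment (hypothetical helper)."""
    warnings = []
    if not env.get("FEISHU_CLIENT_ID"):
        return warnings  # Feishu login is not configured, nothing to check
    for doc_name, code_name in DOC_TO_CODE.items():
        if env.get(doc_name) and not env.get(code_name):
            warnings.append(f"{doc_name} is set but v0.9.2 reads {code_name}")
    if not env.get("FEISHU_REDIRECT_URI"):
        warnings.append(
            "FEISHU_REDIRECT_URI is empty: redirect_uri will be derived from "
            "the request URL, whose scheme depends on X-Forwarded-Proto"
        )
    return warnings


def redirect_uri_sent(location_header):
    """Extract the decoded redirect_uri parameter from a 302 Location header."""
    query = parse_qs(urlsplit(location_header).query)
    values = query.get("redirect_uri", [])
    return values[0] if values else None


def login_redirect_ok(location_header, expected):
    """True only if the redirect_uri sent to Feishu equals the configured one."""
    return redirect_uri_sent(location_header) == expected


# Constructed sample input: host, client id and authorize path are placeholders.
SAMPLE_ENV = {
    "FEISHU_CLIENT_ID": "cli_example",
    "FEISHU_CLIENT_SECRET": "example-secret",
    "FEISHU_CLIENT_REDIRECT_URI": "https://chat.example.com/oauth/feishu/callback",
}
SAMPLE_LOCATION = (
    "https://accounts.feishu.cn/authorize?client_id=cli_example"
    "&redirect_uri=http%3A%2F%2Fchat.example.com%2Foauth%2Ffeishu%2Fcallback"
)

if __name__ == "__main__":
    for message in check_feishu_env(os.environ):
        print("WARNING:", message)
```
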

Reference: github-starred/open-webui#35711