[PR #23537] [CLOSED] feat: add support for custom SSO/OAuth providers #42874

Closed
opened 2026-04-25 14:39:01 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23537
Author: @RoryChou-flux
Created: 4/9/2026
Status: Closed

Base: dev ← Head: feat/custom-sso-providers


📝 Commits (1)

  • f49104f feat: add support for custom SSO/OAuth providers

📊 Changes

8 files changed (+867 additions, -134 deletions)

📝 backend/open_webui/config.py (+134 -1)
📝 backend/open_webui/main.py (+14 -1)
📝 backend/open_webui/routers/auths.py (+133 -0)
📝 backend/open_webui/utils/oauth.py (+41 -18)
📝 src/lib/apis/auths/index.ts (+100 -0)
📝 src/lib/components/admin/Settings.svelte (+4 -1)
📝 src/lib/components/admin/Settings/General.svelte (+364 -2)
📝 src/routes/auth/+page.svelte (+77 -111)

📄 Description

Pull Request Checklist

Discussion: https://github.com/open-webui/open-webui/discussions/23536

  • Target branch: dev
  • Description: Provided below.
  • Changelog: Included below.
  • Documentation: Will add docs if PR is accepted.
  • Dependencies: No new dependencies.
  • Testing: Manually tested with real Feishu OAuth — built-in provider login, custom provider login, dual-provider display, per-provider claim overrides, Admin UI CRUD, slug validation, malformed env var graceful fallback.
  • Agentic AI Code: Human reviewed and manually tested with real Feishu OAuth flow.
  • Code review: Self-reviewed, also addressed automated code review findings.
  • Design & Architecture: Extends existing OAuth system — adds a section in existing General settings.
  • Git Hygiene: Single atomic commit on feature branch, rebased on dev.
  • Title Prefix: feat:

Changelog Entry

Description

Allow administrators to configure multiple custom OAuth/SSO providers at runtime via Admin UI or CUSTOM_OAUTH_PROVIDERS_CONFIG environment variable. This enables use cases like multiple Feishu enterprises, multiple OIDC providers, or any OAuth2-compatible provider — without code changes.

Related PRs #12945 and #18948 focus on Admin UI for existing single-instance OAuth config. This PR specifically addresses the multiple providers of the same type use case.

Added

  • CUSTOM_OAUTH_PROVIDERS_CONFIG PersistentConfig for dynamic custom OAuth provider storage (supports both env var JSON array and Admin UI)
  • Admin CRUD API endpoints at /api/v1/auths/admin/config/oauth/custom
  • "Custom SSO Providers" management section in Admin Settings > General
  • Per-provider claim overrides: sub_claim, email_claim, username_claim, picture_claim, email_fallback
  • provider_type field on all providers to generalize type-specific logic
  • reload_providers() on OAuthManager for hot-reloading after config changes
  • Dynamic OAuth login button rendering via {#each} loop

Changed

  • /api/config oauth.providers values from plain strings to objects {name, icon_url, is_custom, provider_type}
  • Feishu data-unwrap logic generalized via provider_type instead of hardcoded provider name
  • Built-in providers now include name and provider_type fields

Fixed

  • Feishu sub_claim from user_id to open_id to match actual Feishu v1 userinfo API response

Security

  • Client secrets redacted in admin API GET responses
  • Slug validation prevents conflicts with built-in provider names
  • GitHub email fetch restricted to built-in github provider only
  • Malformed env var handled gracefully with fallback

Breaking Changes

  • BREAKING CHANGE: /api/config oauth.providers response format changed from {key: name_string} to {key: {name, icon_url, is_custom, provider_type}}. Only affects the bundled frontend (updated in this PR).

Configuration Example

CUSTOM_OAUTH_PROVIDERS_CONFIG='[{
  "slug": "feishu-enterprise-b",
  "display_name": "Feishu Enterprise B",
  "provider_type": "feishu",
  "client_id": "cli_xxx",
  "client_secret": "xxx",
  "authorize_url": "https://accounts.feishu.cn/open-apis/authen/v1/authorize",
  "access_token_url": "https://open.feishu.cn/open-apis/authen/v2/oauth/token",
  "userinfo_endpoint": "https://open.feishu.cn/open-apis/authen/v1/user_info",
  "scope": "contact:user.base:readonly",
  "sub_claim": "open_id",
  "email_fallback": true,
  "enabled": true
}]'

No database migration needed.

Testing Performed

  1. Started Open WebUI locally with FEISHU_CLIENT_ID + CUSTOM_OAUTH_PROVIDERS_CONFIG (two Feishu providers)
  2. Verified /api/config returns both providers in new object format
  3. Login page displayed both "Feishu" and "飞书企业B" buttons
  4. Built-in Feishu OAuth login: redirect → authorize → callback → user created successfully
  5. Custom feishu-b OAuth: redirect → authorize → callback → correctly detected email conflict (same test account)
  6. Unit tests: slug validation (11 cases pass), malformed JSON graceful fallback, provider reload add/remove

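Contributor License Agreement

  • By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.
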
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
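
The three checks listed under "Security" above (malformed env var fallback, slug validation against built-in names, client secret redaction) can be sketched as follows. This is an added example, not code from the PR or from Open WebUI. The function names, the slug pattern, the reserved-name set, the required-field list and the redaction marker are all assumptions made for illustration.

```python
import json
import re

# Assumptions for illustration: none of these constants are taken from the PR.
BUILTIN_PROVIDERS = {"google", "microsoft", "github", "oidc", "feishu"}
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")
REQUIRED = ("slug", "client_id", "client_secret", "authorize_url",
            "access_token_url", "userinfo_endpoint")
REDACTED = "********"


def load_custom_providers(raw):
    """Parse a CUSTOM_OAUTH_PROVIDERS_CONFIG value; return (providers, errors)."""
    try:
        entries = json.loads(raw or "[]")
    except json.JSONDecodeError as exc:
        # Graceful fallback: start with no custom providers instead of crashing.
        return [], [f"malformed JSON, no custom providers loaded: {exc.msg}"]
    if not isinstance(entries, list):
        return [], ["expected a JSON array of provider objects"]
    providers, errors, seen = [], [], set()
    for i, p in enumerate(entries):
        if not isinstance(p, dict):
            errors.append(f"[{i}] not an object")
            continue
        slug = p.get("slug")
        missing = [k for k in REQUIRED if not p.get(k)]
        if missing:
            errors.append(f"[{i}] missing {', '.join(missing)}")
        elif not isinstance(slug, str) or not SLUG_RE.fullmatch(slug):
            errors.append(f"[{i}] invalid slug {slug!r}")
        elif slug in BUILTIN_PROVIDERS or slug in seen:
            # A custom entry must never shadow a built-in or an earlier entry.
            errors.append(f"[{i}] slug {slug!r} collides with an existing provider")
        else:
            seen.add(slug)
            providers.append(p)
    return providers, errors


def redact(provider):
    """Return a copy that is safe to send back from an admin GET endpoint."""
    return {**provider, "client_secret": REDACTED if provider.get("client_secret") else ""}


# Constructed sample input (placeholder endpoints, not real provider URLs).
_BASE = {"client_id": "cli_xxx", "client_secret": "xxx",
         "authorize_url": "https://idp.example/authorize",
         "access_token_url": "https://idp.example/token",
         "userinfo_endpoint": "https://idp.example/userinfo"}
SAMPLE = json.dumps([{**_BASE, "slug": "feishu-enterprise-b"},
                     {**_BASE, "slug": "github"},      # shadows a built-in
                     {**_BASE, "slug": "Feishu B"}])   # fails the pattern
```

Rejected entries are reported rather than silently dropped, so an operator can see why a provider did not appear on the login page.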

GiteaMirror added the pull-request label 2026-04-25 14:39:01 -05:00

Reference: github-starred/open-webui#42874