OIDC Login Role Management Configuration Issue: Roles Not Correctly Recognized from Lark #4307

New Issue

Closed

opened 2025-11-11 15:51:13 -06:00 by GiteaMirror · 0 comments

GiteaMirror commented 2025-11-11 15:51:13 -06:00

Owner

Copy Link

Originally created by @hongspell on GitHub (Mar 7, 2025).

Issue Content:

### Description
We have configured Open WebUI to use Lark's OIDC for authentication, but we are still receiving the following error when trying to log in:

{"detail":"You do not have permission to access this resource. Please contact your administrator for assistance."}

### Environment Variables Configured:
```bash
OAUTH_CLIENT_ID=xxx
OAUTH_CLIENT_SECRET=xxx
OPENID_PROVIDER_URL=https://anycross.larksuite.com/sso/xxx/.well-known/openid-configuration
OAUTH_PROVIDER_NAME=Lark
OAUTH_SCOPES=openid email profile
OAUTH_AUTO_SIGNUP=true
OAUTH_EMAIL_VERIFIED=true
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_ROLES_CLAIM=user.roles  # The role claim returned by Lark
OAUTH_ALLOWED_ROLES=member,user
OAUTH_ADMIN_ROLES=admin

Explanation

1. Role Field Configuration: We have configured OAUTH_ROLES_CLAIM=user.roles, but still cannot log in, receiving the "permission denied" message.
2. Role Return: We need to confirm whether Lark's OIDC is returning the correct role field (user.roles) and whether these roles match the configurations in OAUTH_ALLOWED_ROLES and OAUTH_ADMIN_ROLES.

Possible Issue:

• Does Lark return the correct role information?
• Do we need to adjust the OAUTH_ROLES_CLAIM configuration to match the role field returned by Lark?

Request for Help:

Has anyone encountered a similar configuration issue or have any suggestions on how to correct the role field mapping or Open WebUI configuration?

Originally created by @hongspell on GitHub (Mar 7, 2025). ### Issue Content: ```markdown ### Description We have configured Open WebUI to use Lark's OIDC for authentication, but we are still receiving the following error when trying to log in: ``` `{"detail":"You do not have permission to access this resource. Please contact your administrator for assistance."}` ```markdown ### Environment Variables Configured: ```bash OAUTH_CLIENT_ID=xxx OAUTH_CLIENT_SECRET=xxx OPENID_PROVIDER_URL=https://anycross.larksuite.com/sso/xxx/.well-known/openid-configuration OAUTH_PROVIDER_NAME=Lark OAUTH_SCOPES=openid email profile OAUTH_AUTO_SIGNUP=true OAUTH_EMAIL_VERIFIED=true ENABLE_OAUTH_ROLE_MANAGEMENT=true OAUTH_ROLES_CLAIM=user.roles # The role claim returned by Lark OAUTH_ALLOWED_ROLES=member,user OAUTH_ADMIN_ROLES=admin ``` ### Explanation 1. **Role Field Configuration**: We have configured `OAUTH_ROLES_CLAIM=user.roles`, but still cannot log in, receiving the "permission denied" message. 2. **Role Return**: We need to confirm whether Lark's OIDC is returning the correct role field (`user.roles`) and whether these roles match the configurations in `OAUTH_ALLOWED_ROLES` and `OAUTH_ADMIN_ROLES`. ### Possible Issue: - Does Lark return the correct role information? - Do we need to adjust the `OAUTH_ROLES_CLAIM` configuration to match the role field returned by Lark? ### Request for Help: Has anyone encountered a similar configuration issue or have any suggestions on how to correct the role field mapping or Open WebUI configuration?

GiteaMirror closed this issue 2025-11-11 15:51:13 -06:00

GiteaMirror referenced this issue 2025-11-11 17:48:45 -06:00

[PR #4307] [MERGED] 💄 Support @Model display model pictures #8245

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

backend-outlet

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#4307