[PR #12945] feat: Full OAuth/OIDC Admin Support – Dynamic Provider Settings, Claims, and Role/Group Management #46106

New Issue

GiteaMirror · 2026-04-29T20:46:37-05:00

GiteaMirror commented

2026-04-29 20:46:37 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/12945
Author: @taylorwilsdon
Created: 4/17/2025
Status: 🔄 Open

Base: dev ← Head: add_identity_mgmt

📝 Commits (10+)

a413865 add ui elements and auths.py handlers for full set of oauth settings
64d5b76 fix config route response logic
421dd69 API & Frontend in sync
e3778e1 all working, prep for client id and secret / provider values
65cf437 add additional oauth/oidc settings to admin general ui
df623ff PersistentConfig entries exist for all settings, AdminConfig model updated to include the new settings, update_admin_config endpoint updated to handle saving the new settings, OAuth provider registration uses these settings when configuring the OIDC provider
690a3ab fix config init
5c4e46a Properly initializing the OAuth config variables in config.py with correct paths
2eea797 Added the missing imports for these OAuth config variables
4024db6 working great hell yeah + improve input styling

📊 Changes

5 files changed (+539 additions, -135 deletions)

View changed files

📝 backend/open_webui/config.py (+102 -79)
📝 backend/open_webui/main.py (+31 -0)
📝 backend/open_webui/routers/auths.py (+182 -53)
📝 backend/open_webui/utils/oauth.py (+11 -3)
📝 src/lib/components/admin/Settings/General.svelte (+213 -0)

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

Target branch: Please verify that the pull request targets the dev branch.
Description: Provide a concise description of the changes made in this pull request.
Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
Testing: Have you written and run sufficient tests to validate the changes?
Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
- feat

Pull Request Title

feat: Comprehensive OAuth/OIDC Identity Management in Admin UI and Backend

Description

This PR introduces a comprehensive set of features for managing OAuth/OIDC identity provider settings through the administrative interface and backend. It enables dynamic configuration of OAuth parameters—including client ID/secret, provider name, OIDC URLs, claim mappings, and access role/group logic—directly from the admin UI, with full persistence and immediate effect in the backend authentication system.

OAuth provider configuration can now be fully managed through persistent config, ensuring a smoother, more flexible SSO/identity integration workflow for admins and deployments.

Changelog Entry

Description

Added, exposed, and persistently stored all major OAuth/OIDC configuration options, allowing for identity management settings (claims mapping, allowed domains/roles/groups, client details, and provider endpoints) to be set from the frontend admin UI panel and stored via the API and backend.
Reviewed and improved the state mapping between Svelte admin UI, backend FastAPI models, and persisted configuration files.

Added

OAuth/OIDC settings section in the Admin UI (frontend/Svelte) to manage:
- OAuth sign-up enablement
- Account merging by email
- Group and role mapping toggle
- Claim mapping fields (email, username, picture, roles, groups)
- Allowed roles, admin roles, domains
- Client ID, secret, provider name, OIDC URL
New PersistentConfig fields in config.py for all option keys (including correct key paths).
Corresponding import and registration in FastAPI's app state for all OAuth variables.
Full round-trip support in /admin/config PATCH API for all OAuth/OIDC fields with correct branching to CONFIG_DATA.
Updated backend utility modules (utils/oauth.py) and model definitions for new config fields.
Mapping from frontend admin OAuth input fields through to config persistence.
Safety checks and validation for claim paths and role/group value formats.

Changed

Consolidated OAuth configuration initialization and eliminated duplicate or ambiguous settings.
Switched all legacy OIDC prefixed keys to a unified path under oauth.<key>.
Refactored config save logic to handle nested OAuth and provider structures.
Clarified backend-to-frontend admin config sync to include all identity management fields.

Deprecated

Removed

Fixed

Ensured consistent synchronization of OAuth settings between the frontend admin panel, backend config objects, and the authentication runtime.
Fixed improper/ambiguous initialization or override of some OAuth config fields (client/group/role mapping, claims, etc).

Security

Allowed secret configuration and storage of client secrets and OIDC issuer URLs only for admin users.
Reinforced correct validation of claims and sensitive OAuth settings.

Additional Information

Closes feature gap for enterprise/SSO deployments requiring on-the-fly OAuth/OIDC config changes post-deployment and makes it significantly easier to configure SSO for users with clear guided flow that only displays required fields when the appropriate parent feature is enabled. Better validation in general.
Spun self-testing of configuration round-trips, UI responsiveness, and backend authentication behavior performed - would also like others to test, will ping on discord.

Screenshots or Videos

New section with no OAuth/OIDC configured, everything collapsed:

Expanded Admin UI Section for OAuth/OIDC Settings:

Conditional display for groups input:

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/12945 **Author:** [@taylorwilsdon](https://github.com/taylorwilsdon) **Created:** 4/17/2025 **Status:** 🔄 Open **Base:** `dev` ← **Head:** `add_identity_mgmt` --- ### 📝 Commits (10+) - [`a413865`](https://github.com/open-webui/open-webui/commit/a413865d6b1fbd58de9d1d67d351e3f3f9b1bf9c) add ui elements and auths.py handlers for full set of oauth settings - [`64d5b76`](https://github.com/open-webui/open-webui/commit/64d5b76283726e7bc1c1f0181e959c5757beeed1) fix config route response logic - [`421dd69`](https://github.com/open-webui/open-webui/commit/421dd699c639c32672ea72c3c0a3da2ba89426a3) API & Frontend in sync - [`e3778e1`](https://github.com/open-webui/open-webui/commit/e3778e1f1003775290f6569ee6aea3154be725de) all working, prep for client id and secret / provider values - [`65cf437`](https://github.com/open-webui/open-webui/commit/65cf437013080023e73f9b46058eb574ab6a8dbf) add additional oauth/oidc settings to admin general ui - [`df623ff`](https://github.com/open-webui/open-webui/commit/df623ff664c3abf1f479e9d311202075cc14e1e5) PersistentConfig entries exist for all settings, AdminConfig model updated to include the new settings, update_admin_config endpoint updated to handle saving the new settings, OAuth provider registration uses these settings when configuring the OIDC provider - [`690a3ab`](https://github.com/open-webui/open-webui/commit/690a3aba7b2fd47b4a5c98c6e8e13c35c182801c) fix config init - [`5c4e46a`](https://github.com/open-webui/open-webui/commit/5c4e46ab71dfadc305e7e2f8c73b3ccebc9f40a1) Properly initializing the OAuth config variables in config.py with correct paths - [`2eea797`](https://github.com/open-webui/open-webui/commit/2eea7970753f59c8da039122ab9b7440144e2ada) Added the missing imports for these OAuth config variables - [`4024db6`](https://github.com/open-webui/open-webui/commit/4024db6b5cb4a6a2a69ddc6202fe29e97f6a30ed) working great hell yeah + improve input styling ### 📊 Changes **5 files changed** (+539 additions, -135 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+102 -79) 📝 `backend/open_webui/main.py` (+31 -0) 📝 `backend/open_webui/routers/auths.py` (+182 -53) 📝 `backend/open_webui/utils/oauth.py` (+11 -3) 📝 `src/lib/components/admin/Settings/General.svelte` (+213 -0) </details> ### 📄 Description # Pull Request Checklist **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Please verify that the pull request targets the `dev` branch. - [x] **Description:** Provide a concise description of the changes made in this pull request. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [x] **Documentation:** Have you updated relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs), or other documentation sources? - [x] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [x] **Testing:** Have you written and run sufficient tests to validate the changes? - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **feat** --- # Pull Request Title **feat: Comprehensive OAuth/OIDC Identity Management in Admin UI and Backend** --- ## Description This PR introduces a comprehensive set of features for managing OAuth/OIDC identity provider settings through the administrative interface and backend. It enables dynamic configuration of OAuth parameters—including client ID/secret, provider name, OIDC URLs, claim mappings, and access role/group logic—directly from the admin UI, with full persistence and immediate effect in the backend authentication system. OAuth provider configuration can now be fully managed through persistent config, ensuring a smoother, more flexible SSO/identity integration workflow for admins and deployments. --- # Changelog Entry ## Description - Added, exposed, and persistently stored all major OAuth/OIDC configuration options, allowing for identity management settings (claims mapping, allowed domains/roles/groups, client details, and provider endpoints) to be set from the frontend admin UI panel and stored via the API and backend. - Reviewed and improved the state mapping between Svelte admin UI, backend FastAPI models, and persisted configuration files. ## Added - OAuth/OIDC settings section in the Admin UI (frontend/Svelte) to manage: - OAuth sign-up enablement - Account merging by email - Group and role mapping toggle - Claim mapping fields (email, username, picture, roles, groups) - Allowed roles, admin roles, domains - Client ID, secret, provider name, OIDC URL - New PersistentConfig fields in `config.py` for all option keys (including correct key paths). - Corresponding import and registration in FastAPI's app state for all OAuth variables. - Full round-trip support in `/admin/config` PATCH API for all OAuth/OIDC fields with correct branching to `CONFIG_DATA`. - Updated backend utility modules (`utils/oauth.py`) and model definitions for new config fields. - Mapping from frontend admin OAuth input fields through to config persistence. - Safety checks and validation for claim paths and role/group value formats. ## Changed - Consolidated OAuth configuration initialization and eliminated duplicate or ambiguous settings. - Switched all legacy OIDC prefixed keys to a unified path under `oauth.<key>`. - Refactored config save logic to handle nested OAuth and provider structures. - Clarified backend-to-frontend admin config sync to include all identity management fields. ## Deprecated ## Removed ## Fixed - Ensured consistent synchronization of OAuth settings between the frontend admin panel, backend config objects, and the authentication runtime. - Fixed improper/ambiguous initialization or override of some OAuth config fields (client/group/role mapping, claims, etc). ## Security - Allowed secret configuration and storage of client secrets and OIDC issuer URLs only for admin users. - Reinforced correct validation of claims and sensitive OAuth settings. --- ## Additional Information - Closes feature gap for enterprise/SSO deployments requiring on-the-fly OAuth/OIDC config changes post-deployment and makes it significantly easier to configure SSO for users with clear guided flow that only displays required fields when the appropriate parent feature is enabled. Better validation in general. - Spun self-testing of configuration round-trips, UI responsiveness, and backend authentication behavior performed - would also like others to test, will ping on discord. --- ## Screenshots or Videos **New section with no OAuth/OIDC configured, everything collapsed:** <img width="1527" alt="Screenshot 2025-04-16 at 6 55 38 PM" src="https://github.com/user-attachments/assets/cb0baec4-9912-4fe1-b2d5-94bb565af9d5" /> **Expanded Admin UI Section for OAuth/OIDC Settings:** <img width="1535" alt="Screenshot 2025-04-16 at 4 50 20 PM" src="https://github.com/user-attachments/assets/6e51d3ad-d804-412f-bc6b-18f7516681e7" /> **Conditional display for groups input:** <img width="1339" alt="Screenshot 2025-04-16 at 6 29 43 PM" src="https://github.com/user-attachments/assets/fecad8f6-5a01-4a49-9667-a411b0e92469" /> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-29 20:46:37 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#46106