[PR #21634] [CLOSED] feat: add SSO custom logout URI support #49220

Closed
opened 2026-04-30 01:32:49 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21634
Author: @hztBUAA
Created: 2/20/2026
Status: Closed

Base: main ← Head: feat/sso-custom-logout-uri


📝 Commits (1)

  • 9ae0e91 feat: add OAUTH_LOGOUT_URI for custom SSO logout redirection

📊 Changes

2 files changed (+21 additions, -1 deletions)

📝 backend/open_webui/config.py (+7 -1)
📝 backend/open_webui/routers/auths.py (+14 -0)

📄 Description

Summary

Fixes #19182

  • Added OAUTH_LOGOUT_URI environment variable (PersistentConfig) to allow configuring a custom logout URL for SSO providers
  • When OAUTH_LOGOUT_URI is set and an OAuth session exists, the signout handler redirects to it directly, bypassing the standard OIDC end_session_endpoint discovery flow
  • Updated the startup warning to not fire when OAUTH_LOGOUT_URI is configured (since logout will work without OPENID_PROVIDER_URL in that case)

Motivation

SSO providers like AWS Cognito do not support the standard OIDC logout flow (end_session_endpoint with id_token_hint / post_logout_redirect_uri). They require provider-specific logout URLs with different parameters. This change allows administrators to set the full logout URI upfront, which is sufficient when all values are known at configuration time.

Example usage (AWS Cognito)

OAUTH_LOGOUT_URI=https://<domain>.auth.<region>.amazoncognito.com/logout?client_id=<client_id>&logout_uri=https://<your-app-url>

Changes

  • backend/open_webui/config.py: Added OAUTH_LOGOUT_URI PersistentConfig; updated startup warning logic
  • backend/open_webui/routers/auths.py: Imported OAUTH_LOGOUT_URI; added early return in signout handler when custom URI is configured

Test plan

  • Verified Python syntax validity of both changed files
  • Set OAUTH_LOGOUT_URI to a custom URL and verify signout redirects to it
  • Leave OAUTH_LOGOUT_URI unset and verify existing OIDC logout flow still works
  • Set OAUTH_LOGOUT_URI without OPENID_PROVIDER_URL and verify no startup warning

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
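
The redirect choice described in the Summary, written out as an added example; it is not code from the PR or from Open WebUI. The function names, the https-only check on the configured value, the fallback requiring an ID token, and the constructed Cognito domain and client ID are assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit


def validate_logout_uri(uri: str) -> str:
    """Accept only an absolute https URL with a host and no embedded credentials."""
    uri = uri.strip()
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"OAUTH_LOGOUT_URI must be an absolute https URL: {uri!r}")
    if parts.username or parts.password:
        raise ValueError("OAUTH_LOGOUT_URI must not embed credentials")
    return uri


def cognito_logout_uri(domain: str, client_id: str, app_url: str) -> str:
    """Build the Cognito-style value from the PR's example, percent-encoding
    the nested logout_uri so its own ':' and '/' stay inside the parameter."""
    query = urlencode({"client_id": client_id, "logout_uri": app_url})
    return f"https://{domain}/logout?{query}"


def signout_redirect(custom_uri, has_oauth_session, end_session_endpoint=None,
                     id_token=None, post_logout_redirect_uri=None):
    """Return the URL to redirect to on signout, or None for a local-only signout."""
    if not has_oauth_session:
        return None  # password login: nothing to end at the identity provider
    if custom_uri:
        # Custom URI wins and bypasses end_session_endpoint discovery.
        return validate_logout_uri(custom_uri)
    if end_session_endpoint and id_token:
        # Standard OIDC logout parameters named in the Motivation section.
        params = {"id_token_hint": id_token}
        if post_logout_redirect_uri:
            params["post_logout_redirect_uri"] = post_logout_redirect_uri
        return f"{end_session_endpoint}?{urlencode(params)}"
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    uri = cognito_logout_uri("example.auth.us-east-1.amazoncognito.com",
                             "abc123", "https://app.example.com/auth")
    print(signout_redirect(uri, has_oauth_session=True))
```
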

GiteaMirror added the pull-request label 2026-04-30 01:32:49 -05:00
Reference: github-starred/open-webui#49220