[PR #21666] [CLOSED] fix: preserve OAuth session on token refresh failure #49240

Closed
opened 2026-04-30 01:33:55 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21666
Author: @Classic298
Created: 2/20/2026
Status: Closed

Base: devHead: oauth


📝 Commits (1)

  • 1fb0306 fix: preserve OAuth session on token refresh failure

📊 Changes

1 file changed (+2 additions, -7 deletions)

View changed files

📝 backend/open_webui/utils/oauth.py (+2 -7)

📄 Description

Previously, when an OAuth token refresh failed (e.g., no refresh token available, IDP temporarily unreachable, or refresh token expired), the OAuth session was deleted from the database and None was returned.

This caused two problems:

  1. Tools accessing oauth_token would crash with a TypeError ("NoneType object is not subscriptable") instead of receiving a meaningful error from the downstream API.

  2. The session deletion was irreversible. Even if the refresh failure was transient (network blip, IDP maintenance), the session could never self-heal. Users had to fully log out and re-authenticate to restore the OAuth token, despite still being logged into Open WebUI via the separate JWT session. The fix removes the destructive session deletion in both OAuthManager.get_oauth_token and OAuthClientManager.get_oauth_token. On refresh failure, the existing token data is now returned instead of None. This means:

  • Tools receive the (possibly expired) token rather than crashing
    • Tools should handle this themselves now, gracefully, and informing the user of the expired session if necessary
    • This is better than before, because before, the tool only got back a None Type object with which it cannot do anything.
  • Transient IDP failures self-heal on the next request
  • No unnecessary HTTP calls are made when no refresh token exists, since _perform_token_refresh exits early in that case Fixes

Fixes #17678

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21666 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 2/20/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `oauth` --- ### 📝 Commits (1) - [`1fb0306`](https://github.com/open-webui/open-webui/commit/1fb030617e1f95fe2f2669c891fef3c8e449429c) fix: preserve OAuth session on token refresh failure ### 📊 Changes **1 file changed** (+2 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/oauth.py` (+2 -7) </details> ### 📄 Description Previously, when an OAuth token refresh failed (e.g., no refresh token available, IDP temporarily unreachable, or refresh token expired), the OAuth session was deleted from the database **and None was returned.** This caused two problems: 1. Tools accessing __oauth_token__ would crash with a TypeError ("NoneType object is not subscriptable") instead of receiving a meaningful error from the downstream API. 2. The session deletion was irreversible. Even if the refresh failure was transient (network blip, IDP maintenance), **the session could never self-heal**. Users had to fully log out and re-authenticate to restore the OAuth token, **despite still being logged into Open WebUI via the separate JWT session**. The fix removes the destructive session deletion in both OAuthManager.get_oauth_token and OAuthClientManager.get_oauth_token. On refresh failure, the existing token data is now returned instead of None. This means: - **Tools receive the (possibly expired) token rather than crashing** - Tools should handle this themselves now, gracefully, and informing the user of the expired session if necessary - <ins>**This is better than before, because before, the tool only got back a None Type object with which it cannot do anything.**</ins> - Transient IDP failures self-heal on the next request - No unnecessary HTTP calls are made when no refresh token exists, since _perform_token_refresh exits early in that case Fixes Fixes #17678 ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. --> By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-30 01:33:55 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#49240