[PR #23251] [CLOSED] fix: remove undefined cookie_expires from oauth_session_id set_cookie #50150

Closed
opened 2026-04-30 02:43:37 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23251
Author: @pennycoders
Created: 3/31/2026
Status: Closed

Base: dev ← Head: fix/oauth-session-cookie-expires


📝 Commits (1)

  • a3c07ee fix: remove undefined cookie_expires from oauth_session_id set_cookie

📊 Changes

1 file changed (+1 additions, -1 deletions)

📝 backend/open_webui/utils/oauth.py (+1 -1)

📄 Description

Pull Request Checklist

  • Target branch: Verify that the pull request targets the dev branch.
  • Description: Provided below.
  • Changelog: Included below.
  • Documentation: No user-facing docs needed — this is an internal bug fix.
  • Dependencies: No new dependencies.
  • Testing: Manually tested with Authentik OIDC provider. Before fix: oauth_session_id cookie missing, logs show NameError: name 'cookie_expires' is not defined. After fix: cookie is set correctly and system_oauth auth_type forwards the access token.
  • Agentic AI Code: This fix was identified through manual debugging and the one-line change was human-reviewed and manually tested.
  • Code review: Self-reviewed. The fix follows the exact same pattern as the two other set_cookie calls in the same function.
  • Design & Architecture: No design changes — single variable reference removal.
  • Git Hygiene: Single atomic commit, one logical change.
  • Title Prefix: fix:

Description

Fixes #23250

The oauth_session_id cookie is never set after OIDC login because cookie_expires is referenced but never defined in handle_callback(). This breaks the system_oauth auth_type for OpenAI API connections.

Root cause: Line 1686 of backend/open_webui/utils/oauth.py passes 'expires': cookie_expires to set_cookie(), but cookie_expires is never assigned. The variable cookie_max_age IS defined (line 1627), and the other two set_cookie calls in the same function (lines 1637, 1648) correctly use only max_age.

Fix: Remove 'expires': cookie_expires from the kwargs dict, matching the pattern of the other set_cookie calls. Browsers prefer max_age over expires per RFC 6265 §5.3, so max_age alone is sufficient.

Before:

**({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}),

After:

**({'max_age': cookie_max_age} if cookie_max_age is not None else {}),

Changelog Entry

Fixed

  • Fixed oauth_session_id cookie not being set after OIDC login due to undefined cookie_expires variable, which broke system_oauth auth_type for OpenAI API connections

Breaking Changes

  • None

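Additional Information

  • Fixes #23250
  • The bug exists on both main (v0.8.12) and dev branches
  • One-line change, zero risk of side effects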

Screenshots or Videos

Before fix — error on every OIDC login:

ERROR | open_webui.utils.oauth:handle_callback:1693 - Failed to store OAuth session server-side: name 'cookie_expires' is not defined

After fix — session stored successfully:

INFO | open_webui.utils.oauth:handle_callback:1689 - Stored OAuth session server-side for user <uuid>, provider oidc

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
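
The failure mode described in this pull request, as an added example that is not code from the PR or from Open WebUI: an undefined name inside the `set_cookie` kwargs raises `NameError`, a broad handler logs it, and the cookie is silently never set. `FakeResponse`, `store_session_before`, `store_session_after` and `undefined_globals` are hypothetical names, and the `try`/`except` shape is an assumption inferred from the ERROR log line above.

```python
import builtins
import dis
import logging
from http.cookies import SimpleCookie

log = logging.getLogger("oauth_cookie_example")


class FakeResponse:
    """Hypothetical stand-in for the framework response; records cookies only."""

    def __init__(self):
        self.cookies = SimpleCookie()

    def set_cookie(self, key, value, max_age=None, expires=None, httponly=True):
        self.cookies[key] = value
        if max_age is not None:
            self.cookies[key]["max-age"] = max_age
        if expires is not None:
            self.cookies[key]["expires"] = expires
        self.cookies[key]["httponly"] = httponly


def store_session_before(response, session_id, cookie_max_age):
    try:  # assumed broad handler, inferred from the ERROR log line on the page
        response.set_cookie(
            "oauth_session_id", session_id,
            # cookie_expires is never assigned: NameError when this branch runs
            **({"max_age": cookie_max_age, "expires": cookie_expires}
               if cookie_max_age is not None else {}),
        )
    except Exception as e:
        log.error("Failed to store OAuth session server-side: %s", e)


def store_session_after(response, session_id, cookie_max_age):
    try:
        response.set_cookie(
            "oauth_session_id", session_id,
            **({"max_age": cookie_max_age} if cookie_max_age is not None else {}),
        )
    except Exception as e:
        log.error("Failed to store OAuth session server-side: %s", e)


def undefined_globals(func):
    """Names the function loads as globals that are neither module globals nor builtins."""
    loads = {i.argval for i in dis.get_instructions(func)
             if i.opname in ("LOAD_GLOBAL", "LOAD_NAME")}
    return sorted(n for n in loads
                  if n not in func.__globals__ and not hasattr(builtins, n))
```

`undefined_globals` flags the name without executing the function, so it catches the defect even on the path where `cookie_max_age` is `None` and the faulty branch is never evaluated. Linters such as pyflakes report the same condition as an undefined name.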

GiteaMirror added the pull-request label 2026-04-30 02:43:37 -05:00
Reference: github-starred/open-webui#50150