github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 19:08:59 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #15254] issue:WEBUI_AUTH=False doesn't fully disable login; frontend still attempts signin #56175

New Issue
Closed
opened 2026-05-05 18:53:32 -05:00 by GiteaMirror · 3 comments
GiteaMirror commented 2026-05-05 18:53:32 -05:00
Owner
Copy Link

Originally created by @anilrajrimal1 on GitHub (Jun 24, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15254

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

main

Ollama Version (if applicable)

latest

Operating System

Ubuntu 22.04

Browser (if applicable)

Brave

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When the environment variable WEBUI_AUTH is set to False, the application should completely disable all authentication mechanisms. This means:

  • The frontend does not prompt for login.
  • No authentication-related API calls (e.g., POST requests to /api/v1/auths/signin) are made.
  • Users can access the interface and features directly without entering credentials.
  • The user experience is seamless, with no login errors or interruptions.

Actual Behavior

Despite setting WEBUI_AUTH=False, the login screen is hidden, but the frontend still attempts to authenticate by automatically sending a POST request to /api/v1/auths/signin. Because no valid credentials are provided, the server returns a 400 Bad Request error. This results in:

  • Confusing error messages in the UI.
  • Users being unable to use the application without credentials.
  • The frontend ignoring or not properly handling the disabled authentication flag at runtime.

Steps to Reproduce

  1. Set WEBUI_AUTH=False in the environment variables.
  2. Run the Open WebUI in Docker compose stack.
  3. Open the app in a browser.
  4. Observe the frontend sending a POST /api/v1/auths/signin request which fails.

Logs & Screenshots

Web Image:
Image

Browser Console:
Image

Additional Information

This behavior suggests the frontend does not fully respect the WEBUI_AUTH setting at runtime. It seems like this flag disables backend auth but not frontend login attempts, which causes confusion and broken usage without credentials.

Originally created by @anilrajrimal1 on GitHub (Jun 24, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/15254 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version main ### Ollama Version (if applicable) latest ### Operating System Ubuntu 22.04 ### Browser (if applicable) Brave ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When the environment variable `WEBUI_AUTH` is set to `False`, the application should completely disable all authentication mechanisms. This means: - The frontend does **not** prompt for login. - No authentication-related API calls (e.g., POST requests to `/api/v1/auths/signin`) are made. - Users can access the interface and features directly without entering credentials. - The user experience is seamless, with no login errors or interruptions. ### Actual Behavior Despite setting `WEBUI_AUTH=False`, the login screen is hidden, but the frontend still attempts to authenticate by automatically sending a `POST` request to `/api/v1/auths/signin`. Because no valid credentials are provided, the server returns a `400 Bad Request` error. This results in: - Confusing error messages in the UI. - Users being unable to use the application without credentials. - The frontend ignoring or not properly handling the disabled authentication flag at runtime. ### Steps to Reproduce 1. Set `WEBUI_AUTH=False` in the environment variables. 2. Run the Open WebUI in Docker compose stack. 3. Open the app in a browser. 4. Observe the frontend sending a `POST /api/v1/auths/signin` request which fails. ### Logs & Screenshots Web Image: ![Image](https://github.com/user-attachments/assets/72f5903b-8eee-498b-9c2c-b2de4233634b) Browser Console: ![Image](https://github.com/user-attachments/assets/33dd727e-b214-4d0b-b051-90088d5b1306) ### Additional Information This behavior suggests the frontend does not fully respect the `WEBUI_AUTH` setting at runtime. It seems like this flag disables backend auth but not frontend login attempts, which causes confusion and broken usage without credentials.
GiteaMirror added the bug label 2026-05-05 18:53:32 -05:00
GiteaMirror commented 2026-05-05 18:53:35 -05:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Jun 24, 2025):

did you set any other auth method?

<!-- gh-comment-id:2999323092 --> @rgaricano commented on GitHub (Jun 24, 2025): did you set any other auth method?
GiteaMirror commented 2026-05-05 18:53:36 -05:00
Author
Owner
Copy Link

@anilrajrimal1 commented on GitHub (Jun 24, 2025):

No, I didn’t set any other authentication method. Just WEBUI_AUTH=False to disable auth completely.

<!-- gh-comment-id:2999666134 --> @anilrajrimal1 commented on GitHub (Jun 24, 2025): No, I didn’t set any other authentication method. Just WEBUI_AUTH=False to disable auth completely.
GiteaMirror commented 2026-05-05 18:53:37 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Jun 25, 2025):

Unable to reproduce, @ayanahye @jackthgu double check wanted here.

<!-- gh-comment-id:3003498412 --> @tjbck commented on GitHub (Jun 25, 2025): Unable to reproduce, @ayanahye @jackthgu double check wanted here.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#56175
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?