issue: HTTPX timeout for SSO #5656

Closed
opened 2025-11-11 16:27:38 -06:00 by GiteaMirror · 0 comments

Originally created by @akiraro on GitHub (Jun 27, 2025).

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

0.6.15

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The OIDC SSO authentication flow should complete successfully from end-to-end. After the user authenticates with the external provider, OpenWebUI should be able to complete the authorization code and token exchange, establishing a valid, authenticated session for the user.

Actual Behavior

After the user authenticates with the OIDC provider and is redirected back, the OpenWebUI backend attempts to exchange the authorization code for a token. This back-channel request to the OIDC provider consistently hangs and fails with an httpx.ReadTimeout error in the server logs.

As a result of this backend timeout, the login process aborts, and the user is ultimately presented with a misleading error in the UI:

```
{"detail": "The email or password provided is incorrect. Please check for typos and try logging in again."}
```

Steps to Reproduce

Steps:

  1. Run the provided mock OIDC server (slow_oidc_server.py) which has been configured with a 15-second delay on its /token endpoint.
  2. Configure OpenWebUI's backend/.env to use this mock server as its OIDC provider (e.g., OPENID_PROVIDER_URL=http://localhost:9090/...).
  3. Start the OpenWebUI backend and frontend servers.
  4. Initiate the SSO login flow from the user interface.

Verification:

  • The backend logs will show an httpx.ReadTimeout exception.
  • The frontend will subsequently display a generic "incorrect email or password" error.

This behavior indicates the fixed timeout in the backend's HTTP client is too short to handle providers with higher latency.

Logs & Screenshots

When the OIDC callback fails, the server log displays a generic 400 Bad Request without specific details about the cause:

```log
2025-06-27 19:25:29.537 | WARNING  | open_webui.utils.oauth:handle_callback:353 - OAuth callback error:  - {}
2025-06-27 19:25:29.538 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 115.135.24.232:43110 - "GET /oauth/oidc/callback?... HTTP/1.1" 400 - {}
```

By placing a breakpoint inside the handle_callback function, the true underlying exception was captured. The application hangs on the authorize_access_token call and fails with a read timeout.

```
# Location: /home/user/open-webui/backend/open_webui/utils/oauth.py

> /home/user/open-webui/backend/open_webui/utils/oauth.py(351)handle_callback()
-> token = await client.authorize_access_token(request)

(Pdb) # Stepping over this line results in the following exception:
httpx.ReadTimeout
```

Additional Information

During local debugging, I was able to confirm that the httpx.ReadTimeout is the root cause. I successfully worked around the issue by modifying the source code to pass a longer timeout value to the AsyncOAuth2Client constructor in backend/open_webui/utils/oauth.py.

This confirms that the bug specifically affects integrations with OIDC providers that exhibit high latency during the token exchange process. A permanent solution would likely involve making this HTTP client timeout configurable via an environment variable.

GiteaMirror added the bug label 2025-11-11 16:27:38 -06:00
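
An added sketch of the two changes the report points toward, not Open WebUI's code: a bounded, environment-configurable token-exchange timeout, and a callback result that reports a provider timeout as such instead of as a credential failure. It uses only the standard library, with `asyncio.wait_for` standing in for the httpx client timeout and a constructed coroutine standing in for the slow `/token` endpoint. The variable name `OAUTH_TOKEN_TIMEOUT_SECONDS`, the bounds, the status codes and all function names are assumptions.

```python
import asyncio
import os

# Hypothetical variable name and bounds, not Open WebUI settings.
ENV_VAR = "OAUTH_TOKEN_TIMEOUT_SECONDS"
DEFAULT_TIMEOUT, MIN_TIMEOUT, MAX_TIMEOUT = 5.0, 1.0, 60.0


def load_timeout(environ=os.environ):
    """Parse the timeout; fall back to the default on junk, clamp to bounds."""
    raw = environ.get(ENV_VAR, "")
    try:
        value = float(raw)
    except ValueError:
        return DEFAULT_TIMEOUT
    if value != value:  # NaN compares unequal to itself
        return DEFAULT_TIMEOUT
    # An unbounded value would let a stalled provider pin callback workers.
    return min(max(value, MIN_TIMEOUT), MAX_TIMEOUT)


async def exchange_code(token_call, timeout):
    """Run the token exchange; return (http_status, detail) for the callback."""
    try:
        token = await asyncio.wait_for(token_call(), timeout)
    except asyncio.TimeoutError as exc:
        # Name the exception type: str(exc) can be empty, leaving the log blank.
        return 504, f"token endpoint timed out after {timeout}s ({type(exc).__name__})"
    except PermissionError as exc:  # stand-in for a provider rejecting the code
        return 400, f"provider rejected the authorization code: {exc}"
    return 200, token


async def slow_token_endpoint(delay):
    """Constructed stand-in for the mock provider's delayed /token endpoint."""
    await asyncio.sleep(delay)
    return {"access_token": "constructed-sample-token"}


def demo(delay, timeout):
    """Drive one exchange against the stand-in endpoint."""
    return asyncio.run(exchange_code(lambda: slow_token_endpoint(delay), timeout))


if __name__ == "__main__":
    print(load_timeout({ENV_VAR: "30"}))
    print(demo(delay=0.3, timeout=0.05))  # provider slower than the timeout
    print(demo(delay=0.05, timeout=1.0))  # timeout long enough
```

The upper bound matters as much as the configurability: each pending callback holds a worker until the exchange returns or times out.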

Reference: github-starred/open-webui#5656