issue: CSRF mismatch error with OIDC #5659

Closed
opened 2025-11-11 16:27:45 -06:00 by GiteaMirror · 12 comments
Owner

Originally created by @zachwalton on GitHub (Jun 28, 2025).

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

Tip of dev (bfd92ec4af)

Ollama Version (if applicable)

N/A

Operating System

MacOS Sequoia

Browser (if applicable)

Safari 18.5

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

I integrated Open WebUI with my company's OIDC server. I expected to be able to log in successfully.

Actual Behavior

2025-06-27 18:12:34.068 | WARNING | open_webui.utils.oauth:handle_callback:352 - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {}

I originally used v0.6.15 but switched to the tip of dev where I can confirm this is still an issue.

Digging into this, I found that the oui-session cookie is not being set when visiting /oauth/oidc/login before redirect, which results in the error reported above. I tried several things to correct this without success, and finally applied the below patch which probably is not advisable since it just constructs the request.session object and bypasses the need for the cookie (breaking CSRF protection).

I really have no idea why this is happening but this patch works for now.

diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 53686c18f..2a58c47d2 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -352,6 +352,11 @@ class OAuthManager:
         if provider not in OAUTH_PROVIDERS:
             raise HTTPException(404)
         client = self.get_client(provider)
+        request.session[f"_state_oidc_{request.query_params.get("state")}"] = {
+          "data": {
+              "redirect_uri": "https://xxx/oauth/oidc/callback",
+          }
+        }
         try:
             token = await client.authorize_access_token(request)
         except Exception as e:

Steps to Reproduce

I tried many permutations of flags to get this working (various values for the cookie flags especially), currently using:

        - name: WEBUI_URL
          value: https://xxx
        - name: WEBUI_SESSION_COOKIE_SAME_SITE
          value: lax
        - name: WEBUI_AUTH_COOKIE_SAME_SITE
          value: lax
        - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
          value: "true"
        - name: OAUTH_CLIENT_ID
          value: xxx
        - name: ENABLE_OAUTH_GROUP_MANAGEMENT
          value: "true"
        - name: ENABLE_OAUTH_GROUP_CREATION
          value: "true"
        - name: ENABLE_OAUTH_SIGNUP
          value: "true"
        - name: OAUTH_SCOPES
          value: email profile
        - name: OPENID_PROVIDER_URL
          value: https://xxx/.well-known/openid-configuration
        - name: OAUTH_PROVIDER_NAME
          value: xxx
        - name: OAUTH_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: OAUTH_CLIENT_SECRET
              name: openwebui-oauth-client-secret
        - name: OFFLINE_MODE
          value: "true"
        - name: WEBUI_SECRET_KEY
          value: xxx

Logs & Screenshots

Provided above

Additional Information

No response

Originally created by @zachwalton on GitHub (Jun 28, 2025). ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version Tip of dev (bfd92ec4afe7fb68f892b62817b271f765275660) ### Ollama Version (if applicable) N/A ### Operating System MacOS Sequoia ### Browser (if applicable) Safari 18.5 ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior I integrated Open WebUI with my company's OIDC server. I expected to be able to log in successfully. ### Actual Behavior `2025-06-27 18:12:34.068 | WARNING | open_webui.utils.oauth:handle_callback:352 - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {}` I originally used `v0.6.15` but switched to the tip of dev where I can confirm this is still an issue. Digging into this, I found that the `oui-session` cookie is not being set when visiting `/oauth/oidc/login` before redirect, which results in the error reported above. I tried several things to correct this without success, and finally applied the below patch which probably is not advisable since it just constructs the `request.session` object and bypasses the need for the cookie (breaking CSRF protection). I really have no idea why this is happening but this patch works for now. ``` diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py index 53686c18f..2a58c47d2 100644 --- a/backend/open_webui/utils/oauth.py +++ b/backend/open_webui/utils/oauth.py @@ -352,6 +352,11 @@ class OAuthManager: if provider not in OAUTH_PROVIDERS: raise HTTPException(404) client = self.get_client(provider) + request.session[f"_state_oidc_{request.query_params.get("state")}"] = { + "data": { + "redirect_uri": "https://xxx/oauth/oidc/callback", + } + } try: token = await client.authorize_access_token(request) except Exception as e: ``` ### Steps to Reproduce I tried many permutations of flags to get this working (various values for the cookie flags especially), currently using: ``` - name: WEBUI_URL value: https://xxx - name: WEBUI_SESSION_COOKIE_SAME_SITE value: lax - name: WEBUI_AUTH_COOKIE_SAME_SITE value: lax - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL value: "true" - name: OAUTH_CLIENT_ID value: xxx - name: ENABLE_OAUTH_GROUP_MANAGEMENT value: "true" - name: ENABLE_OAUTH_GROUP_CREATION value: "true" - name: ENABLE_OAUTH_SIGNUP value: "true" - name: OAUTH_SCOPES value: email profile - name: OPENID_PROVIDER_URL value: https://xxx/.well-known/openid-configuration - name: OAUTH_PROVIDER_NAME value: xxx - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: key: OAUTH_CLIENT_SECRET name: openwebui-oauth-client-secret - name: OFFLINE_MODE value: "true" - name: WEBUI_SECRET_KEY value: xxx ``` ### Logs & Screenshots Provided above ### Additional Information _No response_
GiteaMirror added the bug label 2025-11-11 16:27:45 -06:00
Author
Owner

@Classic298 commented on GitHub (Jun 28, 2025):

please check for duplicate issues - can you test the dev branch? It might be fixed there.

ALso i think you are missing the env vars for redirect URI

@Classic298 commented on GitHub (Jun 28, 2025): please check for duplicate issues - can you test the dev branch? It might be fixed there. ALso i think you are missing the env vars for redirect URI
Author
Owner

@tjbck commented on GitHub (Jun 30, 2025):

@zachwalton could you confirm?

@tjbck commented on GitHub (Jun 30, 2025): @zachwalton could you confirm?
Author
Owner

@balazshasprai commented on GitHub (Jul 1, 2025):

I have the same issue, on the dev branch too.
I've followed https://github.com/open-webui/open-webui/discussions/4604 for some time, but so far nothing I've tried worked.
In the browser I get:

{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}

And in the logs it's:

2025-07-01 10:26:55.142 | INFO     | httpx._client:_send_single_request:1740 - HTTP Request: GET https://auth.domain.com/application/o/open-webui/.well-known/openid-configuration "HTTP/1.1 200 OK" - {}
2025-07-01 10:26:55.294 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.30.30.175:0 - "GET /oauth/oidc/login HTTP/1.1" 302 - {}
2025-07-01 10:26:55.829 | WARNING  | open_webui.utils.oauth:handle_callback:352 - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {}
2025-07-01 10:26:55.831 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.30.30.175:0 - "GET /oauth/oidc/callback?code=b46b5a2e677f47fca8b7061a083ec4c3&state=dm0IOPbqsNZn2gEoKmk1ED3TKoO0iL HTTP/1.1" 400 - {}
2025-07-01 10:27:44.747 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 172.30.30.175:0 - "GET /_app/version.json HTTP/1.1" 200 - {}

My env vars:

  ENABLE_OAUTH_SIGNUP: "true"
  OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true"
  OAUTH_PROVIDER_NAME: authentik
  OAUTH_SCOPE: openid email profile
  OLLAMA_BASE_URL: https://ollama.domain.com
  OPENID_PROVIDER_URL: https://auth.domain.com/application/o/open-webui/.well-known/openid-configuration
  OPENID_REDIRECT_URI: https://ai.domain.com/oauth/oidc/callback
  WEBUI_AUTH_COOKIE_SAME_SITE: lax
  WEBUI_AUTH_TYPE: oidc
  WEBUI_ENABLE_SSO: "true"
  WEBUI_OIDC_CLIENT_ID: open-webui
  WEBUI_SESSION_COOKIE_SAME_SITE: lax
  WEBUI_URL: https://ai.domain.com

I checked the requests in the browser, checked the cookies of two requests, login and /application/o/authorize/?response_type=code.....
login has an oui-session cookie, with the domain ai.domin.com

oui-session:
  httpOnly: true
  path: "/"
  samesite: "None"
  value: "base64"

And /application/o/authorize.. has an authentik_session cookie with the domain auth.domain.com

authentik_session:
  httpOnly: true
  path: "/"
  samesite: "None"
  value: "different base64"

I've checked the decoded base64 values, and they do differ. Both the _state_oidc_xyz and the &state=xyz parts.

oui-session has this

{
  "_state_oidc_0iIK2fzN433lXhLvos4yD7eeacgtts": {
    "data": {
      "redirect_uri": "https://ai.domain.com/oauth/oidc/callback",
      "nonce": "oWwblDM2KCDerN7QP2yw",
      "url": "https://auth.domain.com/application/o/authorize/?response_type=code&client_id=F4izFv2CISGmuJChi92dW1TNMqF2Ph9UF5KFAuGm&redirect_uri=https%3A%2F%2Fai.domain.com%2Foauth%2Foidc%2Fcallback&scope=openid+email+profile&state=0iIK2fzN433lXhLvos4yD7eeacgtts&nonce=oWwblDM2KCDerN7QP2yw"
    },
    "exp": 1751368607.7850423
  }
}

And authentik_session has this:

{
  "_state_oidc_dm0IOPbqsNZn2gEoKmk1ED3TKoO0iL": {
    "data": {
      "redirect_uri": "https://ai.domain.com/oauth/oidc/callback",
      "nonce": "lkHzYeQlaLuShEDlUq5T",
      "url": "https://auth.domain.com/application/o/authorize/?response_type=code&client_id=F4izFv2CISGmuJChi92dW1TNMqF2Ph9UF5KFAuGm&redirect_uri=https%3A%2F%2Fai.domain.com%2Foauth%2Foidc%2Fcallback&scope=openid+email+profile&state=dm0IOPbqsNZn2gEoKmk1ED3TKoO0iL&nonce=lkHzYeQlaLuShEDlUq5T"
    },
    "exp": 1751369215.2925036
  }
}
@balazshasprai commented on GitHub (Jul 1, 2025): I have the same issue, on the dev branch too. I've followed https://github.com/open-webui/open-webui/discussions/4604 for some time, but so far nothing I've tried worked. In the browser I get: ```json {"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."} ``` And in the logs it's: ```console 2025-07-01 10:26:55.142 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://auth.domain.com/application/o/open-webui/.well-known/openid-configuration "HTTP/1.1 200 OK" - {} 2025-07-01 10:26:55.294 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.30.30.175:0 - "GET /oauth/oidc/login HTTP/1.1" 302 - {} 2025-07-01 10:26:55.829 | WARNING | open_webui.utils.oauth:handle_callback:352 - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {} 2025-07-01 10:26:55.831 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.30.30.175:0 - "GET /oauth/oidc/callback?code=b46b5a2e677f47fca8b7061a083ec4c3&state=dm0IOPbqsNZn2gEoKmk1ED3TKoO0iL HTTP/1.1" 400 - {} 2025-07-01 10:27:44.747 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 172.30.30.175:0 - "GET /_app/version.json HTTP/1.1" 200 - {} ``` My env vars: ```yaml ENABLE_OAUTH_SIGNUP: "true" OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true" OAUTH_PROVIDER_NAME: authentik OAUTH_SCOPE: openid email profile OLLAMA_BASE_URL: https://ollama.domain.com OPENID_PROVIDER_URL: https://auth.domain.com/application/o/open-webui/.well-known/openid-configuration OPENID_REDIRECT_URI: https://ai.domain.com/oauth/oidc/callback WEBUI_AUTH_COOKIE_SAME_SITE: lax WEBUI_AUTH_TYPE: oidc WEBUI_ENABLE_SSO: "true" WEBUI_OIDC_CLIENT_ID: open-webui WEBUI_SESSION_COOKIE_SAME_SITE: lax WEBUI_URL: https://ai.domain.com ``` I checked the requests in the browser, checked the cookies of two requests, `login` and `/application/o/authorize/?response_type=code.....` `login` has an `oui-session` cookie, with the domain `ai.domin.com` ```yaml oui-session: httpOnly: true path: "/" samesite: "None" value: "base64" ``` And `/application/o/authorize..` has an `authentik_session` cookie with the domain `auth.domain.com` ```yaml authentik_session: httpOnly: true path: "/" samesite: "None" value: "different base64" ``` I've checked the decoded base64 values, and they do differ. Both the `_state_oidc_xyz` and the `&state=xyz` parts. `oui-session` has this ```json { "_state_oidc_0iIK2fzN433lXhLvos4yD7eeacgtts": { "data": { "redirect_uri": "https://ai.domain.com/oauth/oidc/callback", "nonce": "oWwblDM2KCDerN7QP2yw", "url": "https://auth.domain.com/application/o/authorize/?response_type=code&client_id=F4izFv2CISGmuJChi92dW1TNMqF2Ph9UF5KFAuGm&redirect_uri=https%3A%2F%2Fai.domain.com%2Foauth%2Foidc%2Fcallback&scope=openid+email+profile&state=0iIK2fzN433lXhLvos4yD7eeacgtts&nonce=oWwblDM2KCDerN7QP2yw" }, "exp": 1751368607.7850423 } } ``` And `authentik_session` has this: ```json { "_state_oidc_dm0IOPbqsNZn2gEoKmk1ED3TKoO0iL": { "data": { "redirect_uri": "https://ai.domain.com/oauth/oidc/callback", "nonce": "lkHzYeQlaLuShEDlUq5T", "url": "https://auth.domain.com/application/o/authorize/?response_type=code&client_id=F4izFv2CISGmuJChi92dW1TNMqF2Ph9UF5KFAuGm&redirect_uri=https%3A%2F%2Fai.domain.com%2Foauth%2Foidc%2Fcallback&scope=openid+email+profile&state=dm0IOPbqsNZn2gEoKmk1ED3TKoO0iL&nonce=lkHzYeQlaLuShEDlUq5T" }, "exp": 1751369215.2925036 } } ```
Author
Owner

@balazshasprai commented on GitHub (Jul 1, 2025):

Good news, for me at least. It started working once I set ENABLE_PERSISTENT_CONFIG: "False".
It seems I might have mistyped some of the OIDC variables on the first run, and since they are PersistentConfig it didn't re-read the env vars.
It does work with a fresh install too. But it would be nice if you could change the OIDC vars in the WebUI.

@balazshasprai commented on GitHub (Jul 1, 2025): Good news, for me at least. It started working once I set `ENABLE_PERSISTENT_CONFIG: "False"`. It seems I might have mistyped some of the OIDC variables on the first run, and since they are `PersistentConfig` it didn't re-read the env vars. It does work with a fresh install too. But it would be nice if you could change the OIDC vars in the WebUI.
Author
Owner

@zachwalton commented on GitHub (Jul 1, 2025):

please check for duplicate issues - can you test the dev branch? It might be fixed there.

This was from the dev branch; commit is in the bug description.

ALso i think you are missing the env vars for redirect URI

Added. I also tried adding ENABLE_PERSISTENT_CONFIG: false, still the same issue for me.

Quick unrelated note: OPENID_REDIRECT_URI isn't listed in this section which is why I missed it (it is however further down for Authentik-specific config and listed in the main env vars docs)

@zachwalton commented on GitHub (Jul 1, 2025): > please check for duplicate issues - can you test the dev branch? It might be fixed there. This was from the dev branch; commit is in the bug description. > ALso i think you are missing the env vars for redirect URI Added. I also tried adding `ENABLE_PERSISTENT_CONFIG: false`, still the same issue for me. Quick unrelated note: `OPENID_REDIRECT_URI` isn't listed in [this section](https://docs.openwebui.com/features/sso/#oauth) which is why I missed it (it is however further down for Authentik-specific config and listed in the main env vars docs)
Author
Owner

@tjbck commented on GitHub (Jul 2, 2025):

@jackthgu could you update the docs?

@tjbck commented on GitHub (Jul 2, 2025): @jackthgu could you update the docs?
Author
Owner

@olevitt commented on GitHub (Jul 3, 2025):

Hi !
We are facing the same issue when running with more than 1 replica of open-webui

@olevitt commented on GitHub (Jul 3, 2025): Hi ! We are facing the same issue when running with more than 1 replica of open-webui
Author
Owner

@Classic298 commented on GitHub (Jul 3, 2025):

@olevitt what setup?
env vars pls

@Classic298 commented on GitHub (Jul 3, 2025): @olevitt what setup? env vars pls
Author
Owner

@olevitt commented on GitHub (Jul 3, 2025):

Sure, here you go :
We are installing it using the Helm chart, with postgresql & redis-cluster enabled.
It works fine with a single open-webui replica but we get the OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. error when setting multiple replicas.
Note : we added ENABLE_PERSISTENT_CONFIG, WEBUI_SESSION_COOKIE_SAME_SITE, WEBUI_AUTH_COOKIE_SAME_SITE and OPENID_REDIRECT_URI after reading this thread but it does not change the behaviour.

extraEnvVars:
    - name: ENABLE_PERSISTENT_CONFIG
      value: "False"
    - name: WEBUI_SESSION_COOKIE_SAME_SITE
      value: lax
    - name: WEBUI_AUTH_COOKIE_SAME_SITE
      value: lax
    - name: OPENID_REDIRECT_URI
      value: https://<redacted>/oauth/oidc/callback
    - name: UVICORN_WORKERS
      value: "10"
    - name: OAUTH_CLIENT_ID
      value: ollama
    - name: OAUTH_CLIENT_SECRET
      value: <redacted>
    - name: OPENID_PROVIDER_URL
      value: https://<redacted>/.well-known/openid-configuration
    - name: OAUTH_PROVIDER_NAME
      value: SSO
    - name: ENABLE_OAUTH_ROLE_MANAGEMENT
      value: "true"
    - name: OAUTH_ROLES_CLAIM
      value: roles
    - name: OAUTH_ALLOWED_ROLES
      value: vip
    - name: OAUTH_ADMIN_ROLES
      value: admin-ollama
    - name: ENABLE_OAUTH_SIGNUP
      value: "true"
    - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
      value: "true"
    - name: ENABLE_LOGIN_FORM
      value: "false"
    - name: ENABLE_ADMIN_CHAT_ACCESS
      value: "false"
    - name: DEFAULT_USER_ROLE
      value: "user"
    - name: STORAGE_PROVIDER
      value: "s3"
    - name: S3_ACCESS_KEY_ID
      value: "open-webui"
    - name: S3_SECRET_ACCESS_KEY
      value: "<redacted>"
    - name: S3_ENDPOINT_URL
      value: "<redacted>"
    - name: S3_REGION_NAME
      value: "us-east-1"
    - name: S3_BUCKET_NAME
      value: "open-webui"
@olevitt commented on GitHub (Jul 3, 2025): Sure, here you go : We are installing it using the Helm chart, with postgresql & redis-cluster enabled. It works fine with a single open-webui replica but we get the `OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response.` error when setting multiple replicas. Note : we added `ENABLE_PERSISTENT_CONFIG`, `WEBUI_SESSION_COOKIE_SAME_SITE`, `WEBUI_AUTH_COOKIE_SAME_SITE` and `OPENID_REDIRECT_URI` after reading this thread but it does not change the behaviour. ``` extraEnvVars: - name: ENABLE_PERSISTENT_CONFIG value: "False" - name: WEBUI_SESSION_COOKIE_SAME_SITE value: lax - name: WEBUI_AUTH_COOKIE_SAME_SITE value: lax - name: OPENID_REDIRECT_URI value: https://<redacted>/oauth/oidc/callback - name: UVICORN_WORKERS value: "10" - name: OAUTH_CLIENT_ID value: ollama - name: OAUTH_CLIENT_SECRET value: <redacted> - name: OPENID_PROVIDER_URL value: https://<redacted>/.well-known/openid-configuration - name: OAUTH_PROVIDER_NAME value: SSO - name: ENABLE_OAUTH_ROLE_MANAGEMENT value: "true" - name: OAUTH_ROLES_CLAIM value: roles - name: OAUTH_ALLOWED_ROLES value: vip - name: OAUTH_ADMIN_ROLES value: admin-ollama - name: ENABLE_OAUTH_SIGNUP value: "true" - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL value: "true" - name: ENABLE_LOGIN_FORM value: "false" - name: ENABLE_ADMIN_CHAT_ACCESS value: "false" - name: DEFAULT_USER_ROLE value: "user" - name: STORAGE_PROVIDER value: "s3" - name: S3_ACCESS_KEY_ID value: "open-webui" - name: S3_SECRET_ACCESS_KEY value: "<redacted>" - name: S3_ENDPOINT_URL value: "<redacted>" - name: S3_REGION_NAME value: "us-east-1" - name: S3_BUCKET_NAME value: "open-webui" ```
Author
Owner

@Hisma commented on GitHub (Jul 14, 2025):

check the environment vars required for the OIDC provider you're using and make sure they match the expected payload being sent by owui. I ran into this same issue setting up Microsoft Azure Entra ID - ie the {"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."} error went away when I set the right parameters in my owui environment variables. If any are missing or wrong it won't work.
For MS Azure Entra ID to work you need -
MICROSOFT_CLIENT_ID=${OAUTH_CLIENT_ID}
MICROSOFT_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
MICROSOFT_CLIENT_TENANT_ID=${AZURE_TENANT_ID}
MICROSOFT_REDIRECT_URI=${MICROSOFT_REDIRECT_URI}
ENABLE_OAUTH_SIGNUP=true
ENABLE_LOGIN_FORM=false (optional unless you want users to be able to have a non-SSO login option)
WEBUI_AUTH_SIGNOUT_REDIRECT_URL=${WEBUI_AUTH_SIGNOUT_REDIRECT_URL}

@Hisma commented on GitHub (Jul 14, 2025): check the environment vars required for the OIDC provider you're using and make sure they match the expected payload being sent by owui. I ran into this same issue setting up Microsoft Azure Entra ID - ie the ```{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}``` error went away when I set the right parameters in my owui environment variables. If any are missing or wrong it won't work. For MS Azure Entra ID to work you need - MICROSOFT_CLIENT_ID=${OAUTH_CLIENT_ID} MICROSOFT_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} MICROSOFT_CLIENT_TENANT_ID=${AZURE_TENANT_ID} MICROSOFT_REDIRECT_URI=${MICROSOFT_REDIRECT_URI} ENABLE_OAUTH_SIGNUP=true ENABLE_LOGIN_FORM=false (optional unless you want users to be able to have a non-SSO login option) WEBUI_AUTH_SIGNOUT_REDIRECT_URL=${WEBUI_AUTH_SIGNOUT_REDIRECT_URL}
Author
Owner

@allen-yan-1 commented on GitHub (Jul 23, 2025):

@olevitt have you tried to enable Redis for session pool management? I faced the same issue with multi-replica setup, and solved by set up all Redis environment variables

@allen-yan-1 commented on GitHub (Jul 23, 2025): @olevitt have you tried to enable Redis for session pool management? I faced the same issue with multi-replica setup, and solved by set up all Redis environment variables
Author
Owner

@cableman commented on GitHub (Sep 5, 2025):

I have tried looking through the current code base and do not see that session (OIDC state) is handled by redis? And in an multi pod k8s setup this error comes up alot.

@cableman commented on GitHub (Sep 5, 2025): I have tried looking through the current code base and do not see that session (OIDC state) is handled by redis? And in an multi pod k8s setup this error comes up alot.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#5659