mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
issue: CSRF mismatch error with OIDC #5659
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @zachwalton on GitHub (Jun 28, 2025).
Check Existing Issues
Installation Method
Git Clone
Open WebUI Version
Tip of dev (
bfd92ec4af)Ollama Version (if applicable)
N/A
Operating System
MacOS Sequoia
Browser (if applicable)
Safari 18.5
Confirmation
README.md.Expected Behavior
I integrated Open WebUI with my company's OIDC server. I expected to be able to log in successfully.
Actual Behavior
2025-06-27 18:12:34.068 | WARNING | open_webui.utils.oauth:handle_callback:352 - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {}I originally used
v0.6.15but switched to the tip of dev where I can confirm this is still an issue.Digging into this, I found that the
oui-sessioncookie is not being set when visiting/oauth/oidc/loginbefore redirect, which results in the error reported above. I tried several things to correct this without success, and finally applied the below patch which probably is not advisable since it just constructs therequest.sessionobject and bypasses the need for the cookie (breaking CSRF protection).I really have no idea why this is happening but this patch works for now.
Steps to Reproduce
I tried many permutations of flags to get this working (various values for the cookie flags especially), currently using:
Logs & Screenshots
Provided above
Additional Information
No response
@Classic298 commented on GitHub (Jun 28, 2025):
please check for duplicate issues - can you test the dev branch? It might be fixed there.
ALso i think you are missing the env vars for redirect URI
@tjbck commented on GitHub (Jun 30, 2025):
@zachwalton could you confirm?
@balazshasprai commented on GitHub (Jul 1, 2025):
I have the same issue, on the dev branch too.
I've followed https://github.com/open-webui/open-webui/discussions/4604 for some time, but so far nothing I've tried worked.
In the browser I get:
And in the logs it's:
My env vars:
I checked the requests in the browser, checked the cookies of two requests,
loginand/application/o/authorize/?response_type=code.....loginhas anoui-sessioncookie, with the domainai.domin.comAnd
/application/o/authorize..has anauthentik_sessioncookie with the domainauth.domain.comI've checked the decoded base64 values, and they do differ. Both the
_state_oidc_xyzand the&state=xyzparts.oui-sessionhas thisAnd
authentik_sessionhas this:@balazshasprai commented on GitHub (Jul 1, 2025):
Good news, for me at least. It started working once I set
ENABLE_PERSISTENT_CONFIG: "False".It seems I might have mistyped some of the OIDC variables on the first run, and since they are
PersistentConfigit didn't re-read the env vars.It does work with a fresh install too. But it would be nice if you could change the OIDC vars in the WebUI.
@zachwalton commented on GitHub (Jul 1, 2025):
This was from the dev branch; commit is in the bug description.
Added. I also tried adding
ENABLE_PERSISTENT_CONFIG: false, still the same issue for me.Quick unrelated note:
OPENID_REDIRECT_URIisn't listed in this section which is why I missed it (it is however further down for Authentik-specific config and listed in the main env vars docs)@tjbck commented on GitHub (Jul 2, 2025):
@jackthgu could you update the docs?
@olevitt commented on GitHub (Jul 3, 2025):
Hi !
We are facing the same issue when running with more than 1 replica of open-webui
@Classic298 commented on GitHub (Jul 3, 2025):
@olevitt what setup?
env vars pls
@olevitt commented on GitHub (Jul 3, 2025):
Sure, here you go :
We are installing it using the Helm chart, with postgresql & redis-cluster enabled.
It works fine with a single open-webui replica but we get the
OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response.error when setting multiple replicas.Note : we added
ENABLE_PERSISTENT_CONFIG,WEBUI_SESSION_COOKIE_SAME_SITE,WEBUI_AUTH_COOKIE_SAME_SITEandOPENID_REDIRECT_URIafter reading this thread but it does not change the behaviour.@Hisma commented on GitHub (Jul 14, 2025):
check the environment vars required for the OIDC provider you're using and make sure they match the expected payload being sent by owui. I ran into this same issue setting up Microsoft Azure Entra ID - ie the
{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}error went away when I set the right parameters in my owui environment variables. If any are missing or wrong it won't work.For MS Azure Entra ID to work you need -
MICROSOFT_CLIENT_ID=${OAUTH_CLIENT_ID}
MICROSOFT_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
MICROSOFT_CLIENT_TENANT_ID=${AZURE_TENANT_ID}
MICROSOFT_REDIRECT_URI=${MICROSOFT_REDIRECT_URI}
ENABLE_OAUTH_SIGNUP=true
ENABLE_LOGIN_FORM=false (optional unless you want users to be able to have a non-SSO login option)
WEBUI_AUTH_SIGNOUT_REDIRECT_URL=${WEBUI_AUTH_SIGNOUT_REDIRECT_URL}
@allen-yan-1 commented on GitHub (Jul 23, 2025):
@olevitt have you tried to enable Redis for session pool management? I faced the same issue with multi-replica setup, and solved by set up all Redis environment variables
@cableman commented on GitHub (Sep 5, 2025):
I have tried looking through the current code base and do not see that session (OIDC state) is handled by redis? And in an multi pod k8s setup this error comes up alot.