mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[GH-ISSUE #19730] feat: oauth allow for custom query parameters in call to authorize_redirect() for auth0 audience and jwt access_tokens #57637
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @bitsofinfo on GitHub (Dec 3, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19730
Check Existing Issues
Verify Feature Scope
Problem Description
Using open-webui: 0.6.40
Have OIDC setup and working fine w/ Auth0. User gets redirected to auth0, login, redirected back with a valid token. The issue is that the access_token is an opaque auth0 token and not a JWT. This token is encrypted and stored fine in the open-webui db.
In order to get JWT access_tokens from Auth0, on authorize the query parameter
audiencemust be passed.I have the "OAuth" passthrough configured as the authorization for a particular model. We need this model's /v1/chat/completions call to receive the the access_token for the user, as configured. It does received the token, but because the token is not a jwt (but an auth0 opaque token), downstream systems cannot just decode it on the fly and it makes interoperability with oauth resource endpoints expecting a jwt to fail.
The reason for this is because the
oauth.py(handle_loginmethod) does not permit any customization of query parameters during the call to authlib'sclient.authorize_redirect():6f1486ffd0/backend/open_webui/utils/oauth.py (L1263)authlib's
authorize_redirect()does allow extra parameters to be passed in kwargs butoauth.pyisn't doing this:260d04edee/authlib/integrations/starlette_client/apps.py (L25)authlib's
create_authorization_url()also has anauthorization_paramsthat it will seed into the kwargs, but not sure if openweb-ui is setting that on the client instantiation:260d04edee/authlib/integrations/base_client/sync_app.py (L143)260d04edee/authlib/integrations/base_client/async_app.py (L21)Would be great to add a configuration to customize the parameters for the authorize redirect call.
Desired Solution you'd like
see above
Alternatives Considered
see above
Additional Context
No response
@owui-terminator[bot] commented on GitHub (Dec 3, 2025):
🔍 Similar Issues Found
I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:
#19708 feat: Keycloak authentication support
by fux-dev • Dec 03, 2025
#18924 feat: Allow authorization code flow with SSO logins
by pllopis • Nov 04, 2025
#17183 feat: Allow Passing OAuth Token to Tool Calls
by koflerm • Sep 03, 2025
#19313 feat: User specific MCP headers
by patrykkozuch • Nov 20, 2025
#18045 feat: openid login without email scope
by itsHenry35 • Oct 04, 2025
Show 2 more related issues
#15239 feat: Enable Oauth Popup flow
by Ardakilic • Jun 23, 2025
#19460 feat: Support Role Assignment via LDAP or OAuth Groups in OpenWebUI
by PrinzMichiDE • Nov 25, 2025
💡 Tips:
This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.