[GH-ISSUE #21072] issue: PWA 500 Error instead of redirecting to login after session expires with Trusted Header Auth / Forward Auth from Authentik #58040

Closed
opened 2026-05-05 22:14:13 -05:00 by GiteaMirror · 2 comments

Originally created by @wm-ek on GitHub (Jan 31, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21072

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.7.2

Ollama Version (if applicable)

No response

Operating System

Android 16

Browser (if applicable)

Chrome 144.0

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When launching the Open WebUI PWA after the user's session has expired (e.g., after logging out), the application should detect that the user is unauthenticated and seamlessly redirect to the external login page provided by the forward authentication provider.

Actual Behavior

When the PWA is launched after the session has expired, it does not redirect to the login page. Instead, it displays a "500 Internal Server Error" or "Open WebUI Backend Required" in some cases (could not identify yet when exactly).

Steps to Reproduce

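  1. Configure Open WebUI to use an external forward authentication provider (e.g., Authentik via Traefik).
    Key environment variables are set as follows:
      • ENABLE_SIGNUP=False
      • ENABLE_LOGIN_FORM=False
      • ENABLE_OAUTH_SIGNUP=False
      • WEBUI_AUTH_TRUSTED_EMAIL_HEADER=X-authentik-email
      • WEBUI_AUTH_TRUSTED_NAME_HEADER=X-authentik-name
      • 'WEBUI_AUTH_SIGNOUT_REDIRECT_URL=https://auth.domain.tld/flows/-/default/invalidation/'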

  2. On an Android smartphone, install the Open WebUI application as a PWA ("Add to Home Screen").

  3. Log in successfully via the external authenticator. The app works as expected.

  4. Just log out.

  5. Close the PWA.

  6. Relaunch the PWA using the app icon.

  7. Observe the "500 Internal Server Error" page.

Logs & Screenshots

The server logs remain clean and show no errors. The issue appears to be entirely on the client side.

Browser Console Logs: When the PWA starts in an unauthenticated state, it makes background API requests (e.g., to /api/config). These requests are correctly intercepted by the reverse proxy, which issues a redirect to the external login page. However, the browser blocks this redirect and logs the following errors:

Access to fetch at 'https://auth.example.com/...' (redirected from 'https://app.example.com/api/config') has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The request ultimately fails with net::ERR_FAILED.

Additional Information

The root cause appears to be a client-side handling issue. The PWA's frontend JavaScript makes a background fetch request upon startup. When the user is unauthenticated, the reverse proxy correctly issues a redirect to the external login page. Browsers block redirects for background fetch requests for security reasons (CORS). The Open WebUI frontend does not handle this specific network failure gracefully and instead falls back to displaying a generic (and incorrect) 500 error page.

GiteaMirror added the bug label 2026-05-05 22:14:13 -05:00
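
One way a client can tell "no session behind the forward-auth proxy" apart from a backend failure, as an added example (not Open WebUI code and not the fix referenced in this thread). The function names and the injected `fetchImpl` and `nav` parameters are hypothetical; the probe path `/api/config` and the origin `https://app.example.com` are taken from the report above.

```javascript
// Added example; every function name here is hypothetical, not Open WebUI code.
// Map a startup probe to a result. `outcome` is { response } when fetch()
// resolved and { error } when it rejected.
function classifyProbe(outcome) {
  // Rejection: offline, DNS failure, or a followed redirect blocked by CORS.
  if (outcome.error) return 'unreachable';
  const res = outcome.response;
  // With redirect: 'manual' a browser hides the 3xx behind an opaque response
  // (type 'opaqueredirect', status 0); some runtimes expose the raw 3xx.
  if (res.type === 'opaqueredirect') return 'reauth';
  if (res.status === 401 || (res.status >= 300 && res.status < 400)) return 'reauth';
  if (!res.ok) return 'error';
  // A login page served with 200 in place of the JSON config: no session.
  const ctype = res.headers.get('content-type') || '';
  return ctype.includes('application/json') ? 'ok' : 'reauth';
}

async function probeSession(fetchImpl, url) {
  try {
    const response = await fetchImpl(url, {
      redirect: 'manual', // do not follow the proxy's redirect to the IdP
      credentials: 'same-origin', // send the proxy's session cookie
      headers: { Accept: 'application/json' },
    });
    return classifyProbe({ response });
  } catch (error) {
    return classifyProbe({ error });
  }
}

// Act on the result. `nav` is window.location in a browser.
function nextStep(result, nav) {
  if (result !== 'reauth') return result === 'ok' ? 'render-app' : 'show-' + result;
  // Top-level navigation to our own origin: CORS does not apply to document
  // loads, and the target never comes from the response (no open redirect).
  nav.assign(nav.origin + '/');
  return 'navigating';
}

// Constructed stand-ins for what the browser hands back in each case.
const fakeResponse = (status, type, ctype) => ({
  status, type, ok: status >= 200 && status < 300,
  headers: new Map(ctype ? [['content-type', ctype]] : []),
});
const SAMPLES = {
  loggedIn: fakeResponse(200, 'basic', 'application/json'),
  proxyRedirect: fakeResponse(0, 'opaqueredirect', null),
  backendDown: fakeResponse(502, 'basic', 'text/html'),
};
```

In a PWA it is worth wrapping the navigation in a loop guard (for example a counter in sessionStorage), in case the proxy keeps answering the reload with another redirect.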

@owui-terminator[bot] commented on GitHub (Jan 31, 2026):

🔍 Similar Issues Found

I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:

  1. #21016 issue:Trusted Header Authentication does not automatically register new users after the first login
    by FHaggs • Jan 28, 2026 • bug

  2. #20842 issue: Critical Security Issue - JWT Token Authentication Bypass for API Endpoints
    by HarukenM123 • Jan 21, 2026 • bug


💡 Tips:

  • If this is a duplicate, please consider closing this issue and adding any additional details to the existing one
  • If you found a solution in any of these issues, please share it here to help others

This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.


@tjbck commented on GitHub (Mar 25, 2026):

Should be addressed in dev.

Reference: github-starred/open-webui#58040