[GH-ISSUE #21183] Regression: MCP OAuth 2.1 discovery fails when authorization_servers URL path doesn't match well-known endpoint location #58079

Closed
opened 2026-05-05 22:18:15 -05:00 by GiteaMirror · 1 comment

Originally created by @ashavolian on GitHub (Feb 5, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21183

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.7.2

Ollama Version (if applicable)

No response

Operating System

ubuntu

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

MCP OAuth 2.1 client registration should succeed when connecting to an MCP server that implements the Protected Resource discovery chain, even when the authorization_servers URL contains a path component (e.g., https://example.com/oauth) but the OAuth metadata is served at the domain root (https://example.com/.well-known/oauth-authorization-server).
In my case I'm trying to connect an enterprise Glean MCP.

Actual Behavior

OAuth client registration fails because OpenWebUI strictly appends /.well-known/oauth-authorization-server to the authorization_servers URL from Protected Resource metadata, without falling back to the domain root when that fails.

Steps to Reproduce

  • Go to Admin Settings → External Tools → Add Server
  • Add an MCP server with OAuth 2.1 authentication where:
    • The MCP endpoint returns 401 with WWW-Authenticate: Bearer resource_metadata="https://example.com/.well-known/oauth-protected-resource/mcp"
    • The Protected Resource metadata returns: { "resource": "https://example.com/mcp", "authorization_servers": ["https://example.com/oauth"] }
    • The OAuth Authorization Server metadata is served at https://example.com/.well-known/oauth-authorization-server (NOT at https://example.com/oauth/.well-known/oauth-authorization-server)
Logs & Screenshots

Root Cause in Code

File: backend/open_webui/utils/oauth.py (lines 294-301)

for auth_server in authorization_servers:
    auth_server = auth_server.rstrip("/")
    discovery_urls.extend(
        [
            f"{auth_server}/.well-known/oauth-authorization-server",
            f"{auth_server}/.well-known/openid-configuration",
        ]
    )

When authorization_servers is ["https://example.com/oauth"], OpenWebUI only tries:

  • https://example.com/oauth/.well-known/oauth-authorization-server (returns 307/404)

It does not fall back to:

  • https://example.com/.well-known/oauth-authorization-server (where metadata actually exists)

Verification via curl

# Protected Resource metadata says authorization server is at /oauth path
$ curl -s https://example.com/.well-known/oauth-protected-resource/mcp
{"authorization_servers": ["https://example.com/oauth"]}

# OpenWebUI tries this URL (FAILS - returns redirect)
$ curl -s -w "%{http_code}" https://example.com/oauth/.well-known/oauth-authorization-server
307

# But metadata actually exists at root (WORKS)
$ curl -s https://example.com/.well-known/oauth-authorization-server
{"issuer": "https://example.com/oauth", "registration_endpoint": "https://example.com/oauth/register", ...}

Additional Information

This issue affects MCP servers where:

  1. The authorization_servers value includes a path (e.g., /oauth)
  2. But the OAuth metadata is served at the domain root, not relative to that path

The OAuth 2.1 spec (RFC 8414) is somewhat ambiguous here. Some implementations serve metadata at the root .well-known regardless of the issuer path.

Suggested Fix

When building discovery URLs from authorization_servers, also include fallback URLs at the domain root:

import urllib.parse

for auth_server in authorization_servers:
    auth_server = auth_server.rstrip("/")
    parsed = urllib.parse.urlparse(auth_server)
    # Scheme and host only, with any path component dropped
    base_url = f"{parsed.scheme}://{parsed.netloc}"

    discovery_urls.extend([
        f"{auth_server}/.well-known/oauth-authorization-server",
        f"{auth_server}/.well-known/openid-configuration",
        # Fallback to root if auth_server has a path
        f"{base_url}/.well-known/oauth-authorization-server",
        f"{base_url}/.well-known/openid-configuration",
    ])

Related issues: #19794, #20138, #20291
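An added example, not code from the issue or from Open WebUI: it builds the candidate metadata URLs for an authorization server with a path component (the RFC 8414 §3.1 form, which inserts the well-known segment before the issuer path, then the OpenID Connect Discovery suffix form, then the domain-root fallback this issue asks for) and, before accepting any document found at a fallback location, checks that its `issuer` equals the authorization server the client started from (RFC 8414 §3.3), so a metadata document belonging to a different issuer on the same origin is not silently used. `fake_fetch`, `ROOT_METADATA` and the `select_metadata` helper are constructed for the example.

```python
import urllib.parse
from typing import Callable, Dict, List, Optional

# Constructed sample: the authorization server and the root metadata
# document from the curl session in this issue.
AUTHORIZATION_SERVERS = ["https://example.com/oauth"]
ROOT_METADATA = {
    "issuer": "https://example.com/oauth",
    "registration_endpoint": "https://example.com/oauth/register",
}


def discovery_urls_for(auth_server: str) -> List[str]:
    """Candidate metadata URLs, most specific first, without duplicates."""
    auth_server = auth_server.rstrip("/")
    parsed = urllib.parse.urlparse(auth_server)
    root = f"{parsed.scheme}://{parsed.netloc}"
    path = parsed.path  # "" when the issuer has no path component
    candidates = [
        # RFC 8414 section 3.1: well-known segment inserted before the path
        f"{root}/.well-known/oauth-authorization-server{path}",
        # OpenID Connect Discovery style: well-known segment appended after it
        f"{auth_server}/.well-known/openid-configuration",
        # Domain-root fallback for servers that publish metadata at the root
        f"{root}/.well-known/oauth-authorization-server",
        f"{root}/.well-known/openid-configuration",
    ]
    return list(dict.fromkeys(candidates))  # keep order, drop duplicates


def issuer_matches(metadata: Dict[str, str], auth_server: str) -> bool:
    """RFC 8414 section 3.3: the document's issuer must equal the
    authorization server identifier the client started from."""
    return metadata.get("issuer", "").rstrip("/") == auth_server.rstrip("/")


def select_metadata(auth_server: str,
                    fetch: Callable[[str], Optional[Dict[str, str]]]
                    ) -> Optional[Dict[str, str]]:
    """Try each candidate URL with `fetch` (returns the parsed JSON document
    or None on a non-200 answer) and return the first issuer-validated one."""
    for url in discovery_urls_for(auth_server):
        doc = fetch(url)
        if doc is not None and issuer_matches(doc, auth_server):
            return doc
    return None


def fake_fetch(url: str) -> Optional[Dict[str, str]]:
    """Constructed stand-in for HTTP: only the root URL serves metadata;
    the /oauth/.well-known URL answers 307 and so yields no document."""
    if url == "https://example.com/.well-known/oauth-authorization-server":
        return ROOT_METADATA
    return None
```

Because `fake_fetch` only knows the domain-root document, `select_metadata("https://example.com/other", fake_fetch)` returns `None`: the fallback document is found but its issuer does not match, which is the check that makes a root fallback safe to add.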

GiteaMirror added the bug label 2026-05-05 22:18:15 -05:00

@owui-terminator[bot] commented on GitHub (Feb 5, 2026):

🔍 Similar Issues Found

I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:

  1. #20847 issue: MCP OAuth2.1 initial auth doesn't work when a tool is enabled by default for a model
    by Lemmons • Jan 21, 2026 • bug

  2. #20808 issue: mcp oauth 2.1 callback always ends in 401 not authenticated
    by bk-lg • Jan 20, 2026 • bug

  3. #19823 Issue: MCP with OAuth 2.1 Authorization/Token retrival is broken in v0.6.41
    by mllab-nl • Dec 08, 2025 • bug

  4. #20828 issue: OAuth2.1 MCP Tool Server Verification Error - Failed to connect to the tool server: 'coroutine' object is not iterable
    by Lemmons • Jan 20, 2026 • bug

  5. #19116 issue: MCP OAuth 2.1 client registration fails when policy_uri, client_uri, logo_uri or tos_uri are not set
    by xqqp • Nov 11, 2025 • bug

  6. #19148 issue: Verify OAuth mcp server sends incorrect authorization header
    by Oleg52 • Nov 12, 2025 • bug

  7. #20629 issue: MCP server response fails
    by thrasher • Jan 12, 2026 • bug

  8. #21179 issue: [Bug] Web UI Trims Trailing Slash from MCP Server URL, Causing 301 Redirect and Broken Authorization
    by ianohin • Feb 05, 2026 • bug


💡 Tips:

  • If this is a duplicate, please consider closing this issue and adding any additional details to the existing one
  • If you found a solution in any of these issues, please share it here to help others

This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.

Reference: github-starred/open-webui#58079