[GH-ISSUE #22527] bug: Group membership is not updated for admin users #58402

Closed
opened 2026-05-05 23:05:58 -05:00 by GiteaMirror · 2 comments

Originally created by @tomaszpuzio on GitHub (Mar 10, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/22527

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.8.10

Ollama Version (if applicable)

No response

Operating System

macOS Tahoe

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Whenever an admin user’s group membership is updated on the OAuth side, the change should also be reflected in Open-WebUI.

Actual Behavior

Whenever an admin user’s group membership is updated on the OAuth side, the change is not reflected on the Open-WebUI side. This is due to this conditional in the code:

if (
    auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT
    and user.role != "admin"
):
    self.update_user_groups(
        user=user,
        user_data=user_data,
        default_permissions=request.app.state.config.USER_PERMISSIONS,
        db=db,
    )

Steps to Reproduce

  1. Install Docker v24.0.5 and start the service.
  2. Clone the Open WebUI repo (git clone ...).
  3. Follow the instructions in https://docs.openwebui.com/features/access-security/auth/sso/ to set up SSO with the selected OAuth provider. Remember to set ENABLE_OAUTH_GROUP_MANAGEMENT to true.
  4. Use the Docker Compose file to run the container.
  5. Open the browser and go to http://localhost:3000/
  6. Log in with SSO. As the first logged-in user you should get an Admin role.
  7. Go to your OAuth provider platform, create a group and add the user to that group.
  8. Log out from Open-WebUI and log in again with SSO.
  9. Go to http://localhost:3000/admin/users/groups. The new group is not there.

Logs & Screenshots

No screenshots necessary

Additional Information

No response

GiteaMirror added the bug label 2026-05-05 23:05:58 -05:00
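
An added example, not part of the original report and not Open WebUI's code: a minimal model of login-time group reconciliation showing how a role guard like the one quoted in the report leaves an admin's local groups out of step with the identity provider, plus an audit helper that lists the drift. The `User` class, the function names, the `groups` claim name and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str                      # "admin" or "user"
    groups: set = field(default_factory=set)

def parse_groups_claim(claim):
    """Normalise a groups claim that may be a list or a delimited string."""
    if claim is None:
        return set()
    if isinstance(claim, str):
        claim = claim.replace(";", ",").split(",")
    return {g.strip() for g in claim if isinstance(g, str) and g.strip()}

def sync_groups_on_login(user, token_claims, group_management=True,
                         skip_admins=True, claim_name="groups"):
    """Reconcile local groups with the IdP claim; returns (added, removed).

    skip_admins=True models the role guard quoted in the report.
    """
    if not group_management or (skip_admins and user.role == "admin"):
        return set(), set()
    wanted = parse_groups_claim(token_claims.get(claim_name))
    added, removed = wanted - user.groups, user.groups - wanted
    user.groups = wanted
    return added, removed

def find_drift(users, claims_by_user, claim_name="groups"):
    """Audit helper: users whose local groups differ from the IdP claim."""
    drift = {}
    for u in users:
        wanted = parse_groups_claim(claims_by_user.get(u.name, {}).get(claim_name))
        if wanted != u.groups:
            drift[u.name] = {"missing": sorted(wanted - u.groups),
                             "stale": sorted(u.groups - wanted)}
    return drift

# Constructed sample data: local state and the claims each user presents.
USERS = [User("alice", "admin", {"finance"}), User("bob", "user", {"finance"})]
CLAIMS = {"alice": {"groups": ["engineering"]}, "bob": {"groups": "engineering"}}

def demo(skip_admins):
    """Run one login per user, then report any remaining drift."""
    users = [User(u.name, u.role, set(u.groups)) for u in USERS]
    for u in users:
        sync_groups_on_login(u, CLAIMS[u.name], skip_admins=skip_admins)
    return find_drift(users, CLAIMS)
```

With the guard in place only the admin account shows drift after login; in this model that covers both a group added at the provider and one removed there.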

@pr-validator-bot commented on GitHub (Mar 10, 2026):

⚠️ Invalid Issue Title

Hey @tomaszpuzio, please provide a descriptive title for your issue. Titles that are empty, very short (under 10 characters), or generic (like "issue:" or "feat:") make it difficult for volunteer contributors to understand and triage issues.

Please update the title to reflect the content of your issue.


⚠️ Missing Issue Title Prefix

@tomaszpuzio, your issue title is missing a prefix (e.g., bug:, feat:, docs:).

Please update your issue title to include one of the following prefixes:

  • bug: Bug report or error you've encountered
  • feat: Feature request or enhancement suggestion
  • docs: Documentation issue or improvement request
  • question: Question about usage or functionality
  • help: Request for help or support

Example: bug: Login fails when using special characters in password


@tomaszpuzio commented on GitHub (Mar 10, 2026):

Fixed in https://github.com/open-webui/open-webui/pull/22537


Reference: github-starred/open-webui#58402