[GH-ISSUE #23074] issue: v0.8.11 - OpenAI Responses API - oAuth Token sent to backend not refreshed #58548

Closed
opened 2026-05-05 23:23:46 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @com98 on GitHub (Mar 26, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23074

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.8.11

Ollama Version (if applicable)

No response

Operating System

Ubuntu 24.04.4 LTS

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

I am using a custom built OpenAI Responses API wrapper with FastAPI which does RAG and forwards the request to an Ollama Instance. This FastAPI relies on a JSON Web Token (JWT) being passed to my API. This process was working perfectly fine in v0.8.10 - OpenWebUI sent a request to my API and included the JWT as an HTTP header. I could verify that JWT and make sure the request is authenticated. The token was always valid and did not expire.

I am expecting Open Web UI v0.8.11 to also pass a valid JWT to my backend in order to validate the request.

I tried to check the changelog as well to see if there's any configuration change or similar, but I couldn't find any information on that. If I've missed something, please feel free to let me know!

Actual Behavior

In Open Web UI v0.8.11 the behaviour seems to have changed. The JWT is no longer forwarded as an HTTP header, but as a cookie. I did not change any configuration.

I changed my backend to extract the JWT from the cookie `oauth_id_token`.

Steps to Reproduce

The steps to reproduce are simple; just set up an OpenWebUI instance connected to oAuth.

My Docker compose file:

```yaml
services:
  openwebui:
    image: ghcr.io/open-webui/open-webui:v0.8.11
    volumes:
      - openwebui:/app/backend/data
    environment:
      - WEBUI_URL=https://example.com
      - CORS_ALLOW_ORIGIN=https://example.com
      - DATABASE_URL=postgresql://openwebui:XXXX@postgres:5432/openwebui
      - GLOBAL_LOG_LEVEL=DEBUG
      - ENABLE_OAUTH_SIGNUP=true
      - ENABLE_LOGIN_FORM=false
      - OAUTH_CLIENT_ID=myclientid
      - OAUTH_CLIENT_SECRET=mysecret
      - OPENID_PROVIDER_URL=https://keycloak.example.com/realms/my-realm/.well-known/openid-configuration
      - OPENID_REDIRECT_URI=https://example.com/oauth/oidc/callback
      - OAUTH_SCOPES=openid email profile
      - OAUTH_PROVIDER_NAME=Keycloak
```
2. Set up a simple Python FastAPI endpoint checking the tokens. The endpoint is OpenAI compatible with the Responses API:

```python
import ssl
import jwt
import requests
import uvicorn

from fastapi import Depends, HTTPException, Request, status, FastAPI
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from starlette.responses import Response, JSONResponse

# auto_error=False: a missing Authorization header yields None instead of an
# immediate 403, so the cookie fallback below can be tried.
security = HTTPBearer(auto_error=False)

app = FastAPI()


def decode_jwt(token: str) -> dict:
    """Verify the ID token against the Keycloak JWKS; return {} on any failure."""
    try:
        # OIDC discovery is fetched on every request here; cache it in production.
        oidc_config_ = requests.get(
            "https://keycloak.example.com/realms/My-Realm/.well-known/openid-configuration",
            timeout=10,
        ).json()

        # _create_unverified_context() disables TLS certificate checks for the
        # JWKS fetch; acceptable only in a lab setup.
        jwks_client = jwt.PyJWKClient(
            oidc_config_["jwks_uri"], ssl_context=ssl._create_unverified_context()
        )

        signing_algos = oidc_config_["id_token_signing_alg_values_supported"]

        # Select the JWKS key whose "kid" matches the token header.
        signing_key = jwks_client.get_signing_key_from_jwt(token).key

        # PyJWT verifies signature, exp, iss and aud here; an expired token
        # raises ExpiredSignatureError ("Signature has expired").
        decode_result = jwt.decode(
            token,
            options={"verify_signature": True},
            algorithms=signing_algos,
            issuer="https://keycloak.example.com/realms/My-Realm",
            key=signing_key,
            audience="account",
        )

        return decode_result
    except Exception as e:
        print(f"Error: {e}")
        return {}


def validate_oauth_request(
    request: Request,
    credentials: HTTPAuthorizationCredentials | None = Depends(security),
):
    token = None

    # This used to work with the old OpenWebUI version, which sent the token
    # via the Authorization HTTP header.
    if credentials:
        if credentials.scheme != "Bearer":
            print("ERROR: Invalid authentication scheme")
            raise HTTPException(status_code=401)
        token = credentials.credentials

    # Now we fetch it through the cookie that v0.8.11 sends instead.
    cookie_token = request.cookies.get("oauth_id_token")
    if not token and cookie_token:
        token = cookie_token
    elif not token:
        print("ERROR: No Auth Token provided at all")
        raise HTTPException(status_code=401)

    payload = decode_jwt(token)

    if not payload:
        print("ERROR: Invalid or expired token!")
        raise HTTPException(status_code=401)

    print("OK: Auth successful!")


@app.post("/responses")
async def generate_chat_completion(
    roles=Depends(validate_oauth_request),
) -> Response:
    # Stub response: the real wrapper does RAG and forwards to Ollama.
    return JSONResponse(
        status_code=status.HTTP_201_CREATED, content={"message": "success"}
    )


@app.get("/models")
async def list_models():
    # Minimal model list so OpenWebUI accepts this as an OpenAI-compatible backend.
    return JSONResponse(
        status_code=status.HTTP_200_OK,
        content=[
            {
                "id": "sample_model",
                "created": 10000000,
                "object": "model",
                "owned_by": "org",
            },
        ],
    )


uvicorn.run(app, host="0.0.0.0", port=8080)
```

When adding this endpoint as an OpenAI-compatible endpoint in OpenWebUI and then signing into OpenWebUI, this call will pass authentication until the initially fetched token expires; afterwards you'll receive the error:

```
Error: Signature has expired
```

Hence the token is not refreshed and an old token is sent to the backend API.


More details (I don't consider these to be relevant for this issue)

In front of OpenWebUI I do have an Nginx reverse proxy in place:


```nginx
server {
    listen       443;
    server_name  example.com;

    # SSL Config omitted

    location / {
        proxy_pass         http://openwebui;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

In OpenWebUI I have selected `oAuth` as the auth method.

Logs & Screenshots

The Python API is stating `Signature has expired`.

Additional Information

No response

GiteaMirror added the bug label 2026-05-05 23:23:47 -05:00
Author
Owner

@tjbck commented on GitHub (Mar 26, 2026):

Nothing's changed from our end, I'd suggest you double check any configuration issues from your end.

Reference: github-starred/open-webui#58548