mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[GH-ISSUE #23197] issue: cookie_expires NameError in OAuthManager.handle_callback
#58583
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @soonlai814 on GitHub (Mar 29, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23197
Check Existing Issues
Installation Method
Git Clone
Open WebUI Version
v0.8.12
Ollama Version (if applicable)
No response
Operating System
macOS / Linux (affects all platforms — Python runtime error)
Browser (if applicable)
No response
Confirmation
README.md.Expected Behavior
After a successful OAuth login, the server sets an
oauth_session_idcookie containing the server-side session ID, allowing subsequent requests to look up and refresh OAuth tokens for MCP tool access.Actual Behavior
A
NameErroris raised insideOAuthManager.handle_callbackevery time a user logs in via OAuth (whenJWT_EXPIRES_INis configured, which is the default). The variablecookie_expiresis referenced but never defined in the method.The exception is silently swallowed by the surrounding
try/exceptblock, logged as'Failed to store OAuth session server-side', and theoauth_session_idcookie is never set. The user is redirected as if login succeeded, making this failure invisible.Steps to Reproduce
main).OAUTH_PROVIDERS.JWT_EXPIRES_INis set (it is by default)./oauth/{provider}/callback), observe the server logs.Failed to store OAuth session server-sidewith aNameError: name 'cookie_expires' is not definedtraceback.oauth_session_idcookie is present.Logs & Screenshots
Server-side log output:
Affected code (
backend/open_webui/utils/oauth.py—OAuthManager.handle_callback):Additional Information
Proposed fix — define
cookie_expiresimmediately aftercookie_max_age:datetimeis already imported at the top of the file (from datetime import datetime, timedelta), so no import changes are needed.Alternative fix — simply remove the
'expires': cookie_expireskey from theoauth_session_idcookie kwargs to match the pattern of the other two cookies (tokenandoauth_id_token) in the same method, which use onlymax_age.Note: The other two cookies (
token,oauth_id_token) are not affected by this bug.@tjbck commented on GitHub (Apr 1, 2026):
Addressed in dev.
@Classic298 commented on GitHub (Apr 1, 2026):
18f6ec68b9