[GH-ISSUE #23197] issue: cookie_expires NameError in OAuthManager.handle_callback #58583

Closed
opened 2026-05-05 23:28:54 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @soonlai814 on GitHub (Mar 29, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23197

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.8.12

Ollama Version (if applicable)

No response

Operating System

macOS / Linux (affects all platforms — Python runtime error)

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

After a successful OAuth login, the server sets an oauth_session_id cookie containing the server-side session ID, allowing subsequent requests to look up and refresh OAuth tokens for MCP tool access.

Actual Behavior

A NameError is raised inside OAuthManager.handle_callback every time a user logs in via OAuth (when JWT_EXPIRES_IN is configured, which is the default). The variable cookie_expires is referenced but never defined in the method.

The exception is silently swallowed by the surrounding try/except block, logged as 'Failed to store OAuth session server-side', and the oauth_session_id cookie is never set. The user is redirected as if login succeeded, making this failure invisible.

Steps to Reproduce

  1. Start with a clean install of Open WebUI (git clone, latest main).
  2. Configure any OAuth provider (e.g. Google, GitHub) via OAUTH_PROVIDERS.
  3. Ensure JWT_EXPIRES_IN is set (it is by default).
  4. Open the browser and navigate to the login page.
  5. Click the OAuth login button and complete authentication with the provider.
  6. After the provider redirects back to Open WebUI's callback URL (/oauth/{provider}/callback), observe the server logs.
  7. The log will contain: Failed to store OAuth session server-side with a NameError: name 'cookie_expires' is not defined traceback.
  8. Inspect browser cookies — no oauth_session_id cookie is present.

Logs & Screenshots

Server-side log output:

ERROR - Failed to store OAuth session server-side
Traceback (most recent call last):
  File ".../open_webui/utils/oauth.py", line <N>, in handle_callback
    **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}),
NameError: name 'cookie_expires' is not defined

Affected code (backend/open_webui/utils/oauth.pyOAuthManager.handle_callback):

# Compute cookie expiry from JWT lifetime
expires_delta = parse_duration(auth_manager_config.JWT_EXPIRES_IN)
cookie_max_age = int(expires_delta.total_seconds()) if expires_delta else None
# cookie_expires is never defined here ↑

# ... later in the same method ...

if session:
    response.set_cookie(
        key='oauth_session_id',
        value=session.id,
        httponly=True,
        samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
        secure=WEBUI_AUTH_COOKIE_SECURE,
        **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}),
        #                                        ^^^^^^^^^^^^^^
        #                              NameError: name 'cookie_expires' is not defined
    )

Additional Information

Proposed fix — define cookie_expires immediately after cookie_max_age:

# Compute cookie expiry from JWT lifetime
expires_delta = parse_duration(auth_manager_config.JWT_EXPIRES_IN)
cookie_max_age = int(expires_delta.total_seconds()) if expires_delta else None
cookie_expires = int((datetime.now() + expires_delta).timestamp()) if expires_delta else None

datetime is already imported at the top of the file (from datetime import datetime, timedelta), so no import changes are needed.

Alternative fix — simply remove the 'expires': cookie_expires key from the oauth_session_id cookie kwargs to match the pattern of the other two cookies (token and oauth_id_token) in the same method, which use only max_age.

Note: The other two cookies (token, oauth_id_token) are not affected by this bug.

Originally created by @soonlai814 on GitHub (Mar 29, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23197 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version v0.8.12 ### Ollama Version (if applicable) _No response_ ### Operating System macOS / Linux (affects all platforms — Python runtime error) ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior After a successful OAuth login, the server sets an `oauth_session_id` cookie containing the server-side session ID, allowing subsequent requests to look up and refresh OAuth tokens for MCP tool access. ### Actual Behavior A `NameError` is raised inside `OAuthManager.handle_callback` every time a user logs in via OAuth (when `JWT_EXPIRES_IN` is configured, which is the default). The variable `cookie_expires` is referenced but **never defined** in the method. The exception is silently swallowed by the surrounding `try/except` block, logged as `'Failed to store OAuth session server-side'`, and the `oauth_session_id` cookie is never set. The user is redirected as if login succeeded, making this failure invisible. ### Steps to Reproduce 1. Start with a clean install of Open WebUI (git clone, latest `main`). 2. Configure any OAuth provider (e.g. Google, GitHub) via `OAUTH_PROVIDERS`. 3. Ensure `JWT_EXPIRES_IN` is set (it is by default). 4. Open the browser and navigate to the login page. 5. Click the OAuth login button and complete authentication with the provider. 6. After the provider redirects back to Open WebUI's callback URL (`/oauth/{provider}/callback`), observe the server logs. 7. The log will contain: `Failed to store OAuth session server-side` with a `NameError: name 'cookie_expires' is not defined` traceback. 8. Inspect browser cookies — no `oauth_session_id` cookie is present. ### Logs & Screenshots Server-side log output: ``` ERROR - Failed to store OAuth session server-side Traceback (most recent call last): File ".../open_webui/utils/oauth.py", line <N>, in handle_callback **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}), NameError: name 'cookie_expires' is not defined ``` **Affected code** (`backend/open_webui/utils/oauth.py` — `OAuthManager.handle_callback`): ```python # Compute cookie expiry from JWT lifetime expires_delta = parse_duration(auth_manager_config.JWT_EXPIRES_IN) cookie_max_age = int(expires_delta.total_seconds()) if expires_delta else None # cookie_expires is never defined here ↑ # ... later in the same method ... if session: response.set_cookie( key='oauth_session_id', value=session.id, httponly=True, samesite=WEBUI_AUTH_COOKIE_SAME_SITE, secure=WEBUI_AUTH_COOKIE_SECURE, **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}), # ^^^^^^^^^^^^^^ # NameError: name 'cookie_expires' is not defined ) ``` ### Additional Information **Proposed fix** — define `cookie_expires` immediately after `cookie_max_age`: ```python # Compute cookie expiry from JWT lifetime expires_delta = parse_duration(auth_manager_config.JWT_EXPIRES_IN) cookie_max_age = int(expires_delta.total_seconds()) if expires_delta else None cookie_expires = int((datetime.now() + expires_delta).timestamp()) if expires_delta else None ``` `datetime` is already imported at the top of the file (`from datetime import datetime, timedelta`), so no import changes are needed. **Alternative fix** — simply remove the `'expires': cookie_expires` key from the `oauth_session_id` cookie kwargs to match the pattern of the other two cookies (`token` and `oauth_id_token`) in the same method, which use only `max_age`. Note: The other two cookies (`token`, `oauth_id_token`) are not affected by this bug.
GiteaMirror added the bug label 2026-05-05 23:28:54 -05:00
Author
Owner

@tjbck commented on GitHub (Apr 1, 2026):

Addressed in dev.

<!-- gh-comment-id:4169003800 --> @tjbck commented on GitHub (Apr 1, 2026): Addressed in dev.
Author
Owner

@Classic298 commented on GitHub (Apr 1, 2026):

18f6ec68b9

<!-- gh-comment-id:4169362247 --> @Classic298 commented on GitHub (Apr 1, 2026): https://github.com/open-webui/open-webui/commit/18f6ec68b9fdbb0ad702a45383a741d38ff922ee
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#58583