[GH-ISSUE #23582] issue: [Bug] OIDC Authentication fails after Identity Provider Key Rotation (bad_signature) #58684

Closed
opened 2026-05-05 23:42:05 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @IRScorpio on GitHub (Apr 10, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23582

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Pip Install

Open WebUI Version

v0.6.32

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When a "bad_signature" error is encountered during the OAuth callback validation, Open WebUI should not immediately fail. Instead, it should proactively re-fetch the latest JWKS (public keys) from the provider's jwks_uri to check if the keys have been updated, and then retry the validation once more before returning an error.

Actual Behavior

Currently, when the Identity Provider rotates its keys, Open WebUI continues to use the old cached keys to validate new tokens. This results in a persistent "bad_signature" error for all login attempts. The system remains in this broken state until the service is manually restarted, which is the only way to force a refresh of the OIDC public keys.

Steps to Reproduce

  1. Configure OIDC with a provider that has a frequent Key Rotation policy (e.g., rotating keys every 24 hours).
  2. Log in successfully once to establish a session and initial key cache.
  3. Wait for the Identity Provider (IdP) to rotate its signing keys.
  4. Attempt to log in again after the rotation.
  5. The login fails, and a "bad_signature" error appears in the backend logs.

Logs & Screenshots

DEBUG | httpcore._trace:atrace:87 - receive_response_headers.started request=<Request [b'POST']>
INFO | uvicorn.protocols.http.httptools_impl:send:476 - [CLIENT_IP] - "GET /oauth/oidc/login HTTP/1.1" 302
DEBUG | httpcore._trace:atrace:87 - receive_response_headers.complete return_value=(b'HTTP/1.1', 200, b'OK', [(b'Server', b'Apache'), (b'Set-Cookie', 'REDACTED'), (b'Content-Type', b'application/json')])
INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https://[IDP_DOMAIN]/oauth2/token "HTTP/1.1 200 OK"
DEBUG | httpcore._trace:atrace:87 - receive_response_body.complete
WARNING | open_webui.utils.oauth:handle_callback:1073 - OAuth callback error: bad_signature:
ERROR | open_webui.utils.oauth:handle_callback:1266 - Error during OAuth process: 400: The email or password provided is incorrect.
INFO | uvicorn.protocols.http.httptools_impl:send:476 - [CLIENT_IP] - "GET /oauth/oidc/callback?code=[REDACTED]&state=[REDACTED] HTTP/1.1" 307
INFO | uvicorn.protocols.http.httptools_impl:send:476 - [CLIENT_IP] - "GET /auth?error=The%20email%20or%20password%20provided%20is%20incorrect. HTTP/1.1" 200

Additional Information

  • Open WebUI Version: v0.6.32
  • Deployment: Native Systemd Service on Ubuntu 22.04
  • Context: This issue occurs because the OIDC Provider (a University IdP) rotates its signing keys daily for security. Open WebUI seems to cache the OIDC configuration/keys at startup and does not refresh them dynamically upon signature failure, requiring a full service restart to allow new logins.
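The refresh-and-retry behaviour requested under "Expected Behavior", written out as an added example (this is not Open WebUI's code; `JwksCache` and `FakeIdP` are constructed names, and an HMAC-SHA256 check stands in for the RS256/ES256 verification a real JWT library performs). Keys are looked up by `kid`; an unknown `kid` or a failed signature triggers one re-fetch of the JWKS and one retry, and the re-fetch is rate-limited so that a stream of tokens with invalid signatures cannot turn every callback into a request to `jwks_uri`.

```python
import hashlib
import hmac
import time

class BadSignature(Exception):
    pass

class JwksCache:
    """Key cache that re-fetches jwks_uri on an unknown kid or a failed
    signature, at most once per min_refresh_interval, then retries once."""
    def __init__(self, fetch_jwks, min_refresh_interval=60.0, clock=time.monotonic):
        self._fetch, self._interval, self._clock = fetch_jwks, min_refresh_interval, clock
        self._keys = {}                     # kid -> key material
        self._last_refresh = float("-inf")  # first refresh is always allowed
        self.refresh_count = 0              # observable for tests/metrics

    def refresh(self):
        """Re-fetch keys unless a refresh happened too recently (rate limit)."""
        now = self._clock()
        if now - self._last_refresh < self._interval:
            return False
        self._keys = dict(self._fetch())
        self._last_refresh, self.refresh_count = now, self.refresh_count + 1
        return True

    def _check(self, kid, payload, sig):
        key = self._keys.get(kid)
        # HMAC-SHA256 stands in for the RS256/ES256 check a real JWT library does.
        return key is not None and hmac.compare_digest(
            hmac.new(key, payload, hashlib.sha256).digest(), sig)

    def verify(self, kid, payload, sig):
        if self._check(kid, payload, sig):
            return True
        # Cached keys failed: refresh once (if the rate limit allows) and retry.
        if self.refresh() and self._check(kid, payload, sig):
            return True
        raise BadSignature(f"bad_signature for kid={kid!r}")

class FakeIdP:
    """Constructed stand-in for the provider; rotate() simulates daily key rotation."""
    def __init__(self):
        self.generation = 0
        self.rotate()
    def rotate(self):
        self.generation += 1
        self.kid = f"key-{self.generation}"
        self.key = hashlib.sha256(f"constructed-secret-{self.generation}".encode()).digest()
    def jwks(self):
        return {self.kid: self.key}
    def issue(self, payload):
        return self.kid, payload, hmac.new(self.key, payload, hashlib.sha256).digest()
```

A login right after rotation succeeds with exactly one extra JWKS fetch, while a second bad signature inside the cooldown window fails immediately without another fetch.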
GiteaMirror added the bug label 2026-05-05 23:42:05 -05:00
Reference: github-starred/open-webui#58684