github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 11:28:35 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #23669] Bug: OAuth session stores expires_at=None when token response omits expires_in, disabling refresh #58707

New Issue
Closed
opened 2026-05-05 23:44:21 -05:00 by GiteaMirror · 2 comments
GiteaMirror commented 2026-05-05 23:44:21 -05:00
Owner
Copy Link

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23669

Summary

On the OAuth callback, expires_at is derived from expires_in:

if 'expires_in' in token and 'expires_at' not in token:
    token['expires_at'] = datetime.now().timestamp() + token['expires_in']

If the token response lacks expires_in (some providers return only expires_at, or omit expiration entirely for certain grant types), expires_at is never populated. The session is then persisted with expires_at=None:

'expires_at': token.get('expires_at'),   # models/oauth_sessions.py:125

Impact

  • get_oauth_token cannot evaluate datetime.fromtimestamp(session.expires_at) when it's None, causing either a TypeError or a silent skip.
  • Tokens are never proactively refreshed. The next tool invocation after the token actually expires (unknown to us) fails with a 401 from the resource.

Location

  • backend/open_webui/utils/oauth.py ~ lines 881–882 (callback normalisation)
  • backend/open_webui/models/oauth_sessions.py ~ line 125 (persistence)
  • backend/open_webui/utils/oauth.py ~ line 706 (proactive-refresh check)

Suggested fix

  • If the provider returns expires_at directly, trust it.
  • If neither expires_in nor expires_at is present, either (a) fall back to a conservative default (e.g. 1 hour) and log a warning, or (b) always attempt a silent refresh before using the token, and surface a clear re-auth error if refresh fails.
  • Guard the expiry comparison against None so it never throws.
Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23669 ### Summary On the OAuth callback, `expires_at` is derived from `expires_in`: ```python if 'expires_in' in token and 'expires_at' not in token: token['expires_at'] = datetime.now().timestamp() + token['expires_in'] ``` If the token response lacks `expires_in` (some providers return only `expires_at`, or omit expiration entirely for certain grant types), `expires_at` is never populated. The session is then persisted with `expires_at=None`: ```python 'expires_at': token.get('expires_at'), # models/oauth_sessions.py:125 ``` ### Impact - `get_oauth_token` cannot evaluate `datetime.fromtimestamp(session.expires_at)` when it's `None`, causing either a TypeError or a silent skip. - Tokens are never proactively refreshed. The next tool invocation after the token actually expires (unknown to us) fails with a 401 from the resource. ### Location - `backend/open_webui/utils/oauth.py` ~ lines 881–882 (callback normalisation) - `backend/open_webui/models/oauth_sessions.py` ~ line 125 (persistence) - `backend/open_webui/utils/oauth.py` ~ line 706 (proactive-refresh check) ### Suggested fix - If the provider returns `expires_at` directly, trust it. - If neither `expires_in` nor `expires_at` is present, either (a) fall back to a conservative default (e.g. 1 hour) and log a warning, or (b) always attempt a silent refresh before using the token, and surface a clear re-auth error if refresh fails. - Guard the expiry comparison against `None` so it never throws.
GiteaMirror commented 2026-05-05 23:44:26 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Apr 13, 2026):

Addressed in dev.

<!-- gh-comment-id:4239409497 --> @tjbck commented on GitHub (Apr 13, 2026): Addressed in dev.
GiteaMirror commented 2026-05-05 23:44:29 -05:00
Author
Owner
Copy Link

@dhruval-gupta commented on GitHub (Apr 13, 2026):

Addressed in dev.

i saw that but i am using dev docker image but due to client id and other issues with static oauth2.1 i cannot fully test it e2e.

<!-- gh-comment-id:4239437323 --> @dhruval-gupta commented on GitHub (Apr 13, 2026): > Addressed in dev. i saw that but i am using dev docker image but due to client id and other issues with static oauth2.1 i cannot fully test it e2e.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#58707
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?