[GH-ISSUE #23670] Bug: AddToolServerModal sends tool server ID as client_id during OAuth 2.1 static registration #58708

Closed
opened 2026-05-05 23:44:35 -05:00 by GiteaMirror · 1 comment

Originally created by @dhruvalgupta2003 on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23670

Summary

When an admin registers an MCP tool server with auth_type: oauth_2.1_static, the frontend POSTs the tool server's internal ID (the value bound to id in the form) as client_id instead of the OAuth Client ID entered into the "Client ID" input (oauthClientId). The correct client_secret is sent, but the client_id is wrong.

Location

src/lib/components/AddToolServerModal.svelte, registerOAuthClientHandler():

// lines 81–94
const formData: { url: string; client_id: string; client_secret?: string } = {
    url: url,
    client_id: id          // <-- tool server id, not the OAuth client id
};

if (auth_type === 'oauth_2.1_static') {
    if (!oauthClientId || !oauthClientSecret) {
        toast.error($i18n.t('Please enter Client ID and Client Secret'));
        return;
    }
    formData.client_id = id;            // <-- line 92: still the tool server id
    formData.client_secret = oauthClientSecret;
}

The correct binding exists just a few lines down — when building info for the save payload (line ~340):

...(auth_type === 'oauth_2.1_static'
    ? { oauth_client_id: oauthClientId, oauth_client_secret: oauthClientSecret }
    : {})

So the UI state has the right value; it just isn't used at registration time.

Impact

  • Registration against the IdP is attempted with the wrong client_id, which the IdP rejects (or, worse, silently accepts and stores a useless record).
  • Users entering valid Entra AD / M365 client credentials see "Registration failed" even though the credentials are correct.

Suggested fix

Line 92:

- formData.client_id = id;
+ formData.client_id = oauthClientId;
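Review bot: The replacement on line 92 corrects only the `oauth_2.1_static` branch; the initializer at the top of the same handler still sets `client_id: id`, which the report itself marks as the tool server id. Confirm that the other auth types are meant to send the tool server id there, and if not, change the initializer as well or leave `client_id` unset until a branch assigns it. A test asserting that the posted `client_id` equals the value of the "Client ID" input for `oauth_2.1_static` would keep this from regressing.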

@tjbck commented on GitHub (Apr 13, 2026):

Addressed in dev.
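The reported behaviour and the suggested fix side by side, as an added example that is not Open WebUI code: the payload construction is pulled out of the handler into a pure function so a regression check can run against it. `ModalState`, `buildForm`, `staticClientIdIsCorrect` and the sample values are hypothetical.

```typescript
// Added example, not project code. Names and sample values are hypothetical.
type RegistrationForm = { url: string; client_id: string; client_secret?: string };

interface ModalState {
  id: string;                // internal tool server id
  url: string;
  auth_type: string;
  oauthClientId: string;     // value of the "Client ID" input
  oauthClientSecret: string; // value of the "Client Secret" input
}

// patched = false reproduces the behaviour reported in the issue,
// patched = true applies the suggested one-line fix.
function buildForm(s: ModalState, patched: boolean): RegistrationForm | null {
  const form: RegistrationForm = { url: s.url, client_id: s.id };
  if (s.auth_type === 'oauth_2.1_static') {
    // The modal shows a toast and returns here; null stands in for that.
    if (!s.oauthClientId || !s.oauthClientSecret) return null;
    form.client_id = patched ? s.oauthClientId : s.id;
    form.client_secret = s.oauthClientSecret;
  }
  return form;
}

// Regression check for static registration: the posted client_id must be the
// admin-entered OAuth client id and must not be the internal tool server id.
function staticClientIdIsCorrect(form: RegistrationForm | null, s: ModalState): boolean {
  return form !== null && form.client_id === s.oauthClientId && form.client_id !== s.id;
}

// Constructed sample state (not real credentials).
const sample: ModalState = {
  id: 'tool-server-01',
  url: 'https://mcp.example.test',
  auth_type: 'oauth_2.1_static',
  oauthClientId: 'example-oauth-client-id',
  oauthClientSecret: 'example-secret'
};

console.log('reported:', staticClientIdIsCorrect(buildForm(sample, false), sample));
console.log('patched: ', staticClientIdIsCorrect(buildForm(sample, true), sample));
```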


Reference: github-starred/open-webui#58708