[GH-ISSUE #24094] issue: Feishu OAuth env var names mismatch between code and docs #58849

New Issue

GiteaMirror · 2026-05-06T00:16:54-05:00

GiteaMirror commented

2026-05-06 00:16:54 -05:00

Originally created by @tuzkiyoung on GitHub (Apr 24, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24094

Check Existing Issues

I have searched for any existing and/or related issues.
I have searched for any existing and/or related discussions.
I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

0.9.2

Ollama Version (if applicable)

No response

Operating System

k8s

Browser (if applicable)

No response

Confirmation

I have read and followed all instructions in README.md.
I am using the latest version of both Open WebUI and Ollama.
I have included the browser console logs.
I have included the Docker container logs.
I have provided every relevant configuration, setting, and environment variable used in my setup.
I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
Start with the initial platform/version/OS and dependencies used,
Specify exact install/launch/configure commands,
List URLs visited, user input (incl. example values/emails/passwords if needed),
Describe all options and toggles enabled or changed,
Include any files or environmental changes,
Identify the expected and actual result at each stage,
Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Setting the Feishu OAuth env variables exactly as documented at env-configuration#feishu — i.e. FEISHU_CLIENT_ID,
FEISHU_CLIENT_SECRET, FEISHU_CLIENT_SCOPE, FEISHU_CLIENT_REDIRECT_URI — should produce a working Feishu login flow, with the redirect_uri parameter sent to accounts.feishu.cn
matching the configured value.

Actual Behavior

The code reads two of those variables under different names than the docs use:

Documented (env-configuration#feishu)	Actually read by code
`FEISHU_CLIENT_REDIRECT_URI`	`FEISHU_REDIRECT_URI`
`FEISHU_CLIENT_SCOPE`	`FEISHU_OAUTH_SCOPE`
`FEISHU_CLIENT_ID`	`FEISHU_CLIENT_ID` ✅
`FEISHU_CLIENT_SECRET`	`FEISHU_CLIENT_SECRET` ✅

Code refs (v0.9.2, also present on main):

Because users following the docs set FEISHU_CLIENT_REDIRECT_URI, the value the code looks for (FEISHU_REDIRECT_URI) is empty. The Feishu provider is registered with
redirect_uri='', and authlib falls back to request.url_for(...) (utils/oauth.py
L1434).

When the reverse proxy in front of Open WebUI terminates TLS but does not forward X-Forwarded-Proto: https (e.g. Aliyun ALB with the default XForwardedForProtoEnabled: false listener
config), request.url_for() produces an http://... URL. Feishu then rejects the callback as a redirect_uri mismatch. The failure is silent from Open WebUI's side — no warning at
startup, no log entry pointing at the env var name.

The mismatch dates back to docs PR https://github.com/open-webui/docs/pull/685, which named the variables to follow the *_CLIENT_* pattern used by Google/Microsoft/GitHub providers,
while the code under config.py had shipped with the shorter FEISHU_REDIRECT_URI / FEISHU_OAUTH_SCOPE names. The related fix in PRs
https://github.com/open-webui/open-webui/pull/23129 / https://github.com/open-webui/open-webui/pull/23203 (resolving https://github.com/open-webui/open-webui/issues/23128) only takes
effect when the env var name matches what the code reads — which the docs currently get wrong.

Steps to Reproduce

Deploy Open WebUI v0.9.0 or later behind a reverse proxy that terminates TLS but does not forward X-Forwarded-Proto: https (e.g. Aliyun ALB with default listener config).

Configure Feishu OAuth exactly per the docs, including:

FEISHU_CLIENT_ID=<your client id>                                                                                                                                                      
FEISHU_CLIENT_SECRET=<your client secret>                                                                                                                                              
FEISHU_CLIENT_REDIRECT_URI=https://<your-host>/oauth/feishu/callback

Visit https://<your-host>/oauth/feishu/login and inspect the 302 response.

Observed: the Location header contains redirect_uri=http%3A%2F%2F<your-host>%2Foauth%2Ffeishu%2Fcallback (note http, not https), and Feishu rejects the callback.

Workaround: rename the env var to FEISHU_REDIRECT_URI (and FEISHU_OAUTH_SCOPE if used) to match what the code actually reads. The redirect_uri then comes from the explicit value
and is unaffected by what the proxy forwards.

Logs & Screenshots

N/A

Additional Information

Option A — fix the docs (smallest change): rename FEISHU_CLIENT_REDIRECT_URI → FEISHU_REDIRECT_URI and FEISHU_CLIENT_SCOPE → FEISHU_OAUTH_SCOPE on the env-configuration page.
One PR to open-webui/docs.

Option B — fix the code (better consistency with sibling providers, but a behavior change): rename the env keys in config.py to FEISHU_CLIENT_REDIRECT_URI / FEISHU_CLIENT_SCOPE
while keeping the old names as a fallback for one or two releases so existing deployments don't break:

FEISHU_REDIRECT_URI = PersistentConfig(
    'FEISHU_CLIENT_REDIRECT_URI',      
    'oauth.feishu.redirect_uri', 
    os.environ.get('FEISHU_CLIENT_REDIRECT_URI',                                                                                                                                          
                   os.environ.get('FEISHU_REDIRECT_URI', '')),
)

Independent of A/B, it would help users a lot if FEISHU_CLIENT_ID being set while the redirect URI env var is empty produced a startup warning, so the silent fallback to http:// URLs
doesn't go unnoticed.

Happy to send a PR for whichever direction you prefer.

Originally created by @tuzkiyoung on GitHub (Apr 24, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/24094 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Other ### Open WebUI Version 0.9.2 ### Ollama Version (if applicable) _No response_ ### Operating System k8s ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Setting the Feishu OAuth env variables exactly as documented at [env-configuration#feishu](https://docs.openwebui.com/reference/env-configuration/#feishu) — i.e. `FEISHU_CLIENT_ID`, `FEISHU_CLIENT_SECRET`, `FEISHU_CLIENT_SCOPE`, `FEISHU_CLIENT_REDIRECT_URI` — should produce a working Feishu login flow, with the `redirect_uri` parameter sent to `accounts.feishu.cn` matching the configured value. ### Actual Behavior The code reads two of those variables under different names than the docs use: | Documented (env-configuration#feishu) | Actually read by code | |---|---| | `FEISHU_CLIENT_REDIRECT_URI` | **`FEISHU_REDIRECT_URI`** | | `FEISHU_CLIENT_SCOPE` | **`FEISHU_OAUTH_SCOPE`** | | `FEISHU_CLIENT_ID` | `FEISHU_CLIENT_ID` ✅ | | `FEISHU_CLIENT_SECRET` | `FEISHU_CLIENT_SECRET` ✅ | Code refs (v0.9.2, also present on `main`): - https://github.com/open-webui/open-webui/blob/v0.9.2/backend/open_webui/config.py#L626-L635 - https://github.com/open-webui/open-webui/blob/v0.9.2/backend/open_webui/config.py#L866-L869 Because users following the docs set `FEISHU_CLIENT_REDIRECT_URI`, the value the code looks for (`FEISHU_REDIRECT_URI`) is empty. The Feishu provider is registered with `redirect_uri=''`, and authlib falls back to `request.url_for(...)` ([utils/oauth.py L1434](https://github.com/open-webui/open-webui/blob/v0.9.2/backend/open_webui/utils/oauth.py#L1434)). When the reverse proxy in front of Open WebUI terminates TLS but does not forward `X-Forwarded-Proto: https` (e.g. Aliyun ALB with the default `XForwardedForProtoEnabled: false` listener config), `request.url_for()` produces an `http://...` URL. Feishu then rejects the callback as a `redirect_uri` mismatch. The failure is silent from Open WebUI's side — no warning at startup, no log entry pointing at the env var name. The mismatch dates back to docs PR https://github.com/open-webui/docs/pull/685, which named the variables to follow the `*_CLIENT_*` pattern used by Google/Microsoft/GitHub providers, while the code under `config.py` had shipped with the shorter `FEISHU_REDIRECT_URI` / `FEISHU_OAUTH_SCOPE` names. The related fix in PRs https://github.com/open-webui/open-webui/pull/23129 / https://github.com/open-webui/open-webui/pull/23203 (resolving https://github.com/open-webui/open-webui/issues/23128) only takes effect when the env var name matches what the code reads — which the docs currently get wrong. ### Steps to Reproduce 1. Deploy Open WebUI v0.9.0 or later behind a reverse proxy that terminates TLS but does **not** forward `X-Forwarded-Proto: https` (e.g. Aliyun ALB with default listener config). 2. Configure Feishu OAuth exactly per the docs, including: ``` FEISHU_CLIENT_ID=<your client id> FEISHU_CLIENT_SECRET=<your client secret> FEISHU_CLIENT_REDIRECT_URI=https://<your-host>/oauth/feishu/callback ``` 3. Visit `https://<your-host>/oauth/feishu/login` and inspect the 302 response. Observed: the `Location` header contains `redirect_uri=http%3A%2F%2F<your-host>%2Foauth%2Ffeishu%2Fcallback` (note `http`, not `https`), and Feishu rejects the callback. Workaround: rename the env var to `FEISHU_REDIRECT_URI` (and `FEISHU_OAUTH_SCOPE` if used) to match what the code actually reads. The `redirect_uri` then comes from the explicit value and is unaffected by what the proxy forwards. ### Logs & Screenshots N/A ### Additional Information **Option A — fix the docs** (smallest change): rename `FEISHU_CLIENT_REDIRECT_URI` → `FEISHU_REDIRECT_URI` and `FEISHU_CLIENT_SCOPE` → `FEISHU_OAUTH_SCOPE` on the env-configuration page. One PR to [open-webui/docs](https://github.com/open-webui/docs). **Option B — fix the code** (better consistency with sibling providers, but a behavior change): rename the env keys in `config.py` to `FEISHU_CLIENT_REDIRECT_URI` / `FEISHU_CLIENT_SCOPE` while keeping the old names as a fallback for one or two releases so existing deployments don't break: ```python FEISHU_REDIRECT_URI = PersistentConfig( 'FEISHU_CLIENT_REDIRECT_URI', 'oauth.feishu.redirect_uri', os.environ.get('FEISHU_CLIENT_REDIRECT_URI', os.environ.get('FEISHU_REDIRECT_URI', '')), ) ``` Independent of A/B, it would help users a lot if `FEISHU_CLIENT_ID` being set while the redirect URI env var is empty produced a startup warning, so the silent fallback to `http://` URLs doesn't go unnoticed. Happy to send a PR for whichever direction you prefer.

GiteaMirror added the bug label 2026-05-06 00:16:54 -05:00

GiteaMirror commented

2026-05-06 00:16:56 -05:00

@Ansh1372 commented on GitHub (Apr 27, 2026):

Hi! I'm a first-time contributor and would love to work on this.

I'd like to go with Option A — fixing the docs to match what
the code actually reads (renaming FEISHU_CLIENT_REDIRECT_URI
→ FEISHU_REDIRECT_URI and FEISHU_CLIENT_SCOPE → FEISHU_OAUTH_SCOPE).

Could a maintainer confirm this is the preferred approach
before I open a PR? Thank you!

@Ansh1372 commented on GitHub (Apr 27, 2026): Hi! I'm a first-time contributor and would love to work on this. I'd like to go with Option A — fixing the docs to match what the code actually reads (renaming FEISHU_CLIENT_REDIRECT_URI → FEISHU_REDIRECT_URI and FEISHU_CLIENT_SCOPE → FEISHU_OAUTH_SCOPE). Could a maintainer confirm this is the preferred approach before I open a PR? Thank you!

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#58849