[GH-ISSUE #24138] issue: MCP OAuth 2.1 tool server token endpoint ignores OAUTH_TIMEOUT — httpx.ReadTimeout for slow providers (regression from #15366) #58872

Open
opened 2026-05-06 00:19:05 -05:00 by GiteaMirror · 0 comments

Originally created by @dennis-vanstrien on GitHub (Apr 25, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24138

Check Existing Issues

I have searched the existing issues and discussions.
I am using the latest version of Open WebUI.

Open WebUI Version

0.9.2 (latest as of April 2026)

Installation Method

Docker

Description

PR #15366 added OAUTH_TIMEOUT to fix httpx.ReadTimeout for OIDC SSO login flows. However, the fix was not applied to the MCP tool server OAuth 2.1 path. The add_client() function in oauth.py (used for MCP tool connections) still has a hardcoded default httpx timeout with no env var override.

Expected Behavior

OAUTH_TIMEOUT should control the timeout for all OAuth flows, including MCP tool server OAuth 2.1 token exchanges.

Actual Behavior

When connecting an MCP tool server that uses OAuth 2.1 (e.g. Lucid: https://mcp.lucid.app/mcp), the token endpoint at https://mcp.lucid.app/oauth/token takes ~5.71 seconds to respond. The default httpx timeout of 5 seconds causes the callback to fail:

```
httpx.ReadTimeout
OAuth callback failed: ReadTimeout
```

Setting OAUTH_TIMEOUT=60 in the environment has no effect on the MCP path — confirmed by inspecting the source: OAUTH_TIMEOUT has 0 references in add_client() in v0.9.2.

Root Cause

In backend/open_webui/utils/oauth.py, the add_client() method builds client_kwargs without reading OAUTH_TIMEOUT:

```python
'client_kwargs': {
    'follow_redirects': True,
    # OAUTH_TIMEOUT is NOT applied here — unlike the OIDC path fixed by #15366
},
```

Workaround

Manually adding 'timeout': 60.0 to client_kwargs in add_client() resolves the issue.

Suggested Fix

Apply OAUTH_TIMEOUT to the client_kwargs in add_client(), consistent with how #15366 fixed the OIDC path:

```python
'client_kwargs': {
    'follow_redirects': True,
    'timeout': OAUTH_TIMEOUT,
},
```

Steps to Reproduce

  1. Add an MCP tool server with OAuth 2.1 auth (e.g. https://mcp.lucid.app/mcp)
  2. Complete the OAuth authorization flow (login + consent)
  3. Observe "OAuth callback failed: ReadTimeout" in the UI
  4. Check container logs for httpx.ReadTimeout when POSTing to the token endpoint

Additional Information

- Related issue: #15365
- Related PR: #15366 (fixed OIDC SSO path but missed the MCP add_client() path in the same file)
- Token endpoint latency confirmed at ~5.71s from container via direct httpx test
- OAUTH_TIMEOUT=60 env var has 0 references in add_client() — it has no effect on the MCP OAuth path
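
Added example, not part of the original issue and not Open WebUI's code: one way to keep the OIDC and MCP paths from diverging is to build client_kwargs in a single helper that reads OAUTH_TIMEOUT, shown here against a constructed slow token endpoint. Assumptions: `build_client_kwargs`, `MAX_TIMEOUT`, `SlowTokenEndpoint` and `exchange` are hypothetical names, the 120 s ceiling is an arbitrary choice, the endpoint delay is scaled down from ~5.71 s to 0.4 s, and the standard library's urllib stands in for httpx so the block runs offline.

```python
import os
import socket
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_TIMEOUT = 120.0  # assumed ceiling: a typo must not let a callback hang for hours

def build_client_kwargs(env=os.environ):
    """Hypothetical shared builder: every OAuth client gets the same timeout."""
    kwargs = {"follow_redirects": True}
    raw = env.get("OAUTH_TIMEOUT", "").strip()
    if raw:
        value = float(raw)  # ValueError on garbage, at startup rather than mid-login
        if value <= 0:
            raise ValueError("OAUTH_TIMEOUT must be a positive number of seconds")
        kwargs["timeout"] = min(value, MAX_TIMEOUT)
    return kwargs  # no "timeout" key means the HTTP client's default applies

class SlowTokenEndpoint(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        time.sleep(0.4)  # constructed stand-in for the slow token endpoint
        body = b'{"access_token": "constructed-sample"}'
        try:
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except OSError:
            pass  # the client already gave up and closed the socket

def exchange(timeout):
    """POST to the local slow endpoint; return 'ok' or 'ReadTimeout'."""
    server = HTTPServer(("127.0.0.1", 0), SlowTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/oauth/token"
    try:
        urllib.request.urlopen(url, data=b"grant_type=authorization_code", timeout=timeout).read()
        return "ok"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "ReadTimeout"
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(exchange(0.1), exchange(build_client_kwargs({"OAUTH_TIMEOUT": "2"})["timeout"]))
```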

Reference: github-starred/open-webui#58872