issue: Microsoft Entra ID (OIDC) login results in a redirect loop #5957

Closed
opened 2025-11-11 16:40:06 -06:00 by GiteaMirror · 9 comments

Originally created by @josem-vexcel on GitHub (Aug 4, 2025).

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.18

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

Brave without extensions

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The user should be logged in and redirected to the main chat interface.

Actual Behavior

When attempting to log in using Microsoft Entra ID (Azure AD) OIDC, the
authentication flow redirects back to the login page after successful
authentication with Microsoft. The browser console shows a Not found:
/oauth/callback/microsoft error, indicating the backend is not handling the
callback route.

Steps to Reproduce

To Reproduce

  1. Deploy using docker-compose.yml
  2. Configure Open WebUI for Microsoft OIDC authentication.
  3. Attempt to log in via the Microsoft SSO button.
  4. After successful authentication with Microsoft, the browser is redirected back to the Open WebUI login page.

Logs & Screenshots

The backend logs show a successful GET /oauth/callback/microsoft?code=... request
with an HTTP 200 status code, but no subsequent token exchange or user creation
logs. There are no errors in the backend logs.

2025-08-04 10:49:48.442 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.9.2.4:0 - "GET /oauth/microsoft/login HTTP/1.1" 302 - {}
2025-08-04 10:49:49.501 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.9.2.4:0 - "GET /oauth/callback/microsoft?code=... HTTP/1.1" 200 - {}
2025-08-04 10:49:49.886 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.9.2.4:0 - "GET /manifest.json HTTP/1.1" 200 - {}
2025-08-04 10:49:50.401 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.9.2.4:0 - "GET /api/config HTTP/1.1" 200 - {}

The browser console shows the following error after being redirected to the
callback URL:
Ie: Not found: /oauth/callback/microsoft

The /api/config endpoint confirms that enable_signup is true:

{
  "features": {
    "auth": true,
    "enable_signup": true,
    ...
  }
}

Configuration

  • Open WebUI Version: v0.6.18 (also tested with :main)
  • Deployment: Docker Compose
  • Reverse Proxy: Nginx Proxy Manager

docker-compose.yml:

services:
  open-webui:
    image: ghcr.io/open-webui/open-webui:v0.6.18
    container_name: open-webui
    ports:
      - "8080:8080"
    volumes:
      - open_webui_data:/app/backend/data
    environment:
      - WEBUI_NAME=Vexcel AI
      - WEBUI_URL=https://chat.openai.vdp-prod.local
      - WEBUI_AUTH=true
      - ENABLE_OAUTH_SIGNUP=true
      - MICROSOFT_CLIENT_ID=...
      - MICROSOFT_CLIENT_SECRET=...
      - MICROSOFT_CLIENT_TENANT_ID=...
      - MICROSOFT_REDIRECT_URI=https://chat.openai.vdp-prod.local/oauth/callback/microsoft
      - MICROSOFT_OAUTH_SCOPE="openid User.Read email profile"
      - OPENID_PROVIDER_URL=https://login.microsoftonline.com/{TENANT_ID}/v2.0
      - WEBUI_SECRET_KEY=...
    restart: always
    networks:
      - ai-network

Additional Information

Troubleshooting Steps Taken

  • Verified all MICROSOFT_* and WEBUI_URL environment variables match the Azure App
    Registration.
  • Hardcoded all environment variables directly in docker-compose.yml to rule out
    .env parsing issues.
  • Confirmed Nginx Proxy Manager is configured with Websockets Support and forwards
    Host and X-Forwarded-Proto headers. Also have the same issue from localhost:3000
  • Switched from :main tag to stable v0.6.18.
  • Completely deleted the Docker volume and restarted to ensure ENABLE_SIGNUP=true
    was loaded from a fresh database.
  • Generated a new WEBUI_SECRET_KEY.

Despite all configuration being correct, the backend consistently fails to handle
the callback route.

GiteaMirror added the bug label 2025-11-11 16:40:06 -06:00

@nielsq commented on GitHub (Aug 8, 2025):

I had a similar issue.
Downgrade to v0.6.10 and see if that works.
In the v0.6.10 release notes they said:

> 🧩 Admin Settings: OAuth Redirects Now Use WEBUI_URL: The OAuth redirect URL is now based on the explicitly set WEBUI_URL, ensuring single sign-on and identity provider integrations always send users to the correct frontend.

Let me know if that works. I don't remember how I resolved it, but let's see.


@Classic298 commented on GitHub (Aug 8, 2025):

Did you set the WEBUI_URL or not? This is a required variable to be set in the admin panel.


@josem-vexcel commented on GitHub (Aug 11, 2025):

@nielsq, unfortunately, I experience the same behavior in v0.6.10

@Classic298 I did set the value in the .env file
docker compose exec open-webui env | grep WEBUI_URL
WEBUI_URL=https://chat.openai.my-domain.tld
Also, I can see the same value via the WebUI in the admin panel settings

Right now, I'm using v0.6.21 and still in a redirect loop.


@Classic298 commented on GitHub (Aug 11, 2025):

@josem-vexcel 0.6.10 is very old, can you try a newer version?

Did you disable all caching on your reverse proxy?


@josem-vexcel commented on GitHub (Aug 12, 2025):

> @josem-vexcel 0.6.10 is very old can you try a newer version
>
> Did you disable all caching on your reverse proxy?

I am using v0.6.21, and today I tried latest version (0.6.22) with no luck.

I don't think it's related to the proxy server because I had the same issue from http://localhost. Also cleared cache and cookies before each attempt.

I use nginx-proxy-manager in production, and have only enabled "Websockets Support" and "Force SSL" with a self-signed certificate.


@Classic298 commented on GitHub (Aug 12, 2025):

@josem-vexcel

Can you please confirm your OPENID_PROVIDER_URL is correct?

The one you provided in the issue description seems incorrect, at least when comparing it to my own config.

To me it looks like the path is generally wrong: after the tenant_id/ there should be /.well-known/openid-configuration

Also, personally, I do not even have the MICROSOFT_REDIRECT_URI configured (the default value the env var would be set to should match anyway).

Please attempt to correct the OPENID_PROVIDER_URL and temporarily comment out the redirect URI env var and see if that changes the behaviour.
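
The two settings named in the comment above, turned into a preflight check over a compose `environment:` block. This is an added example, not part of the thread or of Open WebUI's code; the function names, the `chat.example.test` host and the all-zero tenant ID are constructed, and flagging a literal `{placeholder}` in the provider URL is an assumption about what a deployed value should look like.

```python
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
CALLBACK_PATH = "/oauth/callback/microsoft"  # callback route named in the issue

def parse_compose_env(text):
    """Collect KEY=VALUE pairs from list-style `- KEY=VALUE` compose entries."""
    env = {}
    for line in text.splitlines():
        item = line.strip()
        if item.startswith("- ") and "=" in item:
            key, value = item[2:].split("=", 1)
            env[key.strip()] = value.strip()
    return env

def check_microsoft_oidc(env):
    """Return (variable, problem) findings for the settings discussed in this thread."""
    findings = []
    provider = env.get("OPENID_PROVIDER_URL", "")
    if not provider:
        findings.append(("OPENID_PROVIDER_URL", "not set"))
    else:
        if not urlsplit(provider).path.endswith(DISCOVERY_SUFFIX):
            findings.append(("OPENID_PROVIDER_URL", "does not end in " + DISCOVERY_SUFFIX))
        if "{" in provider or "}" in provider:  # assumption: must be fully expanded
            findings.append(("OPENID_PROVIDER_URL", "contains an unexpanded {placeholder}"))
    base = env.get("WEBUI_URL", "").rstrip("/")
    redirect = env.get("MICROSOFT_REDIRECT_URI")
    # An explicit redirect URI is optional; if present it must match WEBUI_URL exactly.
    if redirect is not None and base and redirect != base + CALLBACK_PATH:
        findings.append(("MICROSOFT_REDIRECT_URI", "differs from WEBUI_URL + " + CALLBACK_PATH))
    return findings

# Constructed samples: the first mirrors the issue's compose file, the second the fix.
REPORTED = """
    environment:
      - WEBUI_URL=https://chat.example.test
      - MICROSOFT_REDIRECT_URI=https://chat.example.test/oauth/callback/microsoft
      - OPENID_PROVIDER_URL=https://login.microsoftonline.com/{TENANT_ID}/v2.0
"""
FIXED = """
    environment:
      - WEBUI_URL=https://chat.example.test
      - OPENID_PROVIDER_URL=https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
"""

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, check_microsoft_oidc(parse_compose_env(text)))
```

Running a check like this before deployment surfaces the provider URL problem directly, which matters here because the backend logged no error for it.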


@Classic298 commented on GitHub (Aug 12, 2025):

If all that didn't help, I am a bit lost and can only advise you to additionally check the (recently updated) troubleshooting section in the docs

https://docs.openwebui.com/troubleshooting/sso/

https://docs.openwebui.com/features/sso/


@josem-vexcel commented on GitHub (Aug 12, 2025):

@Classic298
I commented out MICROSOFT_REDIRECT_URI and applied your change to OPENID_PROVIDER_URL and now it works!

Thanks a lot, feel free to close the issue. Otherwise I'll do it. Thanks again.


@Classic298 commented on GitHub (Aug 12, 2025):

Please do close it. I have yet to receive the permission here to close issues, haha. Maybe one day.


Reference: github-starred/open-webui#5957