[PR #9456] [MERGED] fix: check for email claim before skipping userinfo endpoint #61230

Closed
opened 2026-05-06 04:39:08 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/9456
Author: @mitomac
Created: 2/6/2025
Status: Merged
Merged: 2/6/2025
Merged by: @tjbck

Base: devHead: fix-oidc-email-claim-new


📝 Commits (1)

  • 34b62e7 fix: check for email claim before skipping userinfo endpoint

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 backend/open_webui/utils/oauth.py (+1 -1)

📄 Description

Fixes #9452

Description

Fixes an issue where OIDC authentication fails when the email claim is only available via the userinfo endpoint but not in the token's userinfo data. This affects OIDC providers (like Duke) that follow the pattern of providing complete user information through the userinfo endpoint rather than in the token response.

Changelog

Fixed

  • OIDC authentication now properly fetches email claim from userinfo endpoint when not present in token data
  • Prevents authentication failures with OIDC providers that separate token and userinfo responses

Changed

  • Modified the userinfo data fetch logic to check specifically for required email claim

Implementation Details

The fix modifies the OIDC authentication flow to check not just for the presence of userinfo data in the token, but specifically for the required email claim. If the email claim is missing, it will make a call to the userinfo endpoint to fetch complete user data.

Code Changes

In /app/backend/open_webui/utils/oauth.py:

# Before
user_data: UserInfo = token.get("userinfo")
if not user_data:
    user_data: UserInfo = await client.userinfo(token=token)

# After
user_data: UserInfo = token.get("userinfo")
if not user_data or "email" not in user_data:
    user_data: UserInfo = await client.userinfo(token=token)

---

<sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/9456 **Author:** [@mitomac](https://github.com/mitomac) **Created:** 2/6/2025 **Status:** ✅ Merged **Merged:** 2/6/2025 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix-oidc-email-claim-new` --- ### 📝 Commits (1) - [`34b62e7`](https://github.com/open-webui/open-webui/commit/34b62e71cc1b0c3d98e7bc2b9d1091e2fbf1f0d2) fix: check for email claim before skipping userinfo endpoint ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/oauth.py` (+1 -1) </details> ### 📄 Description # Fixes #9452 ## Description Fixes an issue where OIDC authentication fails when the email claim is only available via the userinfo endpoint but not in the token's userinfo data. This affects OIDC providers (like Duke) that follow the pattern of providing complete user information through the userinfo endpoint rather than in the token response. ## Changelog ### Fixed - OIDC authentication now properly fetches email claim from userinfo endpoint when not present in token data - Prevents authentication failures with OIDC providers that separate token and userinfo responses ### Changed - Modified the userinfo data fetch logic to check specifically for required email claim ## Implementation Details The fix modifies the OIDC authentication flow to check not just for the presence of userinfo data in the token, but specifically for the required email claim. If the email claim is missing, it will make a call to the userinfo endpoint to fetch complete user data. ### Code Changes In `/app/backend/open_webui/utils/oauth.py`: ```python # Before user_data: UserInfo = token.get("userinfo") if not user_data: user_data: UserInfo = await client.userinfo(token=token) # After user_data: UserInfo = token.get("userinfo") if not user_data or "email" not in user_data: user_data: UserInfo = await client.userinfo(token=token) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 04:39:08 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#61230