[PR #15077] feat: Add Google Cloud Identity API support for OAuth group-based roles #62562

Open
opened 2026-05-06 06:46:10 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/15077
Author: @bdruth
Created: 6/17/2025
Status: 🔄 Open

Base: dev ← Head: feat/google-oauth-groups-dev


📝 Commits (10+)

  • a909fd9 feat: Add Google Cloud Identity API support for OAuth group-based roles
  • 64ce040 fix google cloud identity query string
  • cc6a1a7 update tests for adjusted query string & payload
  • 8d6cf35 feat: Add Google Cloud Identity API support for OAuth group-based roles
  • 30f4950 fix google cloud identity query string
  • 04811dd update tests for adjusted query string & payload
  • 6dbc01c - resolve merge conflicts
  • 6c86ff7 Merge pull request #1 from lgarceau768/feat/google-groups
  • d277696 Merge branch 'main' into main
  • fe6783c Merge pull request #19030 from open-webui/dev

📊 Changes

3 files changed (+595 additions, -63 deletions)

View changed files

➕ backend/open_webui/test/test_oauth_google_groups.py (+266 -0)
📝 backend/open_webui/utils/oauth.py (+234 -63)
➕ docs/oauth-google-groups.md (+95 -0)

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

  • Target branch: Please verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Have you written and run sufficient tests to validate the changes?
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards.
  • Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • feat: Introduces a new feature or enhancement to the codebase

Changelog Entry

Description

  • Added Google Cloud Identity API support for OAuth role assignment since Google SSO does not include group or role claims in JWT tokens like other OAuth2 identity providers

Added

  • Google Cloud Identity API integration to fetch user groups for role assignment
  • Support for https://www.googleapis.com/auth/cloud-identity.groups.readonly scope in Google OAuth
  • Automatic fallback to traditional claims-based authentication for non-Google providers
  • Enhanced role assignment logic that works with Google Cloud Identity API groups
  • Comprehensive test coverage for Google Cloud Identity API integration
  • Documentation for configuring Google OAuth with Cloud Identity groups

Changed

  • Modified OAuth role determination to fetch groups via Google Cloud Identity API when Google OAuth is used with the appropriate scope
  • Updated group management to support both traditional OAuth claims and Google Cloud Identity API groups

Fixed

  • Enabled proper role assignment for Google SSO users by fetching groups via API instead of relying on missing JWT claims

Security

  • Added proper URL encoding for Google Cloud Identity API queries
  • Implemented secure token handling for Google Cloud Identity API requests

Breaking Changes

  • BREAKING CHANGE: None - feature is fully backward compatible with existing OAuth configurations

Additional Information

This enhancement enables proper role assignment for Google SSO by addressing the fact that Google OAuth does not include group or role claims in JWT tokens like other OAuth2 identity providers.

Why this is needed:

  • Google OAuth JWT tokens do not contain group membership information in claims
  • Other OAuth providers (like Azure AD, Auth0, etc.) typically include group/role information in JWT claims
  • Without group information, Google SSO users cannot be properly assigned roles based on their group membership

How it works:

  • When Google OAuth is configured with cloud-identity.groups.readonly scope, the system fetches user groups via Google Cloud Identity API
  • For other OAuth providers, the system continues to use traditional claims-based role assignment
  • Graceful fallback ensures compatibility with existing configurations

Configuration Requirements:

  • Add https://www.googleapis.com/auth/cloud-identity.groups.readonly to GOOGLE_OAUTH_SCOPE
  • Configure OAUTH_ADMIN_ROLES with Google group email addresses
  • Ensure OAuth client has necessary permissions for Cloud Identity API

Screenshots or Videos

  • N/A - Backend API enhancement

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
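The group lookup and role mapping the description outlines, as an added example that is not code from this PR or from Open WebUI. It assumes the Cloud Identity `groups/-/memberships:searchDirectGroups` endpoint with a `member_key_id == '<email>'` filter and a response carrying `memberships[].groupKey.id` plus `nextPageToken`; the HTTP layer is injected so the example runs offline against constructed pages, and the names `build_search_url`, `fetch_user_groups`, `determine_role` and `CONSTRUCTED_PAGES` are this example's own. It shows the two points the PR's security section mentions: the filter value is validated and percent-encoded before it is placed in the query string, and the bearer token travels only in the `Authorization` header, with a failed lookup failing closed to the default role.

```python
"""Added example (not Open WebUI's code): map Google Cloud Identity groups
to an Open WebUI role. Endpoint, query syntax and response shape are
assumptions based on the public Cloud Identity searchDirectGroups API."""
import re
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import quote

# Assumed endpoint; the group filter is passed as the `query` parameter.
CLOUD_IDENTITY_SEARCH = (
    "https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups"
)

# The filter is an expression language, so the e-mail is embedded inside a
# single-quoted literal. Refuse anything that could break out of that literal
# (quotes, backslashes, whitespace) rather than trying to escape it.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_safe_email(email: str) -> bool:
    return _EMAIL_RE.fullmatch(email) is not None


def build_search_url(email: str, page_token: Optional[str] = None) -> str:
    """Build the lookup URL with every user-derived value percent-encoded."""
    if not is_safe_email(email):
        raise ValueError(f"refusing to embed untrusted value in query: {email!r}")
    query = f"member_key_id == '{email}'"
    url = f"{CLOUD_IDENTITY_SEARCH}?query={quote(query, safe='')}"
    if page_token:
        url += f"&pageToken={quote(page_token, safe='')}"
    return url


HttpGet = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def fetch_user_groups(email: str, access_token: str, http_get: HttpGet,
                      max_pages: int = 10) -> Set[str]:
    """Return the lower-cased e-mail addresses of the user's direct groups.

    http_get(url, headers) -> (status_code, json_body). The OAuth access token
    (which must carry cloud-identity.groups.readonly) is sent only as a bearer
    header, never in the URL, so it does not land in access logs.
    """
    headers = {"Authorization": f"Bearer {access_token}"}
    groups: Set[str] = set()
    page_token: Optional[str] = None
    for _ in range(max_pages):
        status, body = http_get(build_search_url(email, page_token), headers)
        if status != 200:
            # Fail closed: a 403 (missing scope) or 5xx must not silently
            # turn into "no admin groups" and neither into "admin".
            raise RuntimeError(f"Cloud Identity lookup failed with HTTP {status}")
        for membership in body.get("memberships", []):
            group_id = membership.get("groupKey", {}).get("id")
            if group_id:
                groups.add(group_id.lower())
        page_token = body.get("nextPageToken")
        if not page_token:
            break
    return groups


def determine_role(groups: Set[str], admin_roles, default_role: str = "user") -> str:
    """Grant admin only if one of the user's groups is listed in OAUTH_ADMIN_ROLES."""
    admin = {g.strip().lower() for g in admin_roles if g.strip()}
    return "admin" if groups & admin else default_role


# Constructed offline stand-in for the API: two pages, second reached via pageToken.
CONSTRUCTED_PAGES = {
    None: (200, {"memberships": [{"groupKey": {"id": "ml-users@example.com"}}],
                 "nextPageToken": "p2"}),
    "p2": (200, {"memberships": [{"groupKey": {"id": "WebUI-Admins@example.com"}}]}),
}


def fake_http_get(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {}
    token = url.split("pageToken=", 1)[1] if "pageToken=" in url else None
    return CONSTRUCTED_PAGES[token]


def demo() -> str:
    groups = fetch_user_groups("alice@example.com", "constructed-access-token", fake_http_get)
    return determine_role(groups, ["webui-admins@example.com"])


if __name__ == "__main__":
    print(build_search_url("alice@example.com"))
    print(demo())
```

In a real deployment the `http_get` callable would wrap the project's HTTP client with a timeout, and the access token would be the one returned by the Google OAuth callback; if that token was minted without the `cloud-identity.groups.readonly` scope the API returns 403 and the lookup above raises instead of assigning a role.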

GiteaMirror added the pull-request label 2026-05-06 06:46:10 -05:00

Reference: github-starred/open-webui#62562