[PR #19685] [MERGED] fix: Default Group ID assignment on SSO/OAUTH and LDAP #64164

Closed
opened 2026-05-06 09:31:41 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/19685
Author: @Classic298
Created: 12/2/2025
Status: Merged
Merged: 12/2/2025
Merged by: @tjbck

Base: devHead: patch-3


📝 Commits (10+)

📊 Changes

3 files changed (+49 additions, -6 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+18 -5)
backend/open_webui/utils/groups.py (+24 -0)
📝 backend/open_webui/utils/oauth.py (+7 -1)

📄 Description

  • Target branch: Verify that the pull request targets the dev branch. Not targeting the dev branch will lead to immediate closure of the PR.
  • Description: Provide a concise description of the changes made in this pull request down below.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: If necessary, update relevant documentation Open WebUI Docs like environment variables, the tutorials, or other documentation sources.
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description.
  • Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • fix: Bug fix or error correction

Changelog Entry

Description

The DEFAULT_GROUP_ID admin setting (Admin Panel → Settings → General → Default Group) was only being applied to users who signed up via the email/password signup form. Users registering through OAuth/SSO (Azure AD, Google, GitHub, etc.), LDAP, or when manually created by an admin were not being added to the configured default group.

This fix ensures the default group setting is consistently applied across all user registration methods upon initial account creation.

Added

  • Default group assignment for OAuth/SSO users upon first registration
  • Default group assignment for LDAP users upon first registration
  • Default group assignment for users manually created by admins via the "Add User" endpoint
  • New utility function for default group assignment to eliminate code duplication

Changed

  • Refactored default group assignment logic into a single utility function to follow DRY principles
  • Default group is now only assigned during user creation, not re-applied during subsequent group synchronizations

Additional Information

Root Cause Analysis:

The original implementation only added default group assignment logic in the signup endpoint. The following registration flows were missing this logic:

Registration Method Status Before Status After
Email/Password Signup Working Working
OAuth/SSO Missing Fixed
LDAP Missing Fixed
Admin Add User Missing Fixed

Implementation Details:

  • Created a centralized utility function for default group assignment
  • Applied default group assignment at user creation in 4 locations: OAuth/SSO signup, LDAP creation, standard signup, and manual admin creation
  • Default group is assigned once at creation - subsequent group synchronization operations can modify group membership including removal from the default group if needed

Behavior:

The default group acts as an initial starting point for new users. After creation, group management systems have full control over group membership and may remove users from the default group during synchronization if it's not included in their external provider's group claims.

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/19685 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 12/2/2025 **Status:** ✅ Merged **Merged:** 12/2/2025 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `patch-3` --- ### 📝 Commits (10+) - [`d38aac2`](https://github.com/open-webui/open-webui/commit/d38aac215cc98bcb32e3bb702116bc0fe43bd0aa) fix (#99) - [`75dbcdd`](https://github.com/open-webui/open-webui/commit/75dbcdd47720ce52aba876c274a6db4b47d97cb9) Update auths.py - [`c33835c`](https://github.com/open-webui/open-webui/commit/c33835cf6d1db1a30378e9ba35e325e6af7e3ebe) unified logic - [`0b0a8bb`](https://github.com/open-webui/open-webui/commit/0b0a8bb0fea6dad0b8e3eb180400f274086e6764) PUSH - [`95540b1`](https://github.com/open-webui/open-webui/commit/95540b1c5bf74058e7674def4d207ed9aa2792e3) remove getattr - [`fc6c912`](https://github.com/open-webui/open-webui/commit/fc6c91230d6a96e0bd31915b7b3673fb41cdb948) rem getattr - [`9345783`](https://github.com/open-webui/open-webui/commit/93457835bd893aa04da475712378d4f9cb25c9ec) whitespace - [`ea6ad5e`](https://github.com/open-webui/open-webui/commit/ea6ad5ec38fbab2b2137696f236986b5023d50da) Update oauth.py - [`1597c9c`](https://github.com/open-webui/open-webui/commit/1597c9cbba2aa37a11dc078640f282a71e011e60) trusted header group sync - [`26f1666`](https://github.com/open-webui/open-webui/commit/26f1666518318d190ee53c6dc6934a691086287a) not apply after syncs ### 📊 Changes **3 files changed** (+49 additions, -6 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+18 -5) ➕ `backend/open_webui/utils/groups.py` (+24 -0) 📝 `backend/open_webui/utils/oauth.py` (+7 -1) </details> ### 📄 Description - [x] **Target branch:** Verify that the pull request targets the `dev` branch. **Not targeting the `dev` branch will lead to immediate closure of the PR.** - [x] **Description:** Provide a concise description of the changes made in this pull request down below. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [x] **Documentation:** If necessary, update relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs) like environment variables, the tutorials, or other documentation sources. - [X] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [ ] **Testing:** Perform manual tests to **verify the implemented fix/feature works as intended AND does not break any other functionality**. Take this as an opportunity to **make screenshots of the feature/fix and include it in the PR description**. - [x] **Agentic AI Code:** Confirm this Pull Request is **not written by any AI Agent** or has at least **gone through additional human review AND manual testing**. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR. - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Title Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **fix**: Bug fix or error correction --- # Changelog Entry ### Description The DEFAULT_GROUP_ID admin setting (Admin Panel → Settings → General → Default Group) was only being applied to users who signed up via the email/password signup form. Users registering through OAuth/SSO (Azure AD, Google, GitHub, etc.), LDAP, or when manually created by an admin were not being added to the configured default group. This fix ensures the default group setting is consistently applied across all user registration methods upon initial account creation. ### Added - Default group assignment for OAuth/SSO users upon first registration - Default group assignment for LDAP users upon first registration - Default group assignment for users manually created by admins via the "Add User" endpoint - New utility function for default group assignment to eliminate code duplication ### Changed - Refactored default group assignment logic into a single utility function to follow DRY principles - Default group is now only assigned during user creation, not re-applied during subsequent group synchronizations --- ### Additional Information Root Cause Analysis: The original implementation only added default group assignment logic in the signup endpoint. The following registration flows were missing this logic: | Registration Method | Status Before | Status After | |---------------------|---------------|--------------| | Email/Password Signup | Working | Working | | OAuth/SSO | Missing | Fixed | | LDAP | Missing | Fixed | | Admin Add User | Missing | Fixed | **Implementation Details:** - Created a centralized utility function for default group assignment - Applied default group assignment at user creation in 4 locations: OAuth/SSO signup, LDAP creation, standard signup, and manual admin creation - Default group is assigned once at creation - subsequent group synchronization operations can modify group membership including removal from the default group if needed Behavior: The default group acts as an initial starting point for new users. After creation, group management systems have full control over group membership and may remove users from the default group during synchronization if it's not included in their external provider's group claims. ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 09:31:41 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#64164