github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #20138] [CLOSED] fix: resolve MCP OAuth 2.1 token refresh failure after access token expiration #64335

New Issue
Closed
opened 2026-05-06 09:51:13 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-05-06 09:51:13 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/20138
Author: @imsamurai
Created: 12/23/2025
Status: Closed

Base: devHead: dev

📝 Commits (1)

  • ac7f87c Fix mcp oauth token refresh

📊 Changes

1 file changed (+4 additions, -4 deletions)

View changed files

📝 backend/open_webui/utils/oauth.py (+4 -4)

📄 Description

Description

This pull request fixes an OAuth 2.1 token refresh issue for MCP integrations in Open WebUI.

When an MCP access token expires, Open WebUI fails to refresh it due to an incorrect client resolution inside the OpenID metadata lookup logic. This results in an exception during token refresh and prevents MCP usage in chat after token expiration.

The issue was caused by outdated logic in get_server_metadata_url, which attempted to resolve OpenID configuration without using the proper client retrieval mechanism.

This PR updates the implementation to consistently use get_client when resolving the OpenID metadata URL, ensuring the correct client configuration is used during token refresh.

How to Reproduce

  1. Add an MCP integration configured with OAuth 2.1 and complete registration
  2. Authorize the MCP integration
  3. Wait until the access token expires
  4. Attempt to add or use the MCP in chat

Observed Error

ERROR | open_webui.utils.oauth:_perform_token_refresh:764 - Exception during token refresh for client_id mcp:mcp_name: Constructor parameter should be str
ERROR | open_webui.utils.oauth:_refresh_token:669 - Failed to refresh token for session xxx

Root Cause

Before performing a token refresh, Open WebUI resolves the OpenID configuration URL to determine the refresh endpoint.

The function get_server_metadata_url used outdated logic and did not retrieve the OAuth client in the same way as the rest of the OAuth flow. This caused an invalid client configuration to be used, leading to a runtime exception during token refresh.

Solution

  • Updated get_server_metadata_url to retrieve the OAuth client via get_client
  • Ensured consistent and correct client resolution for OpenID metadata lookup
  • Prevented invalid constructor parameters during token refresh

Manual Testing

After applying the fix:

  • Token refresh is triggered correctly after access token expiration
  • MCP can be added and used in chat without errors

Result

Successfully refreshed token for session

Changelog Entry

Description

Fix OAuth 2.1 token refresh failure for MCP integrations caused by incorrect OpenID client resolution.

Fixed

  • Fixed exception during MCP OAuth token refresh after access token expiration
  • Restored ability to use MCP integrations in chat after token expiry

Additional Information

  • Affects MCP integrations using OAuth 2.1
  • No new dependencies introduced
  • No documentation changes required

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/20138 **Author:** [@imsamurai](https://github.com/imsamurai) **Created:** 12/23/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `dev` --- ### 📝 Commits (1) - [`ac7f87c`](https://github.com/open-webui/open-webui/commit/ac7f87c4765c88245e1a5a440f1da8f0f59c785a) Fix mcp oauth token refresh ### 📊 Changes **1 file changed** (+4 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/oauth.py` (+4 -4) </details> ### 📄 Description ## Description This pull request fixes an OAuth 2.1 token refresh issue for MCP integrations in Open WebUI. When an MCP access token expires, Open WebUI fails to refresh it due to an incorrect client resolution inside the OpenID metadata lookup logic. This results in an exception during token refresh and prevents MCP usage in chat after token expiration. The issue was caused by outdated logic in `get_server_metadata_url`, which attempted to resolve OpenID configuration without using the proper client retrieval mechanism. This PR updates the implementation to consistently use `get_client` when resolving the OpenID metadata URL, ensuring the correct client configuration is used during token refresh. --- ## How to Reproduce 1. Add an MCP integration configured with OAuth 2.1 and complete registration 2. Authorize the MCP integration 3. Wait until the access token expires 4. Attempt to add or use the MCP in chat ### Observed Error ``` ERROR | open_webui.utils.oauth:_perform_token_refresh:764 - Exception during token refresh for client_id mcp:mcp_name: Constructor parameter should be str ERROR | open_webui.utils.oauth:_refresh_token:669 - Failed to refresh token for session xxx ``` --- ## Root Cause Before performing a token refresh, Open WebUI resolves the OpenID configuration URL to determine the refresh endpoint. The function `get_server_metadata_url` used outdated logic and did not retrieve the OAuth client in the same way as the rest of the OAuth flow. This caused an invalid client configuration to be used, leading to a runtime exception during token refresh. --- ## Solution * Updated `get_server_metadata_url` to retrieve the OAuth client via `get_client` * Ensured consistent and correct client resolution for OpenID metadata lookup * Prevented invalid constructor parameters during token refresh --- ## Manual Testing After applying the fix: * Token refresh is triggered correctly after access token expiration * MCP can be added and used in chat without errors ### Result ``` Successfully refreshed token for session ``` --- # Changelog Entry ### Description Fix OAuth 2.1 token refresh failure for MCP integrations caused by incorrect OpenID client resolution. ### Fixed * Fixed exception during MCP OAuth token refresh after access token expiration * Restored ability to use MCP integrations in chat after token expiry --- ### Additional Information * Affects MCP integrations using OAuth 2.1 * No new dependencies introduced * No documentation changes required --- ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 09:51:13 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#64335
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?