issue: OAuth token after some time missing in tool calls #6478

New Issue

GiteaMirror · 2025-11-11T16:56:27-06:00

GiteaMirror commented

2025-11-11 16:56:27 -06:00

Originally created by @koflerm on GitHub (Sep 23, 2025).

Check Existing Issues

I have searched for any existing and/or related issues.
I have searched for any existing and/or related discussions.
I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

v0.6.30

Ollama Version (if applicable)

No response

Operating System

Red Hat CoreOS (Kubernetes Cluster Installation)

Browser (if applicable)

No response

Confirmation

I have read and followed all instructions in README.md.
I am using the latest version of both Open WebUI and Ollama.
I have included the browser console logs.
I have included the Docker container logs.
I have provided every relevant configuration, setting, and environment variable used in my setup.
I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
Start with the initial platform/version/OS and dependencies used,
Specify exact install/launch/configure commands,
List URLs visited, user input (incl. example values/emails/passwords if needed),
Describe all options and toggles enabled or changed,
Include any files or environmental changes,
Identify the expected and actual result at each stage,
Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The oauth token should be always provided by the new tool call parameter __oauth_token__. If the token is expired, the token should either be refreshed or the user should be logged out.

Actual Behavior

We are using the following code in a test tool to print the OAuth token, provided via a parameter in the new Open WebUI version:

def get_oauth_token(
        self, __user__: dict = {}, __oauth_token__: Optional[dict] = None
    ) -> str:
        """
        Return the current user's oauth token
        """

        print(__oauth_token__["access_token"])

However, after the user is logged in for some time, this parameter is no longer set. I get then the following error:

'NoneType' object is not subscriptable

So it seems after some time the session for the user is lost, but the user is then not automatically logged out or the token is not refreshed.

Any idea what could be wrong here?

Steps to Reproduce

Import the following tool in your Open WebUI instance:

def get_oauth_token(
        self, __user__: dict = {}, __oauth_token__: Optional[dict] = None
    ) -> str:
        """
        Return the current user's oauth token
        """

        print(__oauth_token__["access_token"])

After direct login, the variable will be set.

If you try to re-execute the tool after some hours, the parameter will no longer be set (NoneType)

Logs & Screenshots

When querying the logs, I found at a different point in time (not when using the described tool) the following log messages:

/app/backend/open_webui/main.py:1478: RuntimeWarning: coroutine 'OAuthManager._refresh_token' was never awaited
form_data, metadata, events = await process_chat_payload(
RuntimeWarning: Enable tracemalloc to get the object allocation traceback

When a user is performing a login, the following logs are written:

2025-09-23 07:52:44.420 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/.well-known/openid-configuration "HTTP/1.1 200 OK"
2025-09-23 07:52:44.456 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/login HTTP/1.1" 302
2025-09-23 07:52:45.771 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https://sso.example.com/as/token.oauth2 "HTTP/1.1 200 OK"
2025-09-23 07:52:45.865 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/pf/JWKS "HTTP/1.1 200 OK"
2025-09-23 07:52:45.892 | INFO | open_webui.utils.oauth:handle_callback:853 - Stored OAuth session server-side for user 34a363e7-3629-4ace-aeb3-101812fc9ccc, provider oidc
2025-09-23 07:52:45.893 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/callback?code=uzKujWQgms7F1jFqdp2aS44jUtJn3Q4tW-w5DIFa&state=UPVQmqvUFExoYxmQR31KaC7eKZRU0h HTTP/1.1" 307
2025-09-23 07:52:46.021 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /manifest.json HTTP/1.1" 200

Additional Information

No response

Originally created by @koflerm on GitHub (Sep 23, 2025). ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Other ### Open WebUI Version v0.6.30 ### Ollama Version (if applicable) _No response_ ### Operating System Red Hat CoreOS (Kubernetes Cluster Installation) ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior The oauth token should be always provided by the new tool call parameter `__oauth_token__`. If the token is expired, the token should either be refreshed or the user should be logged out. ### Actual Behavior We are using the following code in a test tool to print the OAuth token, provided via a parameter in the new Open WebUI version: ``` def get_oauth_token( self, __user__: dict = {}, __oauth_token__: Optional[dict] = None ) -> str: """ Return the current user's oauth token """ print(__oauth_token__["access_token"]) ``` However, after the user is logged in for some time, this parameter is no longer set. I get then the following error: `'NoneType' object is not subscriptable` So it seems after some time the session for the user is lost, but the user is then not automatically logged out or the token is not refreshed. Any idea what could be wrong here? ### Steps to Reproduce Import the following tool in your Open WebUI instance: ``` def get_oauth_token( self, __user__: dict = {}, __oauth_token__: Optional[dict] = None ) -> str: """ Return the current user's oauth token """ print(__oauth_token__["access_token"]) ``` After direct login, the variable will be set. If you try to re-execute the tool after some hours, the parameter will no longer be set (NoneType) ### Logs & Screenshots When querying the logs, I found at a different point in time (not when using the described tool) the following log messages: ``` /app/backend/open_webui/main.py:1478: RuntimeWarning: coroutine 'OAuthManager._refresh_token' was never awaited form_data, metadata, events = await process_chat_payload( RuntimeWarning: Enable tracemalloc to get the object allocation traceback ``` When a user is performing a login, the following logs are written: ``` 2025-09-23 07:52:44.420 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/.well-known/openid-configuration "HTTP/1.1 200 OK" 2025-09-23 07:52:44.456 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/login HTTP/1.1" 302 2025-09-23 07:52:45.771 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: POST https://sso.example.com/as/token.oauth2 "HTTP/1.1 200 OK" 2025-09-23 07:52:45.865 | INFO | httpx._client:_send_single_request:1740 - HTTP Request: GET https://sso.example.com/pf/JWKS "HTTP/1.1 200 OK" 2025-09-23 07:52:45.892 | INFO | open_webui.utils.oauth:handle_callback:853 - Stored OAuth session server-side for user 34a363e7-3629-4ace-aeb3-101812fc9ccc, provider oidc 2025-09-23 07:52:45.893 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /oauth/oidc/callback?code=uzKujWQgms7F1jFqdp2aS44jUtJn3Q4tW-w5DIFa&state=UPVQmqvUFExoYxmQR31KaC7eKZRU0h HTTP/1.1" 307 2025-09-23 07:52:46.021 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.161.6.196:0 - "GET /manifest.json HTTP/1.1" 200 ``` ### Additional Information _No response_

GiteaMirror added the bug label 2025-11-11 16:56:27 -06:00

GiteaMirror closed this issue

2025-11-11 16:56:28 -06:00

GiteaMirror commented

2025-11-11 16:56:29 -06:00

@tjbck commented on GitHub (Sep 23, 2025):

This has been addressed in dev, please check for duplicate issues.

@tjbck commented on GitHub (Sep 23, 2025): This has been addressed in dev, please check for duplicate issues.

GiteaMirror commented

2025-11-11 16:56:29 -06:00

@koflerm commented on GitHub (Oct 6, 2025):

All right sorry oversaw this one thanks for the fast response as always!