issue: Exception during token refresh for provider oidc: Constructor parameter should be str #6522

Closed
opened 2025-11-11 16:58:24 -06:00 by GiteaMirror · 14 comments

Originally created by @davidshen84 on GitHub (Sep 27, 2025).

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.31

Ollama Version (if applicable)

No response

Operating System

Linux+k3s

Browser (if applicable)

Chrome

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

There are repetitive errors and warnings related to OAuth; however, I was able to log in and use the app using OAuth authentication.

Actual Behavior

Repetitive messages like the following.

Steps to Reproduce

Set up the openweb-ui container with OAuth support using OIDC.

    # oauth
    - name: WEBUI_URL
      value: https://openwebui.xyz.duckdns.org
    - name: ENABLE_OAUTH_PERSISTENT_CONFIG
      value: 'false'
    - name: ENABLE_OAUTH_SIGNUP
      value: 'true'
    - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
      value: 'true'
    - name: OAUTH_SESSION_TOKEN_ENCRYPTION_KEY
      valueFrom:
        secretKeyRef:
          name: openwebui-oauth-secrets
          key: sessionTokenEncryptionKey
    - name: OAUTH_CLIENT_ID
      value: duck
    - name: OAUTH_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: openwebui-oauth-secrets
          key: clientSecret
    - name: OPENID_PROVIDER_URL
      value: https://xyz.cloud-iam.com/auth/realms/duck/.well-known/openid-configuration
    - name: OPENID_REDIRECT_URI
      value: https://openwebui.xyz.duckdns.org/oauth/oidc/callback
    - name: ENABLE_OAUTH_ROLE_MANAGEMENT
      value: 'true'
    - name: OAUTH_ROLES_CLAIM
      value: resource_access.duck.roles
    - name: OAUTH_ALLOWED_ROLES
      value: user
    - name: OAUTH_ADMIN_ROLES
      value: admin
    # end oauth

Logs & Screenshots

open-webui 2025-09-27 22:59:51.936 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str
open-webui 2025-09-27 22:59:51.936 | ERROR    | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 22:59:51.936 | WARNING  | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 22:59:58.168 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session d73df636-2da3-4593-b849-f65db28a59cd

Additional Information

I don't fully understand how to use the ENABLE_OAUTH_PERSISTENT_CONFIG settings, so I set it to false.

I wonder if the error is related to the value in OAUTH_SESSION_TOKEN_ENCRYPTION_KEY. The key value is not some random string. It is a Fernet (https://github.com/open-webui/open-webui/blob/598282cf75de358215d045c617e70d28bc48929e/backend/open_webui/models/oauth_sessions.py#L76) encryption key, but there's no mention of it in the document. I wonder if there are other hidden requirements of this key or other related settings that I didn't set correctly.

GiteaMirror added the bug label 2025-11-11 16:58:24 -06:00

@tjbck commented on GitHub (Sep 28, 2025):

Do you have WEBUI_SECRET_KEY set?

@davidshen84 commented on GitHub (Sep 28, 2025):

No. I think the doc says if I set OAUTH_SESSION_TOKEN_ENCRYPTION_KEY, I
don't need to set the web secret key. Also, the log says it generated one
on startup.

If I set the web secret key, do I need to reset the database?

@Classic298 commented on GitHub (Sep 28, 2025):

@davidshen84
incorrect, the docs say that OAUTH_SESSION_TOKEN_ENCRYPTION_KEY defaults back to WEBUI_SECRET_KEY

It does not say you don't need to set the WEBUI_SECRET_KEY
In fact, the SSO tutorial page specifically says that WEBUI_SECRET_KEY is required.

@Classic298 commented on GitHub (Sep 28, 2025):

Correction: The SSO Troubleshooting Tutorial says it, not the normal one. Updating the docs rn!

But the troubleshooting tutorial should have been conducted first before opening an issue

@davidshen84 commented on GitHub (Sep 28, 2025):

Ok, thanks for the clarification.

@davidshen84 commented on GitHub (Sep 29, 2025):

I have set both WEBUI_SECRET_KEY and OAUTH_SESSION_TOKEN_ENCRYPTION_KEY to the same value and still get this Error. The site still seems to be functional.

Perhaps it's related to my OIDC provider? I am using cloud-iam.com, which uses KeyCloak for its service.

open-webui INFO  [alembic.runtime.migration] Context impl PostgresqlImpl.
open-webui INFO  [alembic.runtime.migration] Will assume transactional DDL.
open-webui WARNI [open_webui.env] 
open-webui 
open-webui WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.
open-webui 
open-webui 
open-webui  ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
open-webui ██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
open-webui ██║   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
open-webui ██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║
open-webui ╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
open-webui  ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝
open-webui 
open-webui 
open-webui v0.6.31 - building the best AI user interface.
open-webui 
open-webui https://github.com/open-webui/open-webui
open-webui 
open-webui INFO:     Started server process [1]
open-webui INFO:     Waiting for application startup.
open-webui 2025-09-29 01:37:45.838 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18
stream closed EOF for llm-stack/open-webui-0 (copy-app-data)
open-webui 2025-09-29 01:37:48.318 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18
open-webui 2025-09-29 01:38:25.617 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str
open-webui 2025-09-29 01:38:25.617 | ERROR    | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session e054c838-ad49-4dcf-a9bd-f45851529e5a
open-webui 2025-09-29 01:38:25.617 | WARNING  | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session e054c838-ad49-4dcf-a9bd-f45851529e5a
open-webui 2025-09-29 01:38:28.044 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session e054c838-ad49-4dcf-a9bd-f45851529e5a

@tjbck commented on GitHub (Sep 30, 2025):

We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?

@davidshen84 commented on GitHub (Sep 30, 2025):

I enabled the global debugging log, but I don't find anything useful.
Here's the full container log https://0x0.st/KBRE.log.

Is there any particular log or configuration setting you are looking for?

Also, I found the error did not occur right after I logged in, but after I
started a new chat session. The error log only occurred once, but the
warning log repeated.

Thanks
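
The pattern described above (one error, then a repeating warning) can be traced per session from the container log. This is an added example, not part of the original thread or of Open WebUI: it matches on message text because the source line numbers in the logs differ between builds, and the sample lines are copied from this issue except the one marked constructed.

```python
import re

SAMPLE_LOG = """\
open-webui 2025-09-27 22:59:51.936 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:786 - Exception during token refresh for provider oidc: Constructor parameter should be str
open-webui 2025-09-27 22:59:51.936 | ERROR    | open_webui.utils.oauth:_refresh_token:691 - Failed to refresh token for session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 22:59:51.936 | WARNING  | open_webui.utils.oauth:get_oauth_token:657 - Token refresh failed for user 4be9e804-6278-481a-9793-cbe17fac2a2f, provider oidc, deleting session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 22:59:58.168 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-27 23:00:04.000 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session d73df636-2da3-4593-b849-f65db28a59cd
open-webui 2025-09-29 01:37:45.838 | WARNING  | open_webui.utils.oauth:get_oauth_token:642 - No OAuth session found for user 4be9e804-6278-481a-9793-cbe17fac2a2f, session 2fe1a28a-81a6-467e-9d52-dc59ecab8e18
"""
# The 23:00:04.000 line is constructed (a repeat of the warning); the rest are from the issue.

# "<timestamp> | LEVEL | module:function:line - message"; any prefix before it is ignored.
LINE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \| (?P<level>\w+)\s*\| "
    r"(?P<src>[\w.]+):(?P<func>\w+):(?P<lineno>\d+) - (?P<msg>.*)$"
)
EXC = re.compile(r"Exception during token refresh for provider ([\w-]+): (.+)")
FAIL = re.compile(r"Failed to refresh token for session ([\w-]+)")
DEL = re.compile(r"Token refresh failed for user ([\w-]+), provider ([\w-]+), deleting session ([\w-]+)")
MISS = re.compile(r"No OAuth session found for user ([\w-]+), session ([\w-]+)")


def correlate(log_text):
    """Group OAuth refresh events by session id, in order of first appearance."""
    sessions = {}
    pending_reason = None  # exception text waiting for the line that names the session

    def entry(session_id):
        return sessions.setdefault(session_id, {
            "user": None, "provider": None, "refresh_error": None,
            "deleted_at": None, "misses_after_delete": 0, "misses_unexplained": 0,
        })

    for raw in log_text.splitlines():
        line = LINE.search(raw)
        if line is None:
            continue  # banner, alembic and other lines in a different format
        msg = line.group("msg")
        exc, fail, gone, miss = (p.match(msg) for p in (EXC, FAIL, DEL, MISS))
        if exc:
            # The exception line carries no session id; the next failure line does.
            pending_reason = exc.group(2)
        elif fail:
            entry(fail.group(1))["refresh_error"] = pending_reason or "unknown"
            pending_reason = None
        elif gone:
            rec = entry(gone.group(3))
            rec.update(user=gone.group(1), provider=gone.group(2),
                       deleted_at=line.group("ts"))
        elif miss:
            rec = entry(miss.group(2))
            rec["user"] = miss.group(1)
            # A miss with no deletion in this log means the deletion happened
            # earlier (for example before a restart) or was never logged.
            key = "misses_after_delete" if rec["deleted_at"] else "misses_unexplained"
            rec[key] += 1
    return sessions


def sessions_deleted_by_exception(sessions):
    """Session ids that were deleted after a refresh attempt raised an exception."""
    return [sid for sid, rec in sessions.items()
            if rec["refresh_error"] and rec["deleted_at"]]


if __name__ == "__main__":
    for sid, rec in correlate(SAMPLE_LOG).items():
        print(sid, rec)
```

Alerting on the single ERROR line rather than on the repeated warning gives one event per affected session.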

@gvo commented on GitHub (Oct 1, 2025):

> We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?

My provider is Microsoft.

The typo mentioned in https://github.com/open-webui/open-webui/issues/17585 - fixed in 0.6.32 - was intended to call get_server_metadata_url.

Per my tests with 0.6.32, get_server_metadata_url() is returning None which throws the error during _perform_token_refresh. Same error as the OP. My provider is microsoft.

2025-10-01T18:13:32.4657963Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:get_oauth_token:666 - Token refresh needed for user 53c23607-bd0f-4e5d-ac78-19fe7e84c3f9, provider microsoft
2025-10-01T18:13:32.4658559Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:727 - REFRESH_DEBUG: Session provider: microsoft (type: str)
2025-10-01T18:13:32.4658873Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:728 - REFRESH_DEBUG: Token data type: dict
2025-10-01T18:13:32.4658919Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:739 - REFRESH_DEBUG: Client: <authlib.integrations.starlette_client.apps.StarletteOAuth2App object at 0x7ed3283cbe90>, client_id: 093db6c9-xxxx-xxxx-xxxx-569c81e8b46b (type: str)
2025-10-01T18:13:32.4663653Z 2025-10-01 18:13:32.465 | DEBUG    | open_webui.utils.oauth:_perform_token_refresh:742 - REFRESH_DEBUG: Server metadata URL: None (type: NoneType)
2025-10-01T18:13:32.4737630Z 2025-10-01 18:13:32.473 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:830 - Exception during token refresh for provider microsoft: Constructor parameter should be str

I know this works instead of calling get_server_metadata_url - perhaps it may be of some use.

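    # Fragment from inside an async function; client, provider and log come from the surrounding code.
    token_endpoint = None
    try:
        # Read the token endpoint from the client's loaded server metadata.
        metadata = await client.load_server_metadata()
        if metadata:
            token_endpoint = metadata.get("token_endpoint")
            if token_endpoint:
                log.debug(f"Retrieved token endpoint for provider {provider}: {token_endpoint}")
    except Exception as e:
        log.error(f"Failed to load server metadata for provider {provider}: {e}")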

Maybe an issue with specific providers?

@tjbck commented on GitHub (Oct 1, 2025):

e493562735089462ad6cc30060778eb79ed302a6 may have addressed this issue in dev, testing wanted here!

@brainboutique commented on GitHub (Oct 3, 2025):

> We're unable to reproduce here, are you able to provide any other relevant logs to help with troubleshooting?

Same issue here.

open_webui.utils.oauth:get_oauth_token:654 - No OAuth session found for user xxx, session yy

but only after some time (I suspect after access token expiry). I do NOT have any log entries from
open_webui.utils.oauth:_perform_token_refresh

Yes, secret keys are set. Will keep monitoring and try the fix mentioned above.

@BrysonCrookDrewlo commented on GitHub (Oct 3, 2025):

Issue Report:
This issue still seems to be persisting. I’m currently running the latest dev build. However, when my token is close to expiring and I trigger a tool that relies on it, the refresh process fails with the following errors:

2025-10-03 17:21:44.357 | ERROR    | open_webui.utils.oauth:_perform_token_refresh:804 - Exception during token refresh for provider microsoft: Constructor parameter should be str
2025-10-03 17:21:44.357 | ERROR    | open_webui.utils.oauth:_refresh_token:709 - Failed to refresh token for session 5657803b-8f5c-4b84-9f0f-af4ed2df5b8e

My OAuth provider is Microsoft.
I have all required environment variables set.

@jshelman commented on GitHub (Oct 6, 2025):

I was having exact same issue and errors in the log using Microsoft provider as well.

The issue appears to be that

self.get_server_metadata_url(client_id) returns None?, and throws this exception at

https://github.com/open-webui/open-webui/blob/08f8713ee1c290491f4e6584ec36e022fcfecd34/backend/open_webui/utils/oauth.py#L477C15-L479C24

I haven't dug into root cause of that yet, but hard coding it to 'https://login.microsoftonline.com/{mytenantid}/v2.0/.well-known/openid-configuration' resolves the issue.

maybe this should be getting it from OPENID_PROVIDER_URL, but isn't?
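
Both reports above (a metadata URL that comes back as None, and the load_server_metadata() workaround) come down to using a value as a URL without checking it. This is an added example, not Open WebUI code: TokenEndpointError, require_https_url, resolve_token_endpoint and StubClient are hypothetical names, and the stub only models the load_server_metadata() call shown in the thread. It also refuses non-https endpoints, since the refresh token is posted there.

```python
import asyncio
from urllib.parse import urlsplit


class TokenEndpointError(RuntimeError):
    """No usable token endpoint could be resolved from local configuration."""


def require_https_url(value, what):
    """Return value if it is an absolute https URL, else raise TokenEndpointError."""
    if not isinstance(value, str):
        # Covers the case in this issue: None where a URL string was expected.
        raise TokenEndpointError(
            f"{what} is {type(value).__name__}, expected a URL string")
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        # The refresh token is sent to this URL, so plain http is refused.
        raise TokenEndpointError(f"{what} is not an absolute https URL: {value!r}")
    return value


async def resolve_token_endpoint(client, provider):
    """Resolve the token endpoint from the client's own discovery metadata."""
    try:
        metadata = await client.load_server_metadata()
    except Exception as exc:
        raise TokenEndpointError(
            f"metadata load failed for provider {provider}: {exc}") from exc
    endpoint = metadata.get("token_endpoint") if metadata else None
    return require_https_url(endpoint, f"token_endpoint for provider {provider}")


class StubClient:
    """Constructed stand-in for the OAuth client used in the thread."""

    def __init__(self, metadata=None, error=None):
        self._metadata = metadata
        self._error = error

    async def load_server_metadata(self):
        if self._error is not None:
            raise self._error
        return self._metadata


def try_resolve(client, provider):
    """Run the resolver to completion and return (endpoint, error_message)."""
    try:
        return asyncio.run(resolve_token_endpoint(client, provider)), None
    except TokenEndpointError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # All metadata below is constructed sample data.
    cases = {
        "good": StubClient({"token_endpoint": "https://idp.example.test/oauth2/token"}),
        "no metadata": StubClient(None),
        "plain http": StubClient({"token_endpoint": "http://idp.example.test/token"}),
        "load error": StubClient(error=OSError("dns failure")),
    }
    for name, client in cases.items():
        print(name, try_resolve(client, "microsoft"))
```

A failure here names the provider and the missing value in the log, which the generic "Constructor parameter should be str" message does not.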

@tjbck commented on GitHub (Oct 23, 2025):

I believe this issue has been resolved, please flag again if the issue persists!

Reference: github-starred/open-webui#6522