[PR #22071] [CLOSED] feat: add OAUTH_LOGOUT_URI for custom OAuth logout endpoints #65317

New Issue

Closed

opened 2026-05-06 11:06:17 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-06 11:06:17 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22071
Author: @Br1an67
Created: 3/1/2026
Status: ❌ Closed

Base: dev ← Head: feat/oauth-logout-uri

---

📝 Commits (1)

• c5d0209 feat: add OAUTH_LOGOUT_URI for custom OAuth logout endpoints

📊 Changes

2 files changed (+18 additions, -1 deletions)

View changed files

📝 backend/open_webui/config.py (+7 -1)
📝 backend/open_webui/routers/auths.py (+11 -0)

📄 Description

Pull Request Checklist

• Target branch: dev
• Description: See below
• Changelog: See below
• Testing: Manually verified that the new config variable is picked up and the signout handler correctly redirects when OAUTH_LOGOUT_URI is set
• Agentic AI Code: This PR has been reviewed and tested by a human
• Code review: Self-reviewed
• Git Hygiene: Single atomic commit

Changelog Entry

Description

Add a new OAUTH_LOGOUT_URI environment variable that allows specifying a full custom logout URI for OAuth providers that do not support the standard OIDC end_session_endpoint discovery (e.g. AWS Cognito).

Closes #19182

Added

• OAUTH_LOGOUT_URI PersistentConfig in config.py — accepts a full custom logout URL via environment variable
• Early return in the /signout handler: when OAUTH_LOGOUT_URI is set and an OAuth session exists, redirect to it directly instead of attempting OIDC discovery

Changed

• Startup warning now also checks OAUTH_LOGOUT_URI — the "logout will not work" warning is suppressed when either OPENID_PROVIDER_URL or OAUTH_LOGOUT_URI is configured

Fixed

• OAuth logout for providers like AWS Cognito that use a custom logout endpoint with different parameters (e.g. client_id + logout_uri) instead of the standard OIDC end_session_endpoint with id_token_hint

---

Additional Information

• AWS Cognito requires a logout URL like https://<domain>/logout?client_id=<id>&logout_uri=<uri> — this cannot be discovered via OIDC metadata
• The new variable is fully opt-in: when unset (default ""), the existing OIDC discovery flow is used unchanged
• Only 2 files changed, 18 lines added

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22071 **Author:** [@Br1an67](https://github.com/Br1an67) **Created:** 3/1/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `feat/oauth-logout-uri` --- ### 📝 Commits (1) - [`c5d0209`](https://github.com/open-webui/open-webui/commit/c5d0209d412d817fc2459acbdf5f8e733a8652c3) feat: add OAUTH_LOGOUT_URI for custom OAuth logout endpoints ### 📊 Changes **2 files changed** (+18 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+7 -1) 📝 `backend/open_webui/routers/auths.py` (+11 -0) </details> ### 📄 Description ## Pull Request Checklist - [x] **Target branch:** `dev` - [x] **Description:** See below - [x] **Changelog:** See below - [x] **Testing:** Manually verified that the new config variable is picked up and the signout handler correctly redirects when `OAUTH_LOGOUT_URI` is set - [x] **Agentic AI Code:** This PR has been reviewed and tested by a human - [x] **Code review:** Self-reviewed - [x] **Git Hygiene:** Single atomic commit # Changelog Entry ### Description Add a new `OAUTH_LOGOUT_URI` environment variable that allows specifying a full custom logout URI for OAuth providers that do not support the standard OIDC `end_session_endpoint` discovery (e.g. AWS Cognito). Closes #19182 ### Added - `OAUTH_LOGOUT_URI` PersistentConfig in `config.py` — accepts a full custom logout URL via environment variable - Early return in the `/signout` handler: when `OAUTH_LOGOUT_URI` is set and an OAuth session exists, redirect to it directly instead of attempting OIDC discovery ### Changed - Startup warning now also checks `OAUTH_LOGOUT_URI` — the "logout will not work" warning is suppressed when either `OPENID_PROVIDER_URL` or `OAUTH_LOGOUT_URI` is configured ### Fixed - OAuth logout for providers like AWS Cognito that use a custom logout endpoint with different parameters (e.g. `client_id` + `logout_uri`) instead of the standard OIDC `end_session_endpoint` with `id_token_hint` --- ### Additional Information - AWS Cognito requires a logout URL like `https://<domain>/logout?client_id=<id>&logout_uri=<uri>` — this cannot be discovered via OIDC metadata - The new variable is fully opt-in: when unset (default `""`), the existing OIDC discovery flow is used unchanged - Only 2 files changed, 18 lines added ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-05-06 11:06:17 -05:00

GiteaMirror closed this issue 2026-05-06 11:06:19 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#65317