github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 19:38:46 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #22357] [CLOSED] fix: add support for scope in OAuth refresh token request #65484

New Issue
Closed
opened 2026-05-06 11:19:54 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-05-06 11:19:54 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22357
Author: @pedro-inf-custodio
Created: 3/7/2026
Status: Closed

Base: mainHead: fix/add-scope-refresh-token-oauth

📝 Commits (10+)

📊 Changes

118 files changed (+5248 additions, -824 deletions)

View changed files

📝 .github/pull_request_template.md (+3 -1)
📝 backend/open_webui/config.py (+1 -1)
📝 backend/open_webui/env.py (+10 -0)
📝 backend/open_webui/internal/db.py (+24 -5)
📝 backend/open_webui/main.py (+44 -38)
📝 backend/open_webui/models/functions.py (+22 -0)
📝 backend/open_webui/routers/retrieval.py (+27 -24)
📝 backend/open_webui/routers/skills.py (+1 -1)
📝 backend/open_webui/routers/tools.py (+1 -1)
📝 backend/open_webui/socket/main.py (+2 -0)
📝 backend/open_webui/utils/middleware.py (+34 -23)
📝 backend/open_webui/utils/models.py (+5 -1)
📝 backend/open_webui/utils/oauth.py (+12 -0)
📝 backend/open_webui/utils/telemetry/instrumentors.py (+2 -0)
📝 backend/open_webui/utils/telemetry/metrics.py (+2 -2)
📝 backend/requirements-min.txt (+1 -0)
📝 backend/requirements.txt (+2 -0)
📝 package-lock.json (+528 -3)
📝 package.json (+3 -0)
📝 src/lib/apis/terminal/index.ts (+101 -0)

...and 80 more files

📄 Description

Contributor License Agreement (CLA)

By submitting this pull request, I certify that I have the right to submit this code and that it complies with the project's licensing requirements.

Description

This PR fixes an issue where the refresh token request for Microsoft OAuth was failing with error AADSTS90009. Previously, the refresh payload only included the grant_type, refresh_token, client_id, and optionally client_secret.

Azure AD requires the scope (or resource) to be explicitly provided when refreshing a token. Without it, Azure interprets the request as “the application is requesting a token for itself,” which triggers the 400 error:

AADSTS90009: Application '[APPLICATION_ID]' is requesting a token for itself.

Changes

  • Added support for including a custom scope in the refresh token request.
  • The scope is read from the environment variable MICROSOFT_OAUTH_SCOPE.
  • Example format for the scope:
openid email profile offline_access api://<Application ID URI>/<custom_scope>
  • Updated _perform_token_refresh to include this scope when refreshing tokens.

Root Cause

  • Azure AD v2.0 requires explicit scopes in refresh token requests to determine which resource the new access token should target.
  • Omitting scope caused Azure to treat the request as self-targeted, resulting in AADSTS90009.
  • Including the custom scope resolves this and allows token refreshes to succeed.

Logs Before Fix

Token refresh failed for provider microsoft: 400 - {"error":"invalid_request","error_description":"AADSTS90009: Application '[APPLICATION_ID]' is requesting a token for itself."}

Logs After Fix

  • Refresh token requests now succeed, and new access tokens are issued without errors.

Environment Variables

  • MICROSOFT_OAUTH_SCOPE (required) – the custom scope for token requests.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22357 **Author:** [@pedro-inf-custodio](https://github.com/pedro-inf-custodio) **Created:** 3/7/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/add-scope-refresh-token-oauth` --- ### 📝 Commits (10+) - [`ca2aaf0`](https://github.com/open-webui/open-webui/commit/ca2aaf0321c219d041e92e2c0c842a4e424732ef) fix: ot terminal - [`a36692b`](https://github.com/open-webui/open-webui/commit/a36692b4a2e3ddc645d3c6419c13c9c4ceace76b) Merge pull request #22231 from ShirasawaSama/patch-10 - [`5af24b3`](https://github.com/open-webui/open-webui/commit/5af24b3ebe1587ef87792cba772d03e923d4f070) fix: Implement archive chat handler in Chat page navbar (#22229) - [`7d45459`](https://github.com/open-webui/open-webui/commit/7d45459a4784dd3a8e9e925820a8d0e349910103) fix: keep save button spinner inline (#22227) - [`ad27535`](https://github.com/open-webui/open-webui/commit/ad275351b6689ced7ea76a0b7f46dc18eaeb2ebe) i18n(fr-FR): complete French translation pass (#22200) - [`6e43861`](https://github.com/open-webui/open-webui/commit/6e43861c0c5f1df98adca9be7bc7d40df728d1cf) feat: prioritize in-group members in sorting (#22211) - [`890949a`](https://github.com/open-webui/open-webui/commit/890949abe6b01d201355a86c50317e20da07dd34) feat: add DOCX/XLSX/PPTX file preview - [`e08341d`](https://github.com/open-webui/open-webui/commit/e08341dab3bb10e26a64eb44cbebd2d507087b03) enh: ot ports - [`f962bae`](https://github.com/open-webui/open-webui/commit/f962bae98306ea9264967b78b803397f4821f9b0) feat: improve XLSX preview + add code syntax highlighting - [`627b063`](https://github.com/open-webui/open-webui/commit/627b063b88522a6346b72d83b3f221c756778c98) refac ### 📊 Changes **118 files changed** (+5248 additions, -824 deletions) <details> <summary>View changed files</summary> 📝 `.github/pull_request_template.md` (+3 -1) 📝 `backend/open_webui/config.py` (+1 -1) 📝 `backend/open_webui/env.py` (+10 -0) 📝 `backend/open_webui/internal/db.py` (+24 -5) 📝 `backend/open_webui/main.py` (+44 -38) 📝 `backend/open_webui/models/functions.py` (+22 -0) 📝 `backend/open_webui/routers/retrieval.py` (+27 -24) 📝 `backend/open_webui/routers/skills.py` (+1 -1) 📝 `backend/open_webui/routers/tools.py` (+1 -1) 📝 `backend/open_webui/socket/main.py` (+2 -0) 📝 `backend/open_webui/utils/middleware.py` (+34 -23) 📝 `backend/open_webui/utils/models.py` (+5 -1) 📝 `backend/open_webui/utils/oauth.py` (+12 -0) 📝 `backend/open_webui/utils/telemetry/instrumentors.py` (+2 -0) 📝 `backend/open_webui/utils/telemetry/metrics.py` (+2 -2) 📝 `backend/requirements-min.txt` (+1 -0) 📝 `backend/requirements.txt` (+2 -0) 📝 `package-lock.json` (+528 -3) 📝 `package.json` (+3 -0) 📝 `src/lib/apis/terminal/index.ts` (+101 -0) _...and 80 more files_ </details> ### 📄 Description # Contributor License Agreement (CLA) By submitting this pull request, I certify that I have the right to submit this code and that it complies with the project's licensing requirements. --- ## Description This PR fixes an issue where the refresh token request for Microsoft OAuth was failing with error `AADSTS90009`. Previously, the refresh payload only included the `grant_type`, `refresh_token`, `client_id`, and optionally `client_secret`. Azure AD requires the **scope (or resource)** to be explicitly provided when refreshing a token. Without it, Azure interprets the request as “the application is requesting a token for itself,” which triggers the 400 error: ``` AADSTS90009: Application '[APPLICATION_ID]' is requesting a token for itself. ``` ### Changes - Added support for including a **custom scope** in the refresh token request. - The scope is read from the environment variable `MICROSOFT_OAUTH_SCOPE`. - Example format for the scope: ``` openid email profile offline_access api://<Application ID URI>/<custom_scope> ``` - Updated `_perform_token_refresh` to include this scope when refreshing tokens. ### Root Cause - Azure AD v2.0 requires **explicit scopes** in refresh token requests to determine which resource the new access token should target. - Omitting `scope` caused Azure to treat the request as self-targeted, resulting in `AADSTS90009`. - Including the custom scope resolves this and allows token refreshes to succeed. ### Logs Before Fix ``` Token refresh failed for provider microsoft: 400 - {"error":"invalid_request","error_description":"AADSTS90009: Application '[APPLICATION_ID]' is requesting a token for itself."} ``` ### Logs After Fix - Refresh token requests now succeed, and new access tokens are issued without errors. ### Environment Variables - `MICROSOFT_OAUTH_SCOPE` (required) – the custom scope for token requests. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 11:19:54 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#65484
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?