issue: OAuth Credential Decryption Failure #6601

Closed
opened 2025-11-11 17:00:45 -06:00 by GiteaMirror · 0 comments

Originally created by @NeilMazumdar on GitHub (Oct 7, 2025).

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.32

Ollama Version (if applicable)

No response

Operating System

Host: Azure Web App (Linux-based container host), Container OS: Debian GNU/Linux 11 (bullseye)

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation.

Expected Behavior

Open WebUI should start successfully and be accessible via the web browser. If there are issues with OAuth credentials (such as a changed WEBUI_SECRET_KEY), the application should either:

  1. Handle the decryption failure gracefully with a warning/error message but continue to start
  2. Provide a clear error message indicating the encryption key mismatch
  3. Offer a recovery mechanism or startup flag to skip credential decryption

Actual Behavior

The application crashes during startup with a cryptography.fernet.InvalidToken exception, preventing the entire application from starting. This creates a complete service outage with no graceful degradation or recovery path.

The error prevents any user from accessing the application, even though the underlying issue only affects a single MCP tool server connection configuration.

Steps to Reproduce

Prerequisites

  1. Open WebUI deployed in Docker container (Azure Web App or similar)
  2. SQLite database with existing configuration
  3. MCP tool server connection configured with OAuth 2.1 authentication (specifically Atlassian MCP)

Reproduction Steps

  1. Initial Setup:

    • Deploy Open WebUI using Docker with a specific WEBUI_SECRET_KEY environment variable
    • Configure Atlassian MCP tool server connection via the UI with OAuth 2.1 authentication
    • Allow the application to encrypt and store OAuth credentials in the database
  2. Trigger the Bug:

    • Change the WEBUI_SECRET_KEY environment variable to a different value
    • OR restore a database backup that was encrypted with a different secret key
    • OR deploy to a new environment without setting the original WEBUI_SECRET_KEY
  3. Restart the Application:

    docker restart <container-name>
    # OR
    az webapp restart --name <webapp-name> --resource-group <resource-group>
    
  4. Observe the Crash:

    • Application fails to start
    • Container logs show the following error:
    ERROR [open_webui.utils.oauth] Error decrypting data:
    
    Traceback (most recent call last):
      File "/app/backend/open_webui/main.py", line 1906, in <module>
        oauth_client_info = decrypt_data(oauth_client_info)
      File "/app/backend/open_webui/utils/oauth.py", line 143, in decrypt_data
        decrypted = FERNET.decrypt(data.encode()).decode()
      File "/usr/local/lib/python3.11/site-packages/cryptography/fernet.py", line 85, in decrypt
        timestamp, data = Fernet._get_unverified_token_data(token)
      File "/usr/local/lib/python3.11/site-packages/cryptography/fernet.py", line 119, in _get_unverified_token_data
        raise InvalidToken
    cryptography.fernet.InvalidToken
    
  5. Application State:

    • Complete service outage
    • No web interface accessible
    • All users unable to access the application

Database Configuration

The problematic configuration in the SQLite database (webui.db, config table) looks like:

{
  "tool_server": {
    "connections": [
      {
        "url": "https://mcp.atlassian.com/v1/sse",
        "path": "openapi.json",
        "type": "mcp",
        "auth_type": "oauth_2.1",
        "key": "<encrypted_value>",
        "config": {
          "enable": true,
          "access_control": {...}
        },
        "info": {
          "id": "atlassian-mcp",
          "name": "Atlassian MCP",
          "description": ""
        }
      }
    ]
  }
}

Logs & Screenshots

Docker Container Logs

2025-10-07T01:34:22.177708884Z  ERROR [open_webui.utils.oauth] Error decrypting data:
2025-10-07T01:34:22.187584466Z  Traceback (most recent call last):
2025-10-07T01:34:22.187616001Z    File "<frozen runpy>", line 198, in _run_module_as_main
2025-10-07T01:34:22.187621052Z    File "<frozen runpy>", line 88, in _run_code
2025-10-07T01:34:22.187624068Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/__main__.py", line 4, in <module>
2025-10-07T01:34:22.187626948Z      uvicorn.main()
2025-10-07T01:34:22.187629635Z    File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1462, in __call__
2025-10-07T01:34:22.197613456Z      return self.main(*args, **kwargs)
2025-10-07T01:34:22.198143580Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198153277Z    File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1383, in main
2025-10-07T01:34:22.198156454Z      rv = self.invoke(ctx)
2025-10-07T01:34:22.198159236Z           ^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198170640Z    File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1246, in invoke
2025-10-07T01:34:22.198173806Z      return ctx.invoke(self.callback, **ctx.params)
2025-10-07T01:34:22.198175631Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198177540Z    File "/usr/local/lib/python3.11/site-packages/click/core.py", line 814, in invoke
2025-10-07T01:34:22.198179601Z      return callback(*args, **kwargs)
2025-10-07T01:34:22.198181422Z             ^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198183202Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 413, in main
2025-10-07T01:34:22.198185233Z      run(
2025-10-07T01:34:22.198187087Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 580, in run
2025-10-07T01:34:22.198189036Z      server.run()
2025-10-07T01:34:22.198190789Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 67, in run
2025-10-07T01:34:22.198192730Z      return asyncio.run(self.serve(sockets=sockets))
2025-10-07T01:34:22.198194685Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198196647Z    File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
2025-10-07T01:34:22.198198587Z      return runner.run(main)
2025-10-07T01:34:22.198200423Z             ^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198202147Z    File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
2025-10-07T01:34:22.198204065Z      return self._loop.run_until_complete(task)
2025-10-07T01:34:22.198205858Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198207724Z    File "uvloop/loop.pyx", line 1518, in uvloop.loop.Loop.run_until_complete
2025-10-07T01:34:22.198209742Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 71, in serve
2025-10-07T01:34:22.198211854Z      await self._serve(sockets)
2025-10-07T01:34:22.198213668Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 78, in _serve
2025-10-07T01:34:22.198215656Z      config.load()
2025-10-07T01:34:22.198217412Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/config.py", line 436, in load
2025-10-07T01:34:22.198558097Z      self.loaded_app = import_from_string(self.app)
2025-10-07T01:34:22.198563909Z                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198565980Z    File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 19, in import_from_string
2025-10-07T01:34:22.198568200Z      module = importlib.import_module(module_str)
2025-10-07T01:34:22.198570184Z               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198572062Z    File "/usr/local/lib/python3.11/importlib/__init__.py", line 126, in import_module
2025-10-07T01:34:22.198574081Z      return _bootstrap._gcd_import(name[level:], package, level)
2025-10-07T01:34:22.198582355Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.198584369Z    File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
2025-10-07T01:34:22.198586454Z    File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
2025-10-07T01:34:22.198588424Z    File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
2025-10-07T01:34:22.198590376Z    File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
2025-10-07T01:34:22.198592385Z    File "<frozen importlib._bootstrap_external>", line 940, in exec_module
2025-10-07T01:34:22.198594370Z    File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
2025-10-07T01:34:22.198596412Z    File "/app/backend/open_webui/main.py", line 1906, in <module>
2025-10-07T01:34:22.200123387Z      oauth_client_info = decrypt_data(oauth_client_info)
2025-10-07T01:34:22.200139406Z                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.200142025Z    File "/app/backend/open_webui/utils/oauth.py", line 143, in decrypt_data
2025-10-07T01:34:22.200144515Z      decrypted = FERNET.decrypt(data.encode()).decode()
2025-10-07T01:34:22.200146386Z                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.200148203Z    File "/usr/local/lib/python3.11/site-packages/cryptography/fernet.py", line 85, in decrypt
2025-10-07T01:34:22.200150338Z      timestamp, data = Fernet._get_unverified_token_data(token)
2025-10-07T01:34:22.200155445Z                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-07T01:34:22.200157393Z    File "/usr/local/lib/python3.11/site-packages/cryptography/fernet.py", line 119, in _get_unverified_token_data
2025-10-07T01:34:22.200159446Z      raise InvalidToken
2025-10-07T01:34:22.200161268Z  cryptography.fernet.InvalidToken

Additional Information

Workaround / Temporary Fix

Access the SQLite database and modify the OAuth configuration:

# SSH into the container
# Navigate to: /app/backend/data

# Backup the database
cp webui.db webui.db.backup

# Change OAuth connection to use no authentication
sqlite3 webui.db << 'EOF'
UPDATE config
SET data = json_set(
  data,
  '$.tool_server.connections[0].auth_type',
  'none'
)
WHERE id = 1;
EOF

# Restart the application
GiteaMirror added the bug label 2025-11-11 17:00:45 -06:00
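The graceful-degradation behavior requested in the issue can be sketched as a pre-start check; this is an added example, not Open WebUI code. It verifies each stored token's HMAC under the current key (per the Fernet token layout) and disables only the connections that fail, leaving the stored value intact. Assumptions: the encrypted value is the `key` field shown in the issue's JSON, the Fernet key is supplied directly (how it is derived from `WEBUI_SECRET_KEY` is not shown on this page), and all function names, keys and sample data are hypothetical or constructed.

```python
import base64
import binascii
import copy
import hashlib
import hmac
import struct

# Constructed demo keys in Fernet key format (url-safe base64 of 32 bytes).
OLD_KEY = base64.urlsafe_b64encode(bytes(range(32)))
NEW_KEY = base64.urlsafe_b64encode(bytes(range(32, 64)))


def token_matches_key(token: str, fernet_key: bytes) -> bool:
    """Check a Fernet token's HMAC under fernet_key without decrypting it."""
    try:
        key = base64.urlsafe_b64decode(fernet_key)
        raw = base64.urlsafe_b64decode(token.encode())
    except (binascii.Error, ValueError):
        return False
    # Layout: version(1) | timestamp(8) | IV(16) | ciphertext(>=16) | HMAC(32)
    if len(key) != 32 or len(raw) < 73 or raw[0] != 0x80:
        return False
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key[:16], body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def constructed_token(fernet_key: bytes, timestamp: int = 1759800000) -> str:
    """Constructed token that authenticates under fernet_key (MAC check only)."""
    # IV and ciphertext are zero-byte placeholders, not a decryptable credential.
    key = base64.urlsafe_b64decode(fernet_key)
    body = b"\x80" + struct.pack(">Q", timestamp) + bytes(16) + bytes(32)
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def preflight(config: dict, fernet_key: bytes) -> tuple[dict, list[str]]:
    """Return a config copy with unverifiable OAuth connections disabled."""
    safe = copy.deepcopy(config)
    warnings = []
    for conn in safe.get("tool_server", {}).get("connections", []):
        if conn.get("auth_type") != "oauth_2.1":
            continue
        if not token_matches_key(str(conn.get("key") or ""), fernet_key):
            conn.setdefault("config", {})["enable"] = False
            conn_id = conn.get("info", {}).get("id", "<unknown>")
            warnings.append(
                f"{conn_id}: stored credential does not verify under the "
                "current key (key changed or database restored?); disabled"
            )
    return safe, warnings


# Constructed config in the shape shown in the issue.
SAMPLE_CONFIG = {"tool_server": {"connections": [{
    "url": "https://mcp.atlassian.com/v1/sse", "type": "mcp",
    "auth_type": "oauth_2.1", "key": constructed_token(OLD_KEY),
    "config": {"enable": True}, "info": {"id": "atlassian-mcp"},
}]}}

if __name__ == "__main__":
    for line in preflight(SAMPLE_CONFIG, NEW_KEY)[1]:
        print("WARNING", line)
```

Because the stored token is never modified, restoring the original key makes the connection verify again without re-entering credentials.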

Reference: github-starred/open-webui#6601