mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[PR #23529] [CLOSED] feat: add support for custom SSO/OAuth providers #66096
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23529
Author: @RoryChou-flux
Created: 4/9/2026
Status: ❌ Closed
Base:
main← Head:feat/custom-sso-providers📝 Commits (1)
c5f70bcfeat: add support for custom SSO/OAuth providers📊 Changes
8 files changed (+858 additions, -134 deletions)
View changed files
📝
backend/open_webui/config.py(+123 -0)📝
backend/open_webui/main.py(+14 -1)📝
backend/open_webui/routers/auths.py(+137 -0)📝
backend/open_webui/utils/oauth.py(+39 -19)📝
src/lib/apis/auths/index.ts(+100 -0)📝
src/lib/components/admin/Settings.svelte(+4 -1)📝
src/lib/components/admin/Settings/General.svelte(+364 -2)📝
src/routes/auth/+page.svelte(+77 -111)📄 Description
Summary
CUSTOM_OAUTH_PROVIDERS_CONFIGenvironment variableMotivation
Currently, Open WebUI hardcodes 5 OAuth providers (Google, Microsoft, GitHub, OIDC, Feishu), each limited to a single instance. Users who need multiple instances of the same provider type (e.g., two Feishu apps for different enterprises) must modify source code. This PR adds a general-purpose custom SSO provider system that solves this limitation.
Changes
Backend
config.py: AddCUSTOM_OAUTH_PROVIDERS_CONFIGPersistentConfig,_build_custom_provider_register()helper, extendload_oauth_providers()to register custom providers, addprovider_typeandnameto all built-in providersutils/oauth.py: Refactorhandle_callback()to support per-provider claim overrides (sub_claim, email_claim, username_claim, picture_claim, email_fallback), generalize Feishu data-unwrap viaprovider_type, addreload_providers()for hot-reloadrouters/auths.py: Add admin CRUD endpoints (GET/POST/POST/{slug}/DELETE/{slug}) for custom OAuth providers with slug validation and secret redactionmain.py: Change/api/configoauth.providersresponse from{key: name_string}to{key: {name, icon_url, is_custom, provider_type}}, registerCUSTOM_OAUTH_PROVIDERS_CONFIGon app stateFrontend
auth/+page.svelte: Replace hardcoded{#if}blocks for each OAuth provider with a single dynamic{#each}loop, preserving branded SVG icons for built-in providers and supportingicon_urlor a default key icon for custom providersGeneral.svelte: Add "Custom SSO Providers" management section in Admin Settings with full CRUD UI (add/edit/delete providers, configure endpoints, claim mappings, etc.)apis/auths/index.ts: Add frontend API functions for custom provider CRUDNo database migration needed
configtable JSON blobUser.oauthJSON field already supports arbitrary provider keysOAuthSession.providertext field already accepts any slugConfiguration
Via Admin UI
Admin Settings → General → Custom SSO Providers → Add Provider
Via Environment Variable
Breaking Changes
/api/configresponse:oauth.providersvalues changed from plain strings to objects. This only affects the bundled frontend (updated in this PR) and any external consumers of this internal API.Test plan
CUSTOM_OAUTH_PROVIDERS_CONFIGenv var and verify it loads on startup🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.