mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[GH-ISSUE #9632] OAuth names and emails suppressed on certain OIDC instances #70192
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @gabrc52 on GitHub (Feb 8, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/9632
Bug Report
On OAuth providers that return identity tokens that are less complete than querying the user info endpoint (i.e. only
suband nonameoremail), Open WebUI never queries the user info endpoint resulting in those claims being suppressed and unusable.Installation Method
pip in venv
Environment
Open WebUI Version: v0.5.10
Ollama (if applicable): yes
Operating System: Linux
Browser (if applicable): Firefox 133
Confirmation:
Description
Bug Summary:
On OAuth providers that return identity tokens that are less complete than querying the user info endpoint (i.e. only
suband nonameoremail), Open WebUI never queries the user info endpoint resulting in those claims being suppressed and unusable.Expected Behavior:
Open WebUI can find
nameandemailfrom the user info, assumingOAUTH_USERNAME_CLAIM=nameandOAUTH_EMAIL_CLAIM=emailActual Behavior:
Open WebUI can only find
sub, so it fails at authenticating unless one uses the workaround to set the name and username tosub.Reproduction Details
Steps to Reproduce:
suband to get thenameoremailyou have to query the user info endpoint.ENABLE_OAUTH_SIGNUP=true,OAUTH_CLIENT_ID,OAUTH_CLIENT_SECRET,OPENID_PROVIDER_URL,OPENID_REDIRECT_URI, leaving other default values.Logs and Screenshots
Docker Container Logs:
We are not using docker but this is the log part from journalctl:
Additional Information
We are using https://github.com/IdentityPython/SATOSA as an OpenID Connect provider for Open WebUI.
In this case, our OIDC provider gives id tokens that look like this (they contain only
sub):However, our user info HTTPS endpoint is more complete and also returns
email,name,given_nameandfamily_name.As a result, if a user tries to login they will get the following error:
{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}And this will be in the logs:
OAuth callback failed, email is missingA workaround for such an instance would be to set the following environment variables, however this makes it impossible to get users' names and also relies on the implementation detail (bug?) of
subcoincidentally containing the email address.We believe that the issue lies in
backend/open_webui/utils/oauth.pyline 196:Because
user_datacontains something, even if it is incomplete,client.userinfonever gets called becauseuser_datais truthy. We believe that it should be called anyways to complete the missing user info (i.e.user_data.update(await client.userinfo(token=token)). Alternatively, it could call userinfo only if it finds that the identity token/JWT is incomplete (instead of raising an exception that the id token does not contain an email, try to get the email from the userinfo endpoint).@gabrc52 commented on GitHub (Feb 8, 2025):
Wow, this has been annoying us for a while and we only decided to debug now but it seems like it is actually solved 2 days ago in https://github.com/open-webui/open-webui/pull/9456
It simply has not made it to
mainor a release so the changes haven't made it to production...Also, I guess we wrote everything without realizing that this issue is also a duplicate of #9452, which was also filed 2 days ago...