github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-06-02 23:08:26 -05:00
Code Issues 2.4k Packages Projects Releases 129 Wiki Activity

[GH-ISSUE #20518] Microsoft Entra ID OAuth role mapping not working - ENABLE_OAUTH_ROLE_MANAGEMENT ignored #73812

New Issue
Closed
opened 2026-05-13 06:20:06 -05:00 by GiteaMirror · 5 comments
GiteaMirror commented 2026-05-13 06:20:06 -05:00
Owner
Copy Link

Originally created by @roller100 on GitHub (Jan 9, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20518

Description

When using Microsoft Entra ID OAuth with app roles configured, the ENABLE_OAUTH_ROLE_MANAGEMENT and OAUTH_ROLES_CLAIM environment variables do not work. All users are created with user role regardless of their Entra ID app role assignment.

Environment

  • Open Web UI version: v0.6.43
  • OAuth provider: Microsoft Entra ID
  • Deployment: Docker Compose

Configuration

Entra ID App Registration:

  • App roles defined: admin and user
  • User assigned to admin role in Enterprise Application
  • Token configuration includes roles claim in both ID token and access token:
{
  "optionalClaims": {
    "idToken": [
      {"name": "groups", "essential": true},
      {"name": "roles", "essential": false}
    ],
    "accessToken": [
      {"name": "groups", "essential": true},
      {"name": "roles", "essential": false}
    ]
  }
}

Open Web UI Environment Variables:

MICROSOFT_CLIENT_ID=<client_id>
MICROSOFT_CLIENT_SECRET=<secret>
MICROSOFT_CLIENT_TENANT_ID=<tenant_id>
MICROSOFT_REDIRECT_URI=https://example.com/oauth/microsoft/callback
OPENID_PROVIDER_URL=https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
ENABLE_OAUTH_SIGNUP=true
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_ROLES_CLAIM=roles
ENABLE_OAUTH_GROUP_MANAGEMENT=true
OAUTH_GROUPS_CLAIM=groups

Expected Behavior

Users with admin role assigned in Entra ID Enterprise Application should be created with admin role in Open Web UI.

Actual Behavior

All users are created with user role, regardless of their Entra ID app role assignment. Manual database promotion required:

UPDATE "user" SET role = 'admin' WHERE email = 'user@example.com';

Observations

  1. OAuth login succeeds and user is created
  2. Container logs show successful OAuth callback but no role processing
  3. The roles claim is present in the token (verified via Entra ID token configuration)
  4. ENABLE_OAUTH_ROLE_MANAGEMENT=true appears to have no effect with Microsoft OAuth

Related Discussion

This issue is mentioned in #9275 where other users report the same problem. Quote from @riosengineer:

"Got you. Yeah, I agree, that's gonna need source code to fix. They don't expose the claim for us to pull into the database. Even if I specify it."

Proposed Solution

Extend the Microsoft OAuth handler to:

  1. Read the roles claim from the ID token
  2. Map Entra ID app roles to Open Web UI roles (admin, user, pending)
  3. Respect ENABLE_OAUTH_ROLE_MANAGEMENT for Microsoft OAuth (currently appears to only work with generic OIDC)

Workaround

Manual database update after initial OAuth login:

from sqlalchemy import create_engine, text
engine = create_engine(DATABASE_URL)
with engine.connect() as conn:
    conn.execute(text("UPDATE \"user\" SET role = 'admin' WHERE email = 'user@example.com'"))
    conn.commit()

Additional Context

This is critical for enterprise deployments where role-based access control is managed centrally in Entra ID. Manual promotion doesn't scale and defeats the purpose of SSO integration.

Originally created by @roller100 on GitHub (Jan 9, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/20518 ## Description When using Microsoft Entra ID OAuth with app roles configured, the `ENABLE_OAUTH_ROLE_MANAGEMENT` and `OAUTH_ROLES_CLAIM` environment variables do not work. All users are created with `user` role regardless of their Entra ID app role assignment. ## Environment - Open Web UI version: v0.6.43 - OAuth provider: Microsoft Entra ID - Deployment: Docker Compose ## Configuration **Entra ID App Registration:** - App roles defined: `admin` and `user` - User assigned to `admin` role in Enterprise Application - Token configuration includes `roles` claim in both ID token and access token: ```json { "optionalClaims": { "idToken": [ {"name": "groups", "essential": true}, {"name": "roles", "essential": false} ], "accessToken": [ {"name": "groups", "essential": true}, {"name": "roles", "essential": false} ] } } ``` **Open Web UI Environment Variables:** ```bash MICROSOFT_CLIENT_ID=<client_id> MICROSOFT_CLIENT_SECRET=<secret> MICROSOFT_CLIENT_TENANT_ID=<tenant_id> MICROSOFT_REDIRECT_URI=https://example.com/oauth/microsoft/callback OPENID_PROVIDER_URL=https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration ENABLE_OAUTH_SIGNUP=true ENABLE_OAUTH_ROLE_MANAGEMENT=true OAUTH_ROLES_CLAIM=roles ENABLE_OAUTH_GROUP_MANAGEMENT=true OAUTH_GROUPS_CLAIM=groups ``` ## Expected Behavior Users with `admin` role assigned in Entra ID Enterprise Application should be created with `admin` role in Open Web UI. ## Actual Behavior All users are created with `user` role, regardless of their Entra ID app role assignment. Manual database promotion required: ```sql UPDATE "user" SET role = 'admin' WHERE email = 'user@example.com'; ``` ## Observations 1. OAuth login succeeds and user is created 2. Container logs show successful OAuth callback but no role processing 3. The `roles` claim is present in the token (verified via Entra ID token configuration) 4. `ENABLE_OAUTH_ROLE_MANAGEMENT=true` appears to have no effect with Microsoft OAuth ## Related Discussion This issue is mentioned in #9275 where other users report the same problem. Quote from @riosengineer: > "Got you. Yeah, I agree, that's gonna need source code to fix. They don't expose the claim for us to pull into the database. Even if I specify it." ## Proposed Solution Extend the Microsoft OAuth handler to: 1. Read the `roles` claim from the ID token 2. Map Entra ID app roles to Open Web UI roles (`admin`, `user`, `pending`) 3. Respect `ENABLE_OAUTH_ROLE_MANAGEMENT` for Microsoft OAuth (currently appears to only work with generic OIDC) ## Workaround Manual database update after initial OAuth login: ```python from sqlalchemy import create_engine, text engine = create_engine(DATABASE_URL) with engine.connect() as conn: conn.execute(text("UPDATE \"user\" SET role = 'admin' WHERE email = 'user@example.com'")) conn.commit() ``` ## Additional Context This is critical for enterprise deployments where role-based access control is managed centrally in Entra ID. Manual promotion doesn't scale and defeats the purpose of SSO integration.
GiteaMirror commented 2026-05-13 06:20:08 -05:00
Author
Owner
Copy Link

@riosengineer commented on GitHub (Jan 9, 2026):

Hey @roller100 - Just to clarify, my comment is referring to the Entra groups display name claim not being present on the token in Open WebUI, rather than the roles.

I can manage the roles from Entra, and give someone an Administrator role - when they log in they do get an admin role. But the synced Entra groups are the object id/guids and not the display names (same for the profile photo claim too, only works with Microsoft IdP and NOT OAUTH generic claims)

In regards to your problem, is it possible that you are missing this env var?

OAUTH_ALLOWED_ROLES which I have two roles as the value: user,admin (you'd need to add one more for your pending state. ?)

Edit: Decided to dig out all my Entra/OAuth env vars that do work for roles and sync as of today

ENABLE_OAUTH_SIGNUP: true
ENABLE_LOGIN_FORM: false
ENABLE_OAUTH_PERSISTENT_CONFIG: false
OAUTH_PROVIDER_NAME: Microsoft Entra ID
OAUTH_CLIENT_ID: <resEntraIdApp.appId>
OAUTH_CODE_CHALLENGE_METHOD: S256
OPENID_PROVIDER_URL: https://<login-endpoint>/<tenant-id>/v2.0/.well-known/openid-configuration
OAUTH_SCOPES: openid email profile api://<app-name>/user_impersonation User.Read GroupMember.Read.All ProfilePhoto.Read.All
OAUTH_EMAIL_CLAIM: email
OAUTH_USERNAME_CLAIM: name
ENABLE_OAUTH_ROLE_MANAGEMENT: true
OAUTH_ROLES_CLAIM: roles
OAUTH_ALLOWED_ROLES: user,admin
OAUTH_ADMIN_ROLES: admin
ENABLE_OAUTH_GROUP_MANAGEMENT: true
ENABLE_OAUTH_GROUP_CREATION: true
OAUTH_GROUPS_CLAIM: groups
<!-- gh-comment-id:3729719076 --> @riosengineer commented on GitHub (Jan 9, 2026): Hey @roller100 - Just to clarify, my comment is referring to the Entra groups display name claim not being present on the token in Open WebUI, rather than the roles. I can manage the roles from Entra, and give someone an Administrator role - when they log in they do get an admin role. But the synced Entra groups are the object id/guids and not the display names (same for the profile photo claim too, only works with Microsoft IdP and NOT OAUTH generic claims) In regards to your problem, is it possible that you are missing this env var? `OAUTH_ALLOWED_ROLES` which I have two roles as the value: `user,admin` (you'd need to add one more for your pending state. ?) Edit: Decided to dig out all my Entra/OAuth env vars that do work for roles and sync as of today ``` ENABLE_OAUTH_SIGNUP: true ENABLE_LOGIN_FORM: false ENABLE_OAUTH_PERSISTENT_CONFIG: false OAUTH_PROVIDER_NAME: Microsoft Entra ID OAUTH_CLIENT_ID: <resEntraIdApp.appId> OAUTH_CODE_CHALLENGE_METHOD: S256 OPENID_PROVIDER_URL: https://<login-endpoint>/<tenant-id>/v2.0/.well-known/openid-configuration OAUTH_SCOPES: openid email profile api://<app-name>/user_impersonation User.Read GroupMember.Read.All ProfilePhoto.Read.All OAUTH_EMAIL_CLAIM: email OAUTH_USERNAME_CLAIM: name ENABLE_OAUTH_ROLE_MANAGEMENT: true OAUTH_ROLES_CLAIM: roles OAUTH_ALLOWED_ROLES: user,admin OAUTH_ADMIN_ROLES: admin ENABLE_OAUTH_GROUP_MANAGEMENT: true ENABLE_OAUTH_GROUP_CREATION: true OAUTH_GROUPS_CLAIM: groups ```
GiteaMirror commented 2026-05-13 06:20:08 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Mar 25, 2026):

Addressed in dev.

<!-- gh-comment-id:4122713717 --> @tjbck commented on GitHub (Mar 25, 2026): Addressed in dev.
GiteaMirror commented 2026-05-13 06:20:09 -05:00
Author
Owner
Copy Link

@silenceroom commented on GitHub (Apr 12, 2026):

Hey @roller100 - Just to clarify, my comment is referring to the Entra groups display name claim not being present on the token in Open WebUI, rather than the roles.

I can manage the roles from Entra, and give someone an Administrator role - when they log in they do get an admin role. But the synced Entra groups are the object id/guids and not the display names (same for the profile photo claim too, only works with Microsoft IdP and NOT OAUTH generic claims)

In regards to your problem, is it possible that you are missing this env var?

OAUTH_ALLOWED_ROLES which I have two roles as the value: user,admin (you'd need to add one more for your pending state. ?)

Edit: Decided to dig out all my Entra/OAuth env vars that do work for roles and sync as of today

ENABLE_OAUTH_SIGNUP: true
ENABLE_LOGIN_FORM: false
ENABLE_OAUTH_PERSISTENT_CONFIG: false
OAUTH_PROVIDER_NAME: Microsoft Entra ID
OAUTH_CLIENT_ID: <resEntraIdApp.appId>
OAUTH_CODE_CHALLENGE_METHOD: S256
OPENID_PROVIDER_URL: https://<login-endpoint>/<tenant-id>/v2.0/.well-known/openid-configuration
OAUTH_SCOPES: openid email profile api://<app-name>/user_impersonation User.Read GroupMember.Read.All ProfilePhoto.Read.All
OAUTH_EMAIL_CLAIM: email
OAUTH_USERNAME_CLAIM: name
ENABLE_OAUTH_ROLE_MANAGEMENT: true
OAUTH_ROLES_CLAIM: roles
OAUTH_ALLOWED_ROLES: user,admin
OAUTH_ADMIN_ROLES: admin
ENABLE_OAUTH_GROUP_MANAGEMENT: true
ENABLE_OAUTH_GROUP_CREATION: true
OAUTH_GROUPS_CLAIM: groups

I'm having the same problem that the display name in Groups are object ID instad of the actual group name. To clarify, this happens only on the Group that were sync from local Windows Active Directory, if the groups were a cloud Group, then OWUI can properly display the name.

A group created on local AD and synced to Entra.
Image

A Cloud based group.
Image

<!-- gh-comment-id:4231212371 --> @silenceroom commented on GitHub (Apr 12, 2026): > Hey [@roller100](https://github.com/roller100) - Just to clarify, my comment is referring to the Entra groups display name claim not being present on the token in Open WebUI, rather than the roles. > > I can manage the roles from Entra, and give someone an Administrator role - when they log in they do get an admin role. But the synced Entra groups are the object id/guids and not the display names (same for the profile photo claim too, only works with Microsoft IdP and NOT OAUTH generic claims) > > In regards to your problem, is it possible that you are missing this env var? > > `OAUTH_ALLOWED_ROLES` which I have two roles as the value: `user,admin` (you'd need to add one more for your pending state. ?) > > Edit: Decided to dig out all my Entra/OAuth env vars that do work for roles and sync as of today > > ``` > ENABLE_OAUTH_SIGNUP: true > ENABLE_LOGIN_FORM: false > ENABLE_OAUTH_PERSISTENT_CONFIG: false > OAUTH_PROVIDER_NAME: Microsoft Entra ID > OAUTH_CLIENT_ID: <resEntraIdApp.appId> > OAUTH_CODE_CHALLENGE_METHOD: S256 > OPENID_PROVIDER_URL: https://<login-endpoint>/<tenant-id>/v2.0/.well-known/openid-configuration > OAUTH_SCOPES: openid email profile api://<app-name>/user_impersonation User.Read GroupMember.Read.All ProfilePhoto.Read.All > OAUTH_EMAIL_CLAIM: email > OAUTH_USERNAME_CLAIM: name > ENABLE_OAUTH_ROLE_MANAGEMENT: true > OAUTH_ROLES_CLAIM: roles > OAUTH_ALLOWED_ROLES: user,admin > OAUTH_ADMIN_ROLES: admin > ENABLE_OAUTH_GROUP_MANAGEMENT: true > ENABLE_OAUTH_GROUP_CREATION: true > OAUTH_GROUPS_CLAIM: groups > ``` I'm having the same problem that the display name in Groups are object ID instad of the actual group name. To clarify, this happens only on the Group that were sync from local Windows Active Directory, if the groups were a cloud Group, then OWUI can properly display the name. A group created on local AD and synced to Entra. <img width="623" height="74" alt="Image" src="https://github.com/user-attachments/assets/ea53c495-7158-45ce-8779-689d5cfcf94a" /> A Cloud based group. <img width="266" height="65" alt="Image" src="https://github.com/user-attachments/assets/705d18c1-d99a-4f58-9344-fcb39a30475f" />
GiteaMirror commented 2026-05-13 06:20:09 -05:00
Author
Owner
Copy Link

@silenceroom commented on GitHub (Apr 12, 2026):

Just figure it out.

In the "Token Configurations" of App Registration, add the group claim, and then make sure the ID is set to "sAMAccountName". This will then ensure the OWUI recognize both cloud/local AD group names.

<!-- gh-comment-id:4231608159 --> @silenceroom commented on GitHub (Apr 12, 2026): Just figure it out. In the "Token Configurations" of App Registration, add the group claim, and then make sure the ID is set to "sAMAccountName". This will then ensure the OWUI recognize both cloud/local AD group names.
GiteaMirror commented 2026-05-13 06:20:10 -05:00
Author
Owner
Copy Link

@riosengineer commented on GitHub (Apr 12, 2026):

Just figure it out.

In the "Token Configurations" of App Registration, add the group claim, and then make sure the ID is set to "sAMAccountName". This will then ensure the OWUI recognize both cloud/local AD group names.

Nice. Thanks. When I posted my reply a few months ago there wasn't any claim in the code even if the Entra endpoint had it in there when passing to Open WebUI. Maybe they fixed this now also

<!-- gh-comment-id:4231628862 --> @riosengineer commented on GitHub (Apr 12, 2026): > Just figure it out. > > In the "Token Configurations" of App Registration, add the group claim, and then make sure the ID is set to "sAMAccountName". This will then ensure the OWUI recognize both cloud/local AD group names. Nice. Thanks. When I posted my reply a few months ago there wasn't any claim in the code even if the Entra endpoint had it in there when passing to Open WebUI. Maybe they fixed this now also
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#73812
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?