[GH-ISSUE #21016] issue:Trusted Header Authentication does not automatically register new users after the first login #73961

Closed
opened 2026-05-13 06:32:13 -05:00 by GiteaMirror · 3 comments
Owner

Originally created by @FHaggs on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21016

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

0.7.2

Ollama Version (if applicable)

No response

Operating System

Debian 12

Browser (if applicable)

Firefox

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

According to the documentation for WEBUI_AUTH_TRUSTED_EMAIL_HEADER, Open WebUI should handle "automatic registration and login" for any user passed in the header.

When a request is received with a valid email in the X-User-Email header (that does not currently exist in the database), the system should:

Automatically create a new user account for that email.

Log the user in.

This should apply to all users, not just the initial admin account.

Actual Behavior

Automatic registration works only for the very first user (who is assigned the Admin role).

For any subsequent requests with a new email address in the X-User-Email header:

The user is not automatically created.

Authentication fails (or simply does not log the user in).

To make it work, I currently have to manually create the user in the Open WebUI admin panel first. Once the user exists in the database, the Trusted Header authentication works correctly.

Steps to Reproduce

Start Open WebUI using the following Docker command on Debian 12 (ensure the volume is fresh/empty to simulate a first install):
Bash

docker run --rm
-p 3000:8080
--add-host=host.docker.internal:host-gateway
-e OLLAMA_BASE_URL=http://host.docker.internal:11434
-e WEBUI_AUTH_TRUSTED_EMAIL_HEADER="X-User-Email"
-e DEFAULT_USER_ROLE=user
-v open-webui:/app/backend/data
--name open-webui-remote
ghcr.io/open-webui/open-webui:main-slim

Authenticate User 1 (Admin):

Send a request/access the site passing the header X-User-Email: admin@example.com.

Result: The user is created as Admin and logged in. (This works as expected).

Authenticate User 2 (Regular User):

In a new private window or different session, access the site passing the header X-User-Email: newuser@example.com.

Result: The user is not created. Login fails.

Workaround:

Log back in as User 1 (Admin).

Go to Admin Panel -> Users -> Add User.

Manually add newuser@example.com.

Retry step 3.

Result: Login now succeeds.

Logs & Screenshots

Image

Additional Information

2026-01-28 19:42:26.476 | INFO | open_webui.utils.logger:start_logger:166 - GLOBAL_LOG_LEVEL: INFO
2026-01-28 19:42:26.477 | INFO | open_webui.main:lifespan:604 - Installing external dependencies of functions and tools...
2026-01-28 19:42:26.485 | INFO | open_webui.utils.plugin:install_frontmatter_requirements:286 - No requirements found in frontmatter.
2026-01-28 19:42:33.182 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/custom.css HTTP/1.1" 200
2026-01-28 19:42:33.183 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/loader.js HTTP/1.1" 200
2026-01-28 19:42:33.328 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/splash-dark.png HTTP/1.1" 200
2026-01-28 19:42:33.329 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/splash.png HTTP/1.1" 200
2026-01-28 19:42:33.457 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/apple-touch-icon.png HTTP/1.1" 200
2026-01-28 19:42:33.458 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/favicon.svg HTTP/1.1" 200
2026-01-28 19:42:33.560 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /api/config HTTP/1.1" 200
2026-01-28 19:42:33.572 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /api/v1/auths/ HTTP/1.1" 401
2026-01-28 19:42:33.612 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/favicon.png HTTP/1.1" 200
2026-01-28 19:42:33.613 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56572 - "GET /static/favicon-dark.png HTTP/1.1" 200
2026-01-28 19:42:33.614 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "POST /api/v1/auths/signin HTTP/1.1" 403
2026-01-28 19:42:37.564 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56572 - "GET /api/version HTTP/1.1" 200
2026-01-28 19:42:37.565 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56590 - "GET /api/version HTTP/1.1" 200
2026-01-28 19:42:44.208 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /static/loader.js HTTP/1.1" 304
2026-01-28 19:42:44.208 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/custom.css HTTP/1.1" 304
2026-01-28 19:42:44.225 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /static/splash-dark.png HTTP/1.1" 304
2026-01-28 19:42:44.229 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/splash.png HTTP/1.1" 304
2026-01-28 19:42:44.373 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /api/config HTTP/1.1" 200
2026-01-28 19:42:44.397 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/favicon.png HTTP/1.1" 304
2026-01-28 19:42:44.398 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57402 - "GET /static/favicon-dark.png HTTP/1.1" 304
2026-01-28 19:42:44.399 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "POST /api/v1/auths/signin HTTP/1.1" 403
2026-01-28 19:42:44.406 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /api/version HTTP/1.1" 200
2026-01-28 19:42:52.843 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:49190 - "GET /_app/version.json HTTP/1.1" 304

Originally created by @FHaggs on GitHub (Jan 28, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/21016 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version 0.7.2 ### Ollama Version (if applicable) _No response_ ### Operating System Debian 12 ### Browser (if applicable) Firefox ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior According to the documentation for WEBUI_AUTH_TRUSTED_EMAIL_HEADER, Open WebUI should handle "automatic registration and login" for any user passed in the header. When a request is received with a valid email in the X-User-Email header (that does not currently exist in the database), the system should: Automatically create a new user account for that email. Log the user in. This should apply to all users, not just the initial admin account. ### Actual Behavior Automatic registration works only for the very first user (who is assigned the Admin role). For any subsequent requests with a new email address in the X-User-Email header: The user is not automatically created. Authentication fails (or simply does not log the user in). To make it work, I currently have to manually create the user in the Open WebUI admin panel first. Once the user exists in the database, the Trusted Header authentication works correctly. ### Steps to Reproduce Start Open WebUI using the following Docker command on Debian 12 (ensure the volume is fresh/empty to simulate a first install): Bash docker run --rm \ -p 3000:8080 \ --add-host=host.docker.internal:host-gateway \ -e OLLAMA_BASE_URL=http://host.docker.internal:11434 \ -e WEBUI_AUTH_TRUSTED_EMAIL_HEADER="X-User-Email" \ -e DEFAULT_USER_ROLE=user \ -v open-webui:/app/backend/data \ --name open-webui-remote \ ghcr.io/open-webui/open-webui:main-slim Authenticate User 1 (Admin): Send a request/access the site passing the header X-User-Email: admin@example.com. Result: The user is created as Admin and logged in. (This works as expected). Authenticate User 2 (Regular User): In a new private window or different session, access the site passing the header X-User-Email: newuser@example.com. Result: The user is not created. Login fails. Workaround: Log back in as User 1 (Admin). Go to Admin Panel -> Users -> Add User. Manually add newuser@example.com. Retry step 3. Result: Login now succeeds. ### Logs & Screenshots <img width="1028" height="322" alt="Image" src="https://github.com/user-attachments/assets/08b2f3df-afe3-48af-b804-3afce1bf2450" /> ### Additional Information 2026-01-28 19:42:26.476 | INFO | open_webui.utils.logger:start_logger:166 - GLOBAL_LOG_LEVEL: INFO 2026-01-28 19:42:26.477 | INFO | open_webui.main:lifespan:604 - Installing external dependencies of functions and tools... 2026-01-28 19:42:26.485 | INFO | open_webui.utils.plugin:install_frontmatter_requirements:286 - No requirements found in frontmatter. 2026-01-28 19:42:33.182 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/custom.css HTTP/1.1" 200 2026-01-28 19:42:33.183 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/loader.js HTTP/1.1" 200 2026-01-28 19:42:33.328 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/splash-dark.png HTTP/1.1" 200 2026-01-28 19:42:33.329 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/splash.png HTTP/1.1" 200 2026-01-28 19:42:33.457 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/apple-touch-icon.png HTTP/1.1" 200 2026-01-28 19:42:33.458 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /static/favicon.svg HTTP/1.1" 200 2026-01-28 19:42:33.560 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /api/config HTTP/1.1" 200 2026-01-28 19:42:33.572 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "GET /api/v1/auths/ HTTP/1.1" 401 2026-01-28 19:42:33.612 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56570 - "GET /static/favicon.png HTTP/1.1" 200 2026-01-28 19:42:33.613 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56572 - "GET /static/favicon-dark.png HTTP/1.1" 200 2026-01-28 19:42:33.614 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56566 - "POST /api/v1/auths/signin HTTP/1.1" 403 2026-01-28 19:42:37.564 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56572 - "GET /api/version HTTP/1.1" 200 2026-01-28 19:42:37.565 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:56590 - "GET /api/version HTTP/1.1" 200 2026-01-28 19:42:44.208 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /static/loader.js HTTP/1.1" 304 2026-01-28 19:42:44.208 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/custom.css HTTP/1.1" 304 2026-01-28 19:42:44.225 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /static/splash-dark.png HTTP/1.1" 304 2026-01-28 19:42:44.229 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/splash.png HTTP/1.1" 304 2026-01-28 19:42:44.373 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /api/config HTTP/1.1" 200 2026-01-28 19:42:44.397 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57390 - "GET /static/favicon.png HTTP/1.1" 304 2026-01-28 19:42:44.398 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57402 - "GET /static/favicon-dark.png HTTP/1.1" 304 2026-01-28 19:42:44.399 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "POST /api/v1/auths/signin HTTP/1.1" 403 2026-01-28 19:42:44.406 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:57376 - "GET /api/version HTTP/1.1" 200 2026-01-28 19:42:52.843 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 172.17.0.1:49190 - "GET /_app/version.json HTTP/1.1" 304
GiteaMirror added the bug label 2026-05-13 06:32:13 -05:00
Author
Owner

@pr-validator-bot commented on GitHub (Jan 28, 2026):

⚠️ Invalid Issue Title

Hey @FHaggs, please provide a descriptive title for your issue. Titles that are empty, very short (under 10 characters), or generic (like "issue:") make it difficult for volunteer contributors to understand and triage issues.

Please update the title to reflect the content of your issue.

<!-- gh-comment-id:3813500941 --> @pr-validator-bot commented on GitHub (Jan 28, 2026): # ⚠️ Invalid Issue Title Hey @FHaggs, please provide a descriptive title for your issue. Titles that are empty, very short (under 10 characters), or generic (like "issue:") make it difficult for volunteer contributors to understand and triage issues. Please update the title to reflect the content of your issue.
Author
Owner

@Classic298 commented on GitHub (Jan 28, 2026):

I am a bit unsure if this is now a feature request for a missing header check to be introduced or a report of incorrect docs or both?

The docs you reference were added here: 9b9162c182 not sure if this existed in the past and got removed at some point (?), the commit is very old.

<!-- gh-comment-id:3813568320 --> @Classic298 commented on GitHub (Jan 28, 2026): I am a bit unsure if this is now a feature request for a missing header check to be introduced or a report of incorrect docs or both? The docs you reference were added here: https://github.com/open-webui/docs/commit/9b9162c182ff00e0a94008c2e2eccf212423c26c not sure if this existed in the past and got removed at some point (?), the commit is very old.
Author
Owner

@tjbck commented on GitHub (Feb 11, 2026):

Addressed in dev.

<!-- gh-comment-id:3887867424 --> @tjbck commented on GitHub (Feb 11, 2026): Addressed in dev.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#73961