[PR #2574] [MERGED] feat: experimental SSO support for Google, Microsoft, and OIDC #7830

Closed
opened 2025-11-11 17:37:13 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/2574
Author: @cheahjs
Created: 5/26/2024
Status: Merged
Merged: 6/25/2024
Merged by: @tjbck

Base: dev ← Head: feat/oauth


📝 Commits (10+)

  • a842d8d deps: add authlib
  • 0210a10 feat: experimental SSO support for Google, Microsoft, and OIDC
  • b3557d0 fix: bad authlib version
  • 7385016 fix: only get user by emails without oauth sub
  • 776bb28 fix: bad user get
  • 4a4e323 refac: rename OPENID -> OAUTH
  • 06dbf59 feat: make oauth config persist into config.json
  • 985fdca refac: move things around, uplift oauth endpoints
  • 6a36039 Merge remote-tracking branch 'upstream/dev' into feat/oauth
  • a1f4706 fix: OAUTH_MERGE_ACCOUNTS_BY_EMAIL not being correctly read

📊 Changes

52 files changed (+633 additions, -13 deletions)

View changed files

➕ backend/apps/webui/internal/migrations/017_add_user_oauth_sub.py (+49 -0)
📝 backend/apps/webui/main.py (+2 -0)
📝 backend/apps/webui/models/auths.py (+4 -1)
📝 backend/apps/webui/models/users.py (+25 -0)
📝 backend/apps/webui/routers/auths.py (+0 -1)
📝 backend/config.py (+139 -0)
📝 backend/main.py (+174 -2)
📝 backend/requirements.txt (+1 -0)
📝 pyproject.toml (+1 -0)
📝 requirements-dev.lock (+9 -3)
📝 requirements.lock (+9 -3)
📝 src/lib/i18n/locales/ar-BH/translation.json (+2 -0)
📝 src/lib/i18n/locales/bg-BG/translation.json (+2 -0)
📝 src/lib/i18n/locales/bn-BD/translation.json (+2 -0)
📝 src/lib/i18n/locales/ca-ES/translation.json (+2 -0)
📝 src/lib/i18n/locales/ceb-PH/translation.json (+2 -0)
📝 src/lib/i18n/locales/de-DE/translation.json (+2 -0)
📝 src/lib/i18n/locales/dg-DG/translation.json (+2 -0)
📝 src/lib/i18n/locales/en-GB/translation.json (+2 -0)
📝 src/lib/i18n/locales/en-US/translation.json (+2 -0)

...and 32 more files

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

  • [x] Target branch: Please verify that the pull request targets the dev branch.
  • [ ] Description: Provide a concise description of the changes made in this pull request.
  • [ ] Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • [ ] Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • [ ] Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • [x] Testing: Have you written and run sufficient tests for validating the changes?
  • [ ] Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • [x] Label: To clearly categorize this pull request, assign a relevant label to the pull request title, using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

Addresses #483

Adds support for SSO logins with Google, Microsoft, or an OIDC provider.

Env vars:

  • ENABLE_OAUTH_SIGNUP - allow accounts to be created when logging in with oauth
  • OAUTH_MERGE_ACCOUNTS_BY_EMAIL - allow logging in to the account keyed by the email address present in the id token. This is less secure because handling the provided email address requires a lot of care that I have not put in.
  • Google
    • see: https://support.google.com/cloud/answer/6158849?hl=en
    • GOOGLE_CLIENT_ID - Google OAuth client ID
    • GOOGLE_CLIENT_SECRET - Google OAuth client secret
    • Set redirect URI to <backend>/oauth/google/callback
  • Microsoft
    • see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
    • Only supports either Entra or personal apps, but not combined apps
    • MICROSOFT_CLIENT_ID - Microsoft OAuth client ID
    • MICROSOFT_CLIENT_SECRET - Microsoft OAuth client secret
    • MICROSOFT_CLIENT_TENANT_ID - Microsoft tenant ID, use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
    • Set redirect URI to <backend>/oauth/microsoft/callback
  • OIDC
    • OAUTH_CLIENT_ID - OIDC client ID
    • OAUTH_CLIENT_SECRET - OIDC client secret
    • OPENID_PROVIDER_URL - OIDC well known URL, eg https://accounts.google.com/.well-known/openid-configuration
    • OAUTH_PROVIDER_NAME - Name of the provider to show on the UI, defaults to SSO
    • Set redirect URI to <backend>/oauth/oidc/callback

As email addresses are not generally trusted - authentication is matched against the sub field of the ID token unless OAUTH_MERGE_ACCOUNTS_BY_EMAIL is enabled.

Added

  • OIDC support - Admins can now configure login via Google, Microsoft, or a custom OIDC provider.

Screenshots or Videos

[screenshot] https://github.com/open-webui/open-webui/assets/818368/361c2cdb-9c64-4454-bad2-164b2fcc0f8a
[screenshot] https://github.com/open-webui/open-webui/assets/818368/055117d6-25ec-4b71-b7da-0e4391c6faab

Example deployment: https://jscheah-open-webui.hf.space/
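The sub-first matching rule and the OAUTH_MERGE_ACCOUNTS_BY_EMAIL caveat described in the PR above, as an added example that is not the PR's or Open WebUI's code. It models the described flow against a constructed in-memory user store, assumes the ID token has already been signature- and audience-validated upstream, keys the link on provider plus sub (sub is only unique per issuer), and adds two guards the PR description does not claim to have: an email_verified check before any e-mail merge, and a duplicate-e-mail refusal on signup. Setting names map to the env vars listed above; everything else is assumed.

```python
"""Resolve an OIDC login to a local account: match on provider+sub first, merge by
e-mail only when explicitly enabled and the IdP asserts the address is verified."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: str
    email: str
    oauth_sub: Optional[str] = None  # "<provider>@<sub>" once linked; None for password-only accounts


@dataclass
class OAuthSettings:
    enable_signup: bool = False   # ENABLE_OAUTH_SIGNUP
    merge_by_email: bool = False  # OAUTH_MERGE_ACCOUNTS_BY_EMAIL


class LoginError(Exception):
    """Claims could not be mapped to exactly one local account."""


class UserStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self, users):
        self.users = {u.id: u for u in users}
        self._next = len(users) + 1

    def by_sub(self, sub_key):
        return next((u for u in self.users.values() if u.oauth_sub == sub_key), None)

    def by_email(self, email):
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def by_email_unlinked(self, email):
        # Only accounts never linked to an IdP are merge candidates; a linked one is reached by sub only.
        u = self.by_email(email)
        return u if u is not None and u.oauth_sub is None else None

    def create(self, email, sub_key):
        u = User(id=f"u{self._next}", email=email, oauth_sub=sub_key)
        self._next += 1
        self.users[u.id] = u
        return u


def resolve_user(store, settings, provider, claims):
    """Map an already signature-validated ID-token claim set to a local user."""
    sub = claims.get("sub")
    if not sub:
        raise LoginError("ID token has no sub claim")
    sub_key = f"{provider}@{sub}"  # assumed key shape; sub alone is not globally unique

    user = store.by_sub(sub_key)
    if user is not None:
        return user  # normal path: the stable identifier decides, whatever the e-mail claim says

    email = claims.get("email")
    if settings.merge_by_email and email:
        # Weaker path. Without email_verified, anyone who can register this address at the
        # IdP (or at a second configured IdP) logs in as the existing local user.
        if claims.get("email_verified") is not True:
            raise LoginError("refusing e-mail merge: email_verified is not true")
        user = store.by_email_unlinked(email)
        if user is not None:
            user.oauth_sub = sub_key  # link once; later logins match on sub
            return user

    if settings.enable_signup:
        if not email:
            raise LoginError("cannot create an account without an e-mail claim")
        if store.by_email(email) is not None:
            raise LoginError("e-mail already registered to another account")
        return store.create(email, sub_key)
    raise LoginError("no matching account and signup is disabled")


def attempt(store, settings, provider, claims):
    """Return the resolved User, or the LoginError message as a string."""
    try:
        return resolve_user(store, settings, provider, claims)
    except LoginError as exc:
        return str(exc)


def demo():
    """Walk each path against a constructed store and return the outcomes."""
    store = UserStore([
        User("u1", "alice@example.com"),                          # password-only account
        User("u2", "bob@example.com", oauth_sub="oidc@bob-sub"),  # already linked
    ])
    off, merge, signup = OAuthSettings(), OAuthSettings(merge_by_email=True), OAuthSettings(enable_signup=True)
    alice = {"sub": "alice-sub", "email": "alice@example.com", "email_verified": True}
    return {
        "sub_match": attempt(store, off, "oidc", {"sub": "bob-sub", "email": "other@example.com"}).id,
        "no_merge": attempt(store, off, "oidc", alice),
        "unverified": attempt(store, merge, "oidc", dict(alice, email_verified=False)),
        "merged": attempt(store, merge, "oidc", alice).id,
        "linked_sub": store.users["u1"].oauth_sub,
        "relogin": attempt(store, off, "oidc", {"sub": "alice-sub", "email": "renamed@example.com"}).id,
        "signup": attempt(store, signup, "google", {"sub": "carol-sub", "email": "carol@example.com"}).id,
        "dup_email": attempt(store, signup, "oidc", {"sub": "bob-other", "email": "bob@example.com"}),
    }
```

The "relogin" case is the point of keying on sub: once alice's account is linked, a later token with a changed e-mail still lands on u1, and a token carrying alice's e-mail under a different sub never reaches her account unless the merge flag is on and the IdP vouches for the address.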


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2025-11-11 17:37:13 -06:00
Reference: github-starred/open-webui#7830