mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[GH-ISSUE #15104] issue: OAuth mismatching_state CSRF Error on Second Login Attempt Due to Incomplete Session Logout #88209
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Classic298 on GitHub (Jun 18, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15104
Originally assigned to: @jackthgu on GitHub.
Check Existing Issues
Installation Method
Pip Install
Open WebUI Version
0.6.15
Ollama Version (if applicable)
No response
Operating System
Debian 12
Browser (if applicable)
Edge
Confirmation
README.md.Expected Behavior
After the second login attempt (starting from Step 11), the user should be successfully and seamlessly logged back into the Open WebUI dashboard. The application should re-establish the user's session without any errors, just as it did during the first login.
Actual Behavior
The second login attempt consistently fails.
In the Browser: Immediately after the redirect from Microsoft in Step 12, the user is kicked back to the Open WebUI login page (/auth). The UI does not show any user-friendly error message, but an inspection of the network tab in the developer tools reveals that the callback failed. The user is effectively stuck in a loop where they cannot log in again.
In the Backend Logs: The Open WebUI container logs show a clear and specific error message, confirming the root cause of the failure
ERROR | open_webui.routers.auths:[...]:[...] - OAuth callback error: mismatching_state: CSRF Warning! State not equal in request and response. - {}
The Browser on the other hand shows a dubious error message that makes no sense, and in a json format too:
{"detail":"The email or password provided is incorrect. Please check for typos and try logging in again."}
Steps to Reproduce
My setup is configured to use Microsoft Entra ID as the sole authentication provider. The key environment variables are set as follows to enforce this and handle the session correctly in a scaled environment:
Authentication & OAuth Configuration:
ENABLE_OAUTH_SIGNUP=true (Enables OAuth login)
ENABLE_LOGIN_FORM=false (Disables the traditional email/password form)
ENABLE_SIGNUP=false (Disables traditional user registration)
MICROSOFT_CLIENT_ID=""
MICROSOFT_CLIENT_SECRET=""
MICROSOFT_CLIENT_TENANT_ID=""
OAUTH_SCOPES="openid email profile"
Logout & Redirect Configuration:
WEBUI_URL has been set in admin panel
OPENID_PROVIDER_URL="https://login.microsoftonline.com/{your-microsoft-tenant-id}/.well-known/openid-configuration" (For discovering OIDC endpoints)
WEBUI_AUTH_SIGNOUT_REDIRECT_URL="https://login.microsoftonline.com/{your-microsoft-tenant-id}/oauth2/v2.0/logout" (To initiate the logout at Microsoft)
Session, Security & Scaling Configuration:
WEBUI_SECRET_KEY=""
WEBUI_SESSION_COOKIE_SAME_SITE=lax
WEBUI_AUTH_COOKIE_SAME_SITE=lax
REDIS_URL="redis://"
ENABLE_WEBSOCKET_SUPPORT=true
WEBSOCKET_MANAGER=redis
UVICORN_WORKERS=2 (Running in a multi-worker setup)
Note: The issue has been reproduced and confirmed even when testing with UVICORN_WORKERS=1 and with WEBUI_SESSION_COOKIE_SECURE=False to rule out race conditions or reverse-proxy/SSL termination issues.
Logs & Screenshots
As above
Additional Information
OAuth Provider: Microsoft Entra ID (Azure)
Setup: Multi-worker (UVICORN_WORKERS > 1) behind a reverse proxy, using Redis for session/websocket management.
@Classic298 commented on GitHub (Jun 18, 2025):
Related to:
https://github.com/open-webui/open-webui/issues/13509
@Classic298 commented on GitHub (Jun 18, 2025):
Assumption: logout is faulty, logout is not actually fully completed. Why this assumption? Because:
Workaround: once error is shown in browser and console:
Delete cache
Delete local storage in developer console
Delete cookies
Then go back to login page and try to log in again
Now it will work
@Classic298 commented on GitHub (Jun 19, 2025):
The merged PR fixes this exact issue, and perhaps some other related issues where users experienced similar problems.
I will close this issue now.
Thanks everyone.