mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[GH-ISSUE #15551] issue: OAuth Role Management Ignored: OAUTH_ALLOWED_ROLES and OAUTH_ADMIN_ROLES Not Applied on OIDC Login #88339
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Hani-K on GitHub (Jul 6, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15551
Originally assigned to: @jackthgu on GitHub.
Check Existing Issues
Installation Method
Docker
Open WebUI Version
v0.6.15
Ollama Version (if applicable)
No response
Operating System
Ubuntu 24.04
Browser (if applicable)
No response
Confirmation
README.md.Expected Behavior
Actual Behavior
Steps to Reproduce
Logs & Screenshots
Docker container logs at the time of login:
No warnings or errors about role matching appear in the logs.
My docker-compose.yml:
A preview of the JWT payload sent by authentik:
Additional Information
@guenhter commented on GitHub (Jul 10, 2025):
Could you turn on debug log because then we should see these lines:
@2o1o0 commented on GitHub (Jul 12, 2025):
Hey,
I have a similar issue, I end up in a login cycle when using SSO, here are the logs with debug enable:
I'm deploying it with the helm chart, my login related values :
Rolling back to chart
6.19.0(open-webui:0.6.13) fix the issue.Thanks!
@jackthgu commented on GitHub (Jul 22, 2025):
Hello, @Hani-K
This issue is related to assigning admin privileges in Authentik. There are several ways to grant superuser rights to a user, but I first tested it by assigning the user to a specific group.
In this case, the
OAUTH_ROLES_CLAIMmust be set togroups.With the latest version of Authentik, unless explicitly configured, the incoming payload typically does not include a
rolesfield. So if you're using groups to assign permissions, make sure to update that environment variable accordingly.Here is my env for test
AUTHENTIK_SECRET_KEY=xxx
AUTHENTIK_ERROR_REPORTING__ENABLED=true
ENABLE_OAUTH_SIGNUP=true
OAUTH_CLIENT_ID=xxx
OAUTH_CLIENT_SECRET=xxx
OPENID_PROVIDER_URL=http://localhost:9000/application/o/openwebui/.well-known/openid-configuration
OPENID_REDIRECT_URI=http://localhost:8080/oauth/oidc/callback
OAUTH_SCOPES="openid email profile"
OAUTH_PROVIDER_NAME="Authentik"
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
ENABLE_OAUTH_GROUP_MANAGEMENT="true"
ENABLE_OAUTH_GROUP_CREATION="true"
OAUTH_ROLES_CLAIM="groups"
OAUTH_ADMIN_ROLES="admin"
OAUTH_ALLOWED_ROLES="user,admin"
ENABLE_OAUTH_ROLE_MANAGEMENT="true"
Let me know if you’d prefer to use a different method.
Jack.
@Hani-K commented on GitHub (Jul 25, 2025):
Hey @jackthgu Thanks for the hint, setting roles by using groups definitely works well.
I realized that Authentik doesn't pass OAuth custom parameters which get omitted from the actual JWT token. I opened an issue with authentik and realized that source property mappings only start after establishing the initial connection, so I resulted to using a middleware called dex.
The middleware works too but I wasn't a fan of the increased complexty of the stack.
For others facing this issue, you can either try with a middleware, Open WebUI -> Dex-> Authentik -> Auth.
Or use groups like @jackthgu mentioned.
I simply created 2 groups: OpenWebUI (Admins) and OpenWebUI
and add them to my env: