mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[GH-ISSUE #20808] issue: mcp oauth 2.1 callback always ends in 401 not authenticated #90033
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @bk-lg on GitHub (Jan 20, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20808
Check Existing Issues
Installation Method
Docker
Open WebUI Version
0.7.2
Ollama Version (if applicable)
Operating System
Ubuntu 24.04
Browser (if applicable)
Microsoft Edge 44.0.3719.82
Confirmation
README.md.Expected Behavior
When I configure an MCP Server as Admin with Oauth 2.1 the user can enable the Tool, Login and get's returned to the application without errors and can start to use the mcp component.
Actual Behavior
Tested with:
When I enable the tool I get redirected to the corresponding Service(Miro, Atlassian) and authorize the access. Then I get a typical callback and openwebui displays in the Browser the json formatted message detail: "Not authenticated".
The callback urls looks like this: https://llm.example.com/oauth/clients/mcp:miro/callback?code=SomeRedactedCode&state=SomeRedactedState
The return code from the request is 401.
The docker logs schows only the info message with the request and the return code.
After some time the second log message that no oauth session was found gets logged.
Steps to Reproduce
Logs & Screenshots
Additional Information
We use OIDC based logins with role management via microsoft entra id for our users.
The behaviour is the same for normal users and admins.
If you need additional information for specific configuration settings of our installation, feel free to reach out.
I attached a redacted version of our env settings for the docker container.
openwebui_env.txt
@owui-terminator[bot] commented on GitHub (Jan 20, 2026):
🔍 Similar Issues Found
I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:
#19823 Issue: MCP with OAuth 2.1 Authorization/Token retrival is broken in v0.6.41
by mllab-nl • Dec 08, 2025 •
bug#19116 issue: MCP OAuth 2.1 client registration fails when policy_uri, client_uri, logo_uri or tos_uri are not set
by xqqp • Nov 11, 2025 •
bug#19148 issue: Verify OAuth mcp server sends incorrect authorization header
by Oleg52 • Nov 12, 2025 •
bug#18010 issue: MCP OAuth 2.1 flow doesn't match standard (missing code_challenge and resource_url)
by hsuyuming • Oct 02, 2025 •
bug#20629 issue: MCP server response fails
by thrasher • Jan 12, 2026 •
bugShow 3 more related issues
#20291 issue: MCP Atlassian OAuth token refresh fails with "Constructor parameter should be str" in v0.6.43
by rolandscho • Dec 31, 2025 •
bug#19792 issue: OAuth Login redirects to https://openwebui.domain.org/oauth/oidc/openwebui.domain.org after succesful login
by StNiosem • Dec 06, 2025 •
bug#19813 issue: Failed to connect to MCP server, while the connection test works fine
by spi-dlp • Dec 08, 2025 •
bug💡 Tips:
This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.
@bk-lg commented on GitHub (Jan 20, 2026):
For context: I rechecked all the linked issues the bot posted and as far as I can understand with my system engineers view none of these describes my observed behaviour.
@Lemmons commented on GitHub (Jan 21, 2026):
FYI - I filed a bug report for the Verify Connection issue yesterday
@tjbck commented on GitHub (Jan 21, 2026):
@Lemmons should be addressed in dev, testing wanted here!