mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
[GH-ISSUE #24730] issue: OAuth scopes are missing within authorize_url when using MCP with OAuth2.1 (Static) #91127
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @abehsu-mu on GitHub (May 14, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24730
Check Existing Issues
Installation Method
Docker
Open WebUI Version
v0.9.5 (latest)
Ollama Version (if applicable)
no
Operating System
MacOS Sequoia & Linux
Browser (if applicable)
Chrome Version 148.0.7778.97
Confirmation
README.md.Expected Behavior
Openwebui should be able to retrieve scopes from
.well-known/oauth-protected-resourceand include those scopes when generating theauthorizeendpoint.Actual Behavior
When openwebui try to generate authorization url, it missing scopes because of this line [1]
Generate URL:
[1] https://github.com/open-webui/open-webui/blob/main/backend/open_webui/utils/oauth.py#L567
Steps to Reproduce
https://agent365.svc.cloud.microsoft/agents/tenants/<tenant>/servers/mcp_TeamsServer-> select OAuth 2.1 (Static) -> Provide client_id & client_secretLogs & Screenshots
Additional Information
Microsoft WorkIQ MCP server doesn't support dynamic client registry.
This is the example of WorkIQ Team MCP server
.well-known/oauth-protected-resourceendpointendpoint:
Response:
Change suggestion
@owui-terminator[bot] commented on GitHub (May 14, 2026):
🔍 Related Issues Found
I found some existing issues that might be related. Please check if any of these are duplicates or contain helpful solutions:
🟣 #23668 Bug: admin-configured scopes overridden by discovered scopes_supported in static-credential OAuth flow
This is directly related: it discusses static OAuth flows in
get_oauth_client_info_with_static_credentialsand how discoveredscopes_supportedare used to populate the authorization request. Your issue is the same area, but with the missing-scope problem arising from not readingscopes_supportedfrom protected resource metadata.by dhruvalgupta2003
🟣 #19794 MCP OAuth 2.1: Not following WWW-Authenticate → Protected Resource → Authorization Server discovery chain
This is closely related because it covers the MCP OAuth discovery chain from
WWW-Authenticateto Protected Resource Metadata to Authorization Server Metadata. Your issue builds on that same chain, specifically the protected-resource document'sscopes_supportedfield used for building the authorize URL.by jamie-dit ·
bug🟣 #21183 Regression: MCP OAuth 2.1 discovery fails when authorization_servers URL path doesn't match well-known endpoint location
This is related to the same MCP OAuth discovery logic around
authorization_serversand well-known metadata lookup. While it focuses on discovery URL path handling rather than scopes, it affects the same static OAuth setup flow and is adjacent to the bug you reported.by ashavolian ·
bug💡 If your issue is a duplicate, please close it and add any additional details to the existing issue instead.
This comment was generated automatically. React with 👍 if helpful, 👎 if not.
@abehsu-mu commented on GitHub (May 14, 2026):
Hi @owui-terminator:
I reviewed the tickets you shared, but neither of them resolved my issue.