mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[PR #15142] [MERGED] fix: OAuth authentication failure on second login due to stale session state #94770
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/15142
Author: @Classic298
Created: 6/19/2025
Status: ✅ Merged
Merged: 6/19/2025
Merged by: @tjbck
Base:
dev← Head:fix-oauth📝 Commits (1)
bbdb098Update auths.py📊 Changes
1 file changed (+1 additions, -0 deletions)
View changed files
📝
backend/open_webui/routers/auths.py(+1 -0)📄 Description
Pull Request Checklist
Before submitting, make sure you've checked the following:
devbranch.Changelog Entry
Description
Added
Changed
/signoutendpoint to include deletion of theoui-sessioncookie alongside existing token cleanupFixed
Security
Breaking Changes
Additional Information
Root Cause: The OAuth state token used for CSRF protection is stored in the session (via
authliband Starlette's SessionMiddleware). The session is tracked by theoui-sessioncookie, which was not being deleted during logout. This caused the old OAuth state to persist, leading to state mismatch errors on subsequent login attempts.Impact: This bug affected ALL OAuth providers (Microsoft, Google, GitHub, etc.) and was particularly problematic in production environments.
Testing Performed:
Related Issues:
- Fixes: https://github.com/open-webui/open-webui/issues/15104
Related to: https://github.com/open-webui/open-webui/issues/13509
Relates to: https://github.com/open-webui/open-webui/discussions/15008
Relates to: https://github.com/open-webui/open-webui/discussions/15007
Relates to: https://github.com/open-webui/open-webui/issues/14540
Before fix: OAuth login works first time, fails on second attempt with CSRF error in logs and generic error in UI
After fix: OAuth login works consistently across multiple login/logout cycles
Contributor License Agreement
By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.