[PR #18572] [MERGED] feat: OAUTH_ROLES_SEPARATOR env var #95873

New Issue

GiteaMirror · 2026-05-15T22:04:28-05:00

GiteaMirror commented

2026-05-15 22:04:28 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/18572
Author: @attilaolah
Created: 10/24/2025
Status: ✅ Merged
Merged: 10/26/2025
Merged by: @tjbck

Base: dev ← Head: issue-18542

📝 Commits (2)

35504e8 feat: add OAUTH_ROLES_SEPARATOR env var
c165a6b fix: exclude empty roles

📊 Changes

1 file changed (+5 additions, -2 deletions)

View changed files

📝 backend/open_webui/config.py (+5 -2)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

Target branch: Verify that the pull request targets the dev branch. Not targeting the dev branch may lead to immediate closure of the PR.
Description: Provide a concise description of the changes made in this pull request.
Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
Documentation: If necessary, update relevant documentation Open WebUI Docs like environment variables, the tutorials, or other documentation sources.
Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description.
Agentic AI Code:: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review and manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
- BREAKING CHANGE: Significant changes that may affect compatibility
- build: Changes that affect the build system or external dependencies
- ci: Changes to our continuous integration processes or workflows
- chore: Refactor, cleanup, or other non-functional code changes
- docs: Documentation update or addition
- feat: Introduces a new feature or enhancement to the codebase
- fix: Bug fix or error correction
- i18n: Internationalization or localization changes
- perf: Performance improvement
- refactor: Code restructuring for better maintainability, readability, or scalability
- style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
- test: Adding missing tests or correcting existing tests
- WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Add OAUTH_ROLES_SEPARATOR env var to support roles with commas

Description

Add the OAUTH_ROLES_SEPARATOR env var (not a stored setting), a helper for specifying roles in the edge-case where the roles contain commas. The easiest solution is to set this to something like ; or just a whitespace ( ). The target audience is roles specified in LDAP syntax, e.g. cn=rolename,ou=unit,o=org.

This should be fully backwards compatible, with one exception: empty roles are now filtered out, so if someone specified e.g. admin, or admin,,user the empty one will now be filtered out. I don't expect this to break anyone's setup.

Added

OAUTH_ROLES_SEPARATOR option (env var only).

Changed

Empty roles now filtered out, even for the existing case of using the default comma-separator.

Deprecated

No change.

Removed

Nothing.

Fixed

Fixes #18542.

Security

No change.

Breaking Changes

No change.

Additional Information

I'm happy to revert the second commit if we want to make this 100% backwards-compatible, although I don't expect it to brake anyone's setup.

Screenshots or Videos

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/18572 **Author:** [@attilaolah](https://github.com/attilaolah) **Created:** 10/24/2025 **Status:** ✅ Merged **Merged:** 10/26/2025 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `issue-18542` --- ### 📝 Commits (2) - [`35504e8`](https://github.com/open-webui/open-webui/commit/35504e84865cc44f998f1e4ba6c7d2152387af50) feat: add OAUTH_ROLES_SEPARATOR env var - [`c165a6b`](https://github.com/open-webui/open-webui/commit/c165a6b6c2423c280d7c2e3a8b37cbc861920a01) fix: exclude empty roles ### 📊 Changes **1 file changed** (+5 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+5 -2) </details> ### 📄 Description # Pull Request Checklist ### Note to first-time contributors: Please open a discussion post in [Discussions](https://github.com/open-webui/open-webui/discussions) and describe your changes before submitting a pull request. **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Verify that the pull request targets the `dev` branch. Not targeting the `dev` branch may lead to immediate closure of the PR. - [x] **Description:** Provide a concise description of the changes made in this pull request. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [x] **Documentation:** If necessary, update relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs) like environment variables, the tutorials, or other documentation sources. - [x] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [ ] **Testing:** Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description. - [x] **Agentic AI Code:**: Confirm this Pull Request is **not written by any AI Agent** or has at least gone through additional human review **and** manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR. - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Title Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **BREAKING CHANGE**: Significant changes that may affect compatibility - **build**: Changes that affect the build system or external dependencies - **ci**: Changes to our continuous integration processes or workflows - **chore**: Refactor, cleanup, or other non-functional code changes - **docs**: Documentation update or addition - **feat**: Introduces a new feature or enhancement to the codebase - **fix**: Bug fix or error correction - **i18n**: Internationalization or localization changes - **perf**: Performance improvement - **refactor**: Code restructuring for better maintainability, readability, or scalability - **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.) - **test**: Adding missing tests or correcting existing tests - **WIP**: Work in progress, a temporary label for incomplete or ongoing work # Changelog Entry Add OAUTH_ROLES_SEPARATOR env var to support roles with commas ### Description Add the `OAUTH_ROLES_SEPARATOR` env var (not a stored setting), a helper for specifying roles in the edge-case where the roles contain commas. The easiest solution is to set this to something like `;` or just a whitespace (` `). The target audience is roles specified in LDAP syntax, e.g. `cn=rolename,ou=unit,o=org`. This should be fully backwards compatible, with one exception: empty roles are now filtered out, so if someone specified e.g. `admin,` or `admin,,user` the empty one will now be filtered out. I don't expect this to break anyone's setup. ### Added - `OAUTH_ROLES_SEPARATOR` option (env var only). ### Changed - Empty roles now filtered out, even for the existing case of using the default comma-separator. ### Deprecated - No change. ### Removed - Nothing. ### Fixed - Fixes #18542. ### Security - No change. ### Breaking Changes - No change. --- ### Additional Information I'm happy to revert the second commit if we want to make this 100% backwards-compatible, although I don't expect it to brake anyone's setup. ### Screenshots or Videos ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-05-15 22:04:28 -05:00

GiteaMirror closed this issue

2026-05-15 22:04:32 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#95873