mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-15 21:19:39 -05:00
[PR #24689] [CLOSED] fix(oauth): use Protected Resource Metadata scopes in static OAuth 2.1 flow #98820
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24689
Author: @JustinJohnWilliams
Created: 5/13/2026
Status: ❌ Closed
Base:
dev← Head:fix/static-oauth-scopes-from-prm📝 Commits (1)
b46d333fix(oauth): use Protected Resource Metadata scopes in static OAuth 2.1 flow📊 Changes
1 file changed (+14 additions, -8 deletions)
View changed files
📝
backend/open_webui/utils/oauth.py(+14 -8)📄 Description
Summary
The static credentials OAuth 2.1 flow (
oauth_2.1_static) currently setsscope=None, relying on the OAuth provider's default scopes. This breaks providers like GitHub that default to minimal/public-only access when no scope is requested — making it impossible to access private resources via MCP tool servers using static OAuth credentials.This PR reads
scopes_supportedfrom the Protected Resource Metadata document (RFC 9728) and uses them in the authorization request.Why this doesn't break Entra ID
The original change (
349ea4ea) correctly identified that requesting all scopes from the Authorization Server Metadata breaks providers like Entra ID. However, the Protected Resource Metadata'sscopes_supportedis semantically different:scopes_supported: Full catalog of every scope the authorization server can grant across all resourcesscopes_supported(RFC 9728 §2): Scopes required by this specific protected resourcePer the MCP spec's Scope Selection Strategy, clients should use
scopes_supportedfrom the Protected Resource Metadata when no explicit scope is provided in theWWW-Authenticatechallenge.Changes
scopes_supportedfield toProtectedResourceMetadatadataclassscopes_supportedfrom the PRM document during discovery (it was already being fetched but the field was discarded)NoneTest plan
/.well-known/oauth-protected-resourcereturns appropriatescopes_supported(repo,read:org, etc.)scope=repo read:org ...and GitHub grants access to private org reposscopes_supported, so behavior falls back toscope=None)Related issues
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.