From 04b337323a79aac6a901c4d3d7b493e8e223a0f2 Mon Sep 17 00:00:00 2001
From: Tobias Genannt
Date: Thu, 27 Nov 2025 03:48:06 +0100
Subject: [PATCH] fix: correct role check on OAuth login (#19476)

When a users role is switched from admin to user in the OAuth provider their groups are not correctly updated when ENABLE_OAUTH_GROUP_MANAGEMENT is enabled.
---
 backend/open_webui/utils/oauth.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index b5c5944683..f8a924e8d0 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -1408,6 +1408,9 @@ class OAuthManager:
 determined_role = self.get_user_role(user, user_data)
 if user.role != determined_role:
 Users.update_user_role_by_id(user.id, determined_role)
+ # Update the user object in memory as well,
+ # to avoid problems with the ENABLE_OAUTH_GROUP_MANAGEMENT check below
+ user.role = determined_role
 # Update profile picture if enabled and different from current
 if auth_manager_config.OAUTH_UPDATE_PICTURE_ON_LOGIN:
 picture_claim = auth_manager_config.OAUTH_PICTURE_CLAIM
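Review bot: The added `user.role = determined_role` runs whether or not `Users.update_user_role_by_id(user.id, determined_role)` persisted the change, because that call's return value is discarded on the context line just above it. If the helper can fail without raising (its body is not visible here), a demotion from admin would look applied for the rest of the login while the stored role stays admin, and nothing would record the mismatch. Consider `updated = Users.update_user_role_by_id(user.id, determined_role)` followed by `if updated: user.role = determined_role`, with a warning log on the failure branch. The enclosing method starts and ends outside the hunk, so the ENABLE_OAUTH_GROUP_MANAGEMENT check the new comment refers to cannot be confirmed from these lines; a regression test covering the admin-to-user demotion path would pin the intended behaviour.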