From 35504e84865cc44f998f1e4ba6c7d2152387af50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Attila=20Ol=C3=A1h?= Date: Fri, 24 Oct 2025 08:42:28 +0200 Subject: [PATCH] feat: add OAUTH_ROLES_SEPARATOR env var This allows changing the separator for the `OAUTH_ALLOWED_ROLES` and `OAUTH_ADMIN_ROLES` env vars, from the default comma (,) to something that is not present in the role name. The intended audience is folks with LDAP-syntax groups/roles, e.g. `cn=webui_admin,ou=it_department,o=my_org` instead of just `webui_admin`. --- backend/open_webui/config.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py index f7926abe85..466adc4f1b 100644 --- a/backend/open_webui/config.py +++ b/backend/open_webui/config.py @@ -576,19 +576,21 @@ OAUTH_ROLES_CLAIM = PersistentConfig( os.environ.get("OAUTH_ROLES_CLAIM", "roles"), ) +SEP = os.environ.get("OAUTH_ROLES_SEPARATOR", ",") + OAUTH_ALLOWED_ROLES = PersistentConfig( "OAUTH_ALLOWED_ROLES", "oauth.allowed_roles", [ role.strip() - for role in os.environ.get("OAUTH_ALLOWED_ROLES", "user,admin").split(",") + for role in os.environ.get("OAUTH_ALLOWED_ROLES", f"user{SEP}admin").split(SEP) ], ) OAUTH_ADMIN_ROLES = PersistentConfig( "OAUTH_ADMIN_ROLES", "oauth.admin_roles", - [role.strip() for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(",")], + [role.strip() for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(SEP)], ) OAUTH_ALLOWED_DOMAINS = PersistentConfig(