diff --git a/backend/open_webui/env.py b/backend/open_webui/env.py
index f0b26ae25c..f72d827afc 100644
--- a/backend/open_webui/env.py
+++ b/backend/open_webui/env.py
@@ -465,6 +465,10 @@ ENABLE_COMPRESSION_MIDDLEWARE = (
 os.environ.get("ENABLE_COMPRESSION_MIDDLEWARE", "True").lower() == "true"
 )
+ENABLE_OAUTH_SESSION_TOKENS_COOKIES = (
+ os.environ.get("ENABLE_OAUTH_SESSION_TOKENS_COOKIES", "True").lower() == "true"
+)
+
 ####################################
 # SCIM Configuration
diff --git a/backend/open_webui/routers/auths.py b/backend/open_webui/routers/auths.py
index b8670edeaa..665660a954 100644
--- a/backend/open_webui/routers/auths.py
+++ b/backend/open_webui/routers/auths.py
@@ -28,6 +28,7 @@ from open_webui.env import (
 WEBUI_AUTH_TRUSTED_GROUPS_HEADER,
 WEBUI_AUTH_COOKIE_SAME_SITE,
 WEBUI_AUTH_COOKIE_SECURE,
+ ENABLE_OAUTH_SESSION_TOKENS_COOKIES,
 WEBUI_AUTH_SIGNOUT_REDIRECT_URL,
 ENABLE_INITIAL_ADMIN_SIGNUP,
 SRC_LOG_LEVELS,
@@ -678,6 +679,7 @@ async def signout(request: Request, response: Response):
 response.delete_cookie("oui-session")
 if ENABLE_OAUTH_SIGNUP.value:
+ # TODO: update this to use oauth_session_tokens in User Object
 oauth_id_token = request.cookies.get("oauth_id_token")
 if oauth_id_token and OPENID_PROVIDER_URL.value:
 try:
@@ -687,7 +689,11 @@ async def signout(request: Request, response: Response):
 openid_data = await resp.json()
 logout_url = openid_data.get("end_session_endpoint")
 if logout_url:
- response.delete_cookie("oauth_id_token")
+
+ if ENABLE_OAUTH_SESSION_TOKENS_COOKIES:
+ response.delete_cookie("oauth_id_token")
+ response.delete_cookie("oauth_access_token")
+ response.delete_cookie("oauth_refresh_token")
 return JSONResponse(
 status_code=200,
diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
index 228dd3e30a..33b377ad03 100644
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
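Review bot: `ENABLE_OAUTH_SESSION_TOKENS_COOKIES` is introduced with a default of `"True"` and no comment saying what it controls; within this diff it is read only by `signout` in routers/auths.py, where it gates deleting the `oauth_id_token`, `oauth_access_token` and `oauth_refresh_token` cookies, and it is not consulted by the `set_cookie` calls in utils/oauth.py. A comment above the assignment would save the next reader a grep, e.g. `# Gates clearing of the oauth_id_token / oauth_access_token / oauth_refresh_token cookies on sign-out (routers/auths.py); the cookies themselves are written in utils/oauth.py`. If the name is meant to say the cookies are only issued when the flag is on, the comment should state that instead once oauth.py honours it.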
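Review bot: The three `delete_cookie` calls are reachable only when the provider advertises an `end_session_endpoint` and `ENABLE_OAUTH_SESSION_TOKENS_COOKIES` is true, while utils/oauth.py writes `oauth_access_token` and `oauth_refresh_token` unconditionally, so with the flag off, or with a provider that has no `end_session_endpoint`, a sign-out leaves a refresh token sitting in the browser (before this change `oauth_id_token` was at least always cleared inside this branch). Clear them next to `oui-session`, unconditionally: `for name in ("oauth_id_token", "oauth_access_token", "oauth_refresh_token"): response.delete_cookie(name)` — the flag may decide whether the cookies are issued, but never whether they are removed. Note also that these calls act on the injected `response` while the branch returns a new `JSONResponse`; unless that constructor (its remaining arguments are outside the hunk) forwards `response.headers`, the Set-Cookie headers are lost, because FastAPI merges the parameter response's headers only when a non-Response value is returned. `signout` begins and ends outside this hunk.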
@@ -285,8 +285,14 @@ def get_current_user(
 # Delete the token cookie
 response.delete_cookie("token")
 # Delete OAuth token if present
+
 if request.cookies.get("oauth_id_token"):
 response.delete_cookie("oauth_id_token")
+ if request.cookies.get("oauth_access_token"):
+ response.delete_cookie("oauth_access_token")
+ if request.cookies.get("oauth_refresh_token"):
+ response.delete_cookie("oauth_refresh_token")
+
 raise HTTPException(
 status_code=status.HTTP_401_UNAUTHORIZED,
 detail="User mismatch. Please sign in again.",
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 9dfdad50a1..9763b35463 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -626,6 +626,15 @@ class OAuthManager:
 )
 if ENABLE_OAUTH_SIGNUP.value:
+ oauth_id_token = token.get("id_token")
+ response.set_cookie(
+ key="oauth_id_token",
+ value=oauth_id_token,
+ httponly=True,
+ samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
+ secure=WEBUI_AUTH_COOKIE_SECURE,
+ )
+
 oauth_access_token = token.get("access_token")
 response.set_cookie(
 key="oauth_access_token",
@@ -635,12 +644,13 @@ class OAuthManager:
 secure=WEBUI_AUTH_COOKIE_SECURE,
 )
- oauth_id_token = token.get("id_token")
+ oauth_refresh_token = token.get("refresh_token")
 response.set_cookie(
- key="oauth_id_token",
- value=oauth_id_token,
+ key="oauth_refresh_token",
+ value=oauth_refresh_token,
 httponly=True,
 samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
 secure=WEBUI_AUTH_COOKIE_SECURE,
 )
+
 return response
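Review bot: The new `delete_cookie` calls for `oauth_access_token` and `oauth_refresh_token` are issued on the injected `response` right before `raise HTTPException(...)`, and as far as I can tell FastAPI builds the 401 in its exception handler without copying headers from that object, so none of these Set-Cookie headers (the pre-existing `token` and `oauth_id_token` ones included) reach the client; worth confirming with a request that hits the user-mismatch branch, and if so the clearing belongs in the caller or an exception handler. If they do reach the client, the `if request.cookies.get(...)` guards still add nothing, since `delete_cookie` on an absent cookie only emits a harmless expired Set-Cookie, and a loop reads better: `for name in ("oauth_id_token", "oauth_access_token", "oauth_refresh_token"): response.delete_cookie(name)`. `get_current_user` starts and ends outside this hunk.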
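Review bot: `token.get("refresh_token")` is `None` for any provider that does not issue refresh tokens (typically unless an offline-access scope was requested), and Starlette's `set_cookie` hands the value to `SimpleCookie`, which stringifies it, so the client would receive a literal `oauth_refresh_token=None` cookie; the same holds for `oauth_id_token` with a plain OAuth2 (non-OIDC) provider. Guard the call with `if oauth_refresh_token:` before `response.set_cookie(...)`. Beyond that, a refresh token is a long-lived credential, and this writes it into a session cookie that rides on every request with no `max_age`, irrespective of `ENABLE_OAUTH_SESSION_TOKENS_COOKIES`, which this diff only consults in `signout`; if that flag is meant to control whether these cookies exist at all, import it here and make the guard `if ENABLE_OAUTH_SESSION_TOKENS_COOKIES and oauth_refresh_token:`. The enclosing `OAuthManager` method starts outside this hunk.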