diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index 5a9844c067..ec62c8ba01 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -583,14 +583,16 @@ OAUTH_ROLES_CLAIM = PersistentConfig(
 os.environ.get("OAUTH_ROLES_CLAIM", "roles"),
 )
-SEP = os.environ.get("OAUTH_ROLES_SEPARATOR", ",")
+OAUTH_ROLES_SEPARATOR = os.environ.get("OAUTH_ROLES_SEPARATOR", ",")
 OAUTH_ALLOWED_ROLES = PersistentConfig(
 "OAUTH_ALLOWED_ROLES",
 "oauth.allowed_roles",
 [
 role.strip()
- for role in os.environ.get("OAUTH_ALLOWED_ROLES", f"user{SEP}admin").split(SEP)
+ for role in os.environ.get(
+ "OAUTH_ALLOWED_ROLES", f"user{OAUTH_ROLES_SEPARATOR}admin"
+ ).split(OAUTH_ROLES_SEPARATOR)
 if role
 ],
 )
@@ -600,7 +602,9 @@ OAUTH_ADMIN_ROLES = PersistentConfig(
 "oauth.admin_roles",
 [
 role.strip()
- for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(SEP)
+ for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(
+ OAUTH_ROLES_SEPARATOR
+ )
 if role
 ],
 )
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 77a2ebd46e..b5c5944683 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -43,6 +43,7 @@ from open_webui.config import (
 ENABLE_OAUTH_GROUP_CREATION,
 OAUTH_BLOCKED_GROUPS,
 OAUTH_GROUPS_SEPARATOR,
+ OAUTH_ROLES_SEPARATOR,
 OAUTH_ROLES_CLAIM,
 OAUTH_SUB_CLAIM,
 OAUTH_GROUPS_CLAIM,
@@ -1032,7 +1033,13 @@ class OAuthManager:
 if isinstance(claim_data, list):
 oauth_roles = claim_data
- if isinstance(claim_data, str) or isinstance(claim_data, int):
+ elif isinstance(claim_data, str):
+ # Split by the configured separator if present
+ if OAUTH_ROLES_SEPARATOR and OAUTH_ROLES_SEPARATOR in claim_data:
+ oauth_roles = claim_data.split(OAUTH_ROLES_SEPARATOR)
+ else:
+ oauth_roles = [claim_data]
+ elif isinstance(claim_data, int):
 oauth_roles = [str(claim_data)]
 log.debug(f"Oauth Roles claim: {oauth_claim}")
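Review bot: In backend/open_webui/config.py, an empty `OAUTH_ROLES_SEPARATOR` in the environment makes `.split(OAUTH_ROLES_SEPARATOR)` raise `ValueError: empty separator` at import time, both in the `OAUTH_ALLOWED_ROLES` list of the first hunk and in the `OAUTH_ADMIN_ROLES` list of the second. The oauth.py side of this same commit treats an empty separator as "do not split" (`if OAUTH_ROLES_SEPARATOR and ...`), so the two modules disagree on whether empty is a supported value. If it is not meant to be supported, fall back at the definition with `OAUTH_ROLES_SEPARATOR = os.environ.get("OAUTH_ROLES_SEPARATOR", ",") or ","`; if it is, guard the two `.split(...)` calls the way oauth.py does.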
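Review bot: In OAuthManager (backend/open_webui/utils/oauth.py, hunk at -1032), the new string branch keeps whatever `claim_data.split(OAUTH_ROLES_SEPARATOR)` returns, so a claim such as `"user, admin"` yields `" admin"` and a trailing separator yields `""`. config.py builds OAUTH_ALLOWED_ROLES and OAUTH_ADMIN_ROLES with `role.strip()` and drops empty entries, so if the roles are compared by exact match (the comparison is outside this hunk) a padded role silently fails to match and the user gets a lower role than the IdP asserted. Normalise the same way inside the existing `if`: `oauth_roles = [r.strip() for r in claim_data.split(OAUTH_ROLES_SEPARATOR) if r.strip()]`. Because the separator defaults to `,`, a string claim that used to be one role is now split in every deployment, which changes the roles a token maps to and deserves a line in the comment or the docs. The enclosing method starts and ends outside the hunk.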