From f2d6a425de47127f2bd0487a9c982783c3b4c9f2 Mon Sep 17 00:00:00 2001
From: gerhardj-b <110168424+gerhardj-b@users.noreply.github.com>
Date: Wed, 26 Nov 2025 23:38:26 +0100
Subject: [PATCH] feat: also consider OAUTH_ROLES_SEPARATOR for string claims themselves (#19514)
---
 backend/open_webui/config.py | 10 +++++++---
 backend/open_webui/utils/oauth.py | 9 ++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index 5a9844c067..ec62c8ba01 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -583,14 +583,16 @@ OAUTH_ROLES_CLAIM = PersistentConfig(
 os.environ.get("OAUTH_ROLES_CLAIM", "roles"),
 )
-SEP = os.environ.get("OAUTH_ROLES_SEPARATOR", ",")
+OAUTH_ROLES_SEPARATOR = os.environ.get("OAUTH_ROLES_SEPARATOR", ",")
 OAUTH_ALLOWED_ROLES = PersistentConfig(
 "OAUTH_ALLOWED_ROLES",
 "oauth.allowed_roles",
 [
 role.strip()
- for role in os.environ.get("OAUTH_ALLOWED_ROLES", f"user{SEP}admin").split(SEP)
+ for role in os.environ.get(
+ "OAUTH_ALLOWED_ROLES", f"user{OAUTH_ROLES_SEPARATOR}admin"
+ ).split(OAUTH_ROLES_SEPARATOR)
 if role
 ],
 )
@@ -600,7 +602,9 @@ OAUTH_ADMIN_ROLES = PersistentConfig(
 "oauth.admin_roles",
 [
 role.strip()
- for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(SEP)
+ for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(
+ OAUTH_ROLES_SEPARATOR
+ )
 if role
 ],
 )
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 77a2ebd46e..b5c5944683 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -43,6 +43,7 @@ from open_webui.config import (
 ENABLE_OAUTH_GROUP_CREATION,
 OAUTH_BLOCKED_GROUPS,
 OAUTH_GROUPS_SEPARATOR,
+ OAUTH_ROLES_SEPARATOR,
 OAUTH_ROLES_CLAIM,
 OAUTH_SUB_CLAIM,
 OAUTH_GROUPS_CLAIM,
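Review bot: In backend/open_webui/config.py, `OAUTH_ROLES_SEPARATOR` is taken verbatim from the environment, so an empty value reaches `.split(OAUTH_ROLES_SEPARATOR)` in both the `OAUTH_ALLOWED_ROLES` and the `OAUTH_ADMIN_ROLES` hunk, where `str.split("")` raises `ValueError` while the module is being imported. The oauth.py hunk of this same commit already guards the empty case, so the config side should agree with it, e.g. `OAUTH_ROLES_SEPARATOR = os.environ.get("OAUTH_ROLES_SEPARATOR") or ","`. Both comprehensions also test `if role` before stripping, so a whitespace-only entry is kept and becomes an empty string in the allowed/admin lists; `if role.strip()` would drop it.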
@@ -1032,7 +1033,13 @@ class OAuthManager:
 if isinstance(claim_data, list):
 oauth_roles = claim_data
- if isinstance(claim_data, str) or isinstance(claim_data, int):
+ elif isinstance(claim_data, str):
+ # Split by the configured separator if present
+ if OAUTH_ROLES_SEPARATOR and OAUTH_ROLES_SEPARATOR in claim_data:
+ oauth_roles = claim_data.split(OAUTH_ROLES_SEPARATOR)
+ else:
+ oauth_roles = [claim_data]
+ elif isinstance(claim_data, int):
 oauth_roles = [str(claim_data)]
 log.debug(f"Oauth Roles claim: {oauth_claim}")
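Review bot: The pieces returned by `claim_data.split(OAUTH_ROLES_SEPARATOR)` are neither stripped nor filtered, whereas config.py strips the configured allowed and admin role names, so a claim written as, for example, `user, admin` yields ` admin` with a leading space, and a trailing separator yields an empty role. Since this list presumably feeds the role comparison further down (outside the hunk), it should be normalised the same way: `oauth_roles = [r.strip() for r in claim_data.split(OAUTH_ROLES_SEPARATOR) if r.strip()]`. With the default `,` separator, a single string value that contains a comma is now read as several roles where it used to be one; that behaviour change deserves a line in the release notes for deployments whose identity provider emits such values. The enclosing method starts and ends outside the hunk.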