feat: also consider OAUTH_ROLES_SEPARATOR for string claims themselves (#19514)

2025-12-12 04:15:25 +00:00 · 2025-11-26 23:38:26 +01:00 · 2025-11-26 23:38:26 +01:00 · f2d6a425de
commit f2d6a425de
parent d071cdf7d4
2 changed files with 15 additions and 4 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -583,14 +583,16 @@ OAUTH_ROLES_CLAIM = PersistentConfig(
    os.environ.get("OAUTH_ROLES_CLAIM", "roles"),
 )

-SEP = os.environ.get("OAUTH_ROLES_SEPARATOR", ",")
+OAUTH_ROLES_SEPARATOR = os.environ.get("OAUTH_ROLES_SEPARATOR", ",")

 OAUTH_ALLOWED_ROLES = PersistentConfig(
    "OAUTH_ALLOWED_ROLES",
    "oauth.allowed_roles",
    [
        role.strip()
-        for role in os.environ.get("OAUTH_ALLOWED_ROLES", f"user{SEP}admin").split(SEP)
+        for role in os.environ.get(
+            "OAUTH_ALLOWED_ROLES", f"user{OAUTH_ROLES_SEPARATOR}admin"
+        ).split(OAUTH_ROLES_SEPARATOR)
        if role
    ],
 )
@ -600,7 +602,9 @@ OAUTH_ADMIN_ROLES = PersistentConfig(
    "oauth.admin_roles",
    [
        role.strip()
-        for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(SEP)
+        for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(
+            OAUTH_ROLES_SEPARATOR
+        )
        if role
    ],
 )
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -43,6 +43,7 @@ from open_webui.config import (
    ENABLE_OAUTH_GROUP_CREATION,
    OAUTH_BLOCKED_GROUPS,
    OAUTH_GROUPS_SEPARATOR,
+    OAUTH_ROLES_SEPARATOR,
    OAUTH_ROLES_CLAIM,
    OAUTH_SUB_CLAIM,
    OAUTH_GROUPS_CLAIM,
@ -1032,7 +1033,13 @@ class OAuthManager:

                if isinstance(claim_data, list):
                    oauth_roles = claim_data
-                if isinstance(claim_data, str) or isinstance(claim_data, int):
+                elif isinstance(claim_data, str):
+                    # Split by the configured separator if present
+                    if OAUTH_ROLES_SEPARATOR and OAUTH_ROLES_SEPARATOR in claim_data:
+                        oauth_roles = claim_data.split(OAUTH_ROLES_SEPARATOR)
+                    else:
+                        oauth_roles = [claim_data]
+                elif isinstance(claim_data, int):
                    oauth_roles = [str(claim_data)]

            log.debug(f"Oauth Roles claim: {oauth_claim}")