Commit graph

131 commits

Author SHA1 Message Date
jamie-dit
c21c2d2d10
Merge b766a23e36 into 68219d84a9 2025-12-11 12:24:14 +11:00
jamie
b766a23e36
fix: MCP OAuth discovery via Protected Resource metadata flow
When an MCP server's OAuth authorization server is on a different domain
(e.g., Todoist MCP at ai.todoist.net with OAuth at todoist.com), the
current implementation fails because it only looks for OAuth metadata at
the MCP server's domain.

This commit implements the full MCP Protected Resource discovery flow as
specified in the MCP authorization spec:

1. Make an unauthenticated request to the MCP endpoint
2. Parse the WWW-Authenticate header to get the resource_metadata URL
3. Fetch the Protected Resource metadata
4. Extract the authorization_servers array
5. Use those servers for OAuth metadata discovery

The fix is backwards-compatible - if Protected Resource discovery fails,
it falls back to the existing behavior.

Fixes #19794
2025-12-07 12:53:22 +11:00
bitsofinfo
492c8bac09
feat: new OAUTH_AUDIENCE config (#19768)
* feat: new config AUTH0_AUDIENCE

* feat: OAUTH_AUDIENCE config
2025-12-06 10:45:34 -05:00
Classic298
a49e1d87ad
fix: Default Group ID assignment on SSO/OAUTH and LDAP (#19685)
* fix (#99)

Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>

* Update auths.py

* unified logic

* PUSH

* remove getattr

* rem getattr

* whitespace

* Update oauth.py

* trusted header group sync

Added default group re-application after trusted header group sync

* not apply after syncs

* .

* rem

---------

Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-02 16:48:00 -05:00
Timothy Jaeryang Baek
c1d760692f refac: db group 2025-11-28 22:48:58 -05:00
Timothy Jaeryang Baek
0a4358c3d1 refac: oauth_sub -> oauth migration 2025-11-28 06:39:36 -05:00
Tobias Genannt
04b337323a
fix: correct role check on OAuth login (#19476)
When a user's role is switched from admin to user in the OAuth provider
their groups are not correctly updated when ENABLE_OAUTH_GROUP_MANAGEMENT
is enabled.
2025-11-26 21:48:06 -05:00
gerhardj-b
f2d6a425de
feat: also consider OAUTH_ROLES_SEPARATOR for string claims themselves (#19514) 2025-11-26 17:38:26 -05:00
Timothy Jaeryang Baek
0f8729dea2 refac
2025-11-24 06:42:12 -05:00
Timothy Jaeryang Baek
286a5ad0db refac/fix: oauth 2025-11-24 06:03:19 -05:00
gerhardj-b
66c5b7380d
feat: allow flat claims instead of nested claims as alternative (#19286)
2025-11-19 19:58:53 -05:00
Timothy Jaeryang Baek
0c47cbd16a refac/enh: mcp oauth auth method support 2025-11-19 02:26:42 -05:00
Tim Baek
34684e7e58
feat/refac: group members db table (#19239)
* refac: group members table db migration

* refac: group members backend

* refac: group members frontend

* refac: group members frontend integration

* refac: styling
2025-11-18 03:59:56 -05:00
logan-hcg
0ed174f6a1
Update MCP Oauth server metadata discovery order (#19244) 2025-11-17 18:24:43 -05:00
Timothy Jaeryang Baek
bc576782d7 refac: group members backend 2025-11-17 05:09:06 -05:00
Timothy Jaeryang Baek
c43f95f4b8 refac: pass token_endpoint_auth_method 2025-11-13 15:34:45 -05:00
Timothy Jaeryang Baek
6d9a562edd refac: oauth pass client auth params 2025-11-13 15:30:22 -05:00
xqqp
3207998114
Fix: Handle empty strings in OAuth registration response (#19144)
- The mcp package requires optional unset values to be None. If an empty string is passed, it gets validated and fails.
- Replace all empty strings with None.
2025-11-12 22:57:53 -05:00
Adam M. Smith
96b98cd13c feat: add OAUTH_GROUPS_SEPARATOR for configurable group parsing 2025-11-06 21:01:51 +00:00
Timothy Jaeryang Baek
bafeb76c41 refac/fix: trusted env for proxy
2025-11-04 12:21:18 -05:00
Timothy Jaeryang Baek
cbcab062eb refac 2025-10-27 16:46:04 -07:00
Timothy Jaeryang Baek
c8b2313362 refac 2025-10-27 15:38:59 -07:00
Timothy Jaeryang Baek
92aafd6c06 refac 2025-10-27 15:31:25 -07:00
Taylor Wilsdon
4b74034967 black fmt 2025-10-19 16:58:09 -04:00
Taylor Wilsdon
ecbf74dbea Added a preflight authorize check that automatically re-registers MCP OAuth clients when the stored client ID no longer exists on the server, so the browser flow never hits the stale-ID failure 2025-10-18 16:53:44 -04:00
Taylor Wilsdon
d49fb9c010 complete cleanup of oauth clients 2025-10-18 14:16:10 -04:00
Taylor Wilsdon
40c450e6e5 Add more granular information to oauth failure messages 2025-10-18 13:43:51 -04:00
Timothy Jaeryang Baek
dbbdad3ebd refac 2025-10-07 16:13:20 -05:00
Timothy Jaeryang Baek
911a114ad4 refac/fix: mcp oauth2.1 2025-10-07 14:56:10 -05:00
Timothy Jaeryang Baek
eaf786c1ef enh: ENABLE_OAUTH_EMAIL_FALLBACK 2025-10-05 15:11:56 -05:00
Timothy Jaeryang Baek
062264c7f6 refac/fix: oauth 2025-10-05 14:22:00 -05:00
Timothy Jaeryang Baek
0330dc3159 refac 2025-10-01 15:35:37 -05:00
Timothy Jaeryang Baek
e493562735 fix: oauth client registration 2025-10-01 15:15:24 -05:00
Timothy Jaeryang Baek
0431ad9cc4 refac: get_discovery_urls 2025-09-26 14:34:26 -05:00
Timothy Jaeryang Baek
3c7d01163d refac 2025-09-25 11:02:49 -05:00
Timothy Jaeryang Baek
cd7bd0aa20 refac 2025-09-25 02:00:02 -05:00
Timothy Jaeryang Baek
77e971dd9f feat: oauth2.1 mcp integration 2025-09-25 01:49:16 -05:00
Timothy Jaeryang Baek
972be4eda5 enh: oauth2.1 dynamic client registration 2025-09-25 00:28:13 -05:00
Timothy Jaeryang Baek
c5a967e05f refac 2025-09-24 06:56:50 -05:00
Timothy Jaeryang Baek
651f385ba5 fix: oauth refresh server metadata 2025-09-24 06:56:24 -05:00
Timothy Jaeryang Baek
e4c4ba0979 fix: oauth token 2025-09-19 00:10:48 -05:00
Timothy Jaeryang Baek
034163e9f9 chore: format 2025-09-16 11:16:08 -05:00
Xie Yanbo
ee82439e67 feat: add Feishu OAuth integration
Implement Feishu OAuth provider using standard client:
- Set up Feishu-specific endpoints for authorization, token, and userinfo
- Use user_id as sub claim for Feishu user identification
- Extract correct user information from nested 'data' field in Feishu responses

Configuration requirements:
- Set FEISHU_CLIENT_ID and FEISHU_CLIENT_SECRET environment variables to enable Feishu OAuth
- Set ENABLE_OAUTH_SIGNUP=true to allow automatic user creation after OAuth login
- Set DEFAULT_USER_ROLE=user to grant immediate access after OAuth registration
- Set OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true to enable merging of existing user accounts with matching emails
2025-09-12 14:09:32 +08:00
Timothy Jaeryang Baek
b786d1e3f3 refac 2025-09-08 18:52:59 +04:00
Timothy Jaeryang Baek
fc11e4384f refac 2025-09-08 18:17:11 +04:00
Timothy Jaeryang Baek
217f4daef0 feat: server-side OAuth token management system
Co-Authored-By: Classic298 <27028174+Classic298@users.noreply.github.com>
2025-09-08 18:05:43 +04:00
Timothy Jaeryang Baek
6d38ac41b6 refac 2025-09-08 14:36:00 +04:00
Timothy Jaeryang Baek
91755309ce refac 2025-09-08 14:18:25 +04:00
Timothy Jaeryang Baek
3d6d050ad8 refac/enh: display oauth error as toast 2025-09-07 01:48:52 +04:00
Timothy Jaeryang Baek
df66e21472 enh: regex pattern support for groups 2025-09-03 18:50:02 +04:00