๐ Troubleshooting OAUTH / SSO Issues
OAUTH or Single Sign-On (SSO) lets you secure Open WebUI with modern authentication, but when users encounter login problems, the solution is often simpleโif you know where to look. Most of the time, one of these key issues below is the culprit. Hereโs how to hunt them down and fix SSO headaches fast! ๐ฆ
Common OAUTH/SSO Issues and How to Fix Them ๐ ๏ธโ
1. WebUI URL Not Configured in Admin Panel ๐ช๐โ
Most OAUTH flows require the applicationโs external URL (โredirect URIโ) so the provider knows where to send users after login. If this is missing, OAUTH wonโt be able to complete!
โ Solution:
- Navigate to: Admin Settings > General
- Ensure your WebUI URL field is filled in and points to your deployed instance (e.g.,
https://yourwebui.yourdomain.com) ๐ Tip: Check for typos! OAUTH is strictโURLs must match exactly, includinghttps://.
2. Incorrect Environment Variable Configuration ๐๐ซโ
This is by far the most common cause of OAUTH breakage. If you misspell, omit, or set the wrong environment variable (especially for OIDC/OAUTH config), authentication canโt work.
โ Solutions:
- Double-check your deployment environment:
- Ensure all required environment variables are set (see docs for names like
OIDC_CONFIG,OAUTH_CLIENT_ID, etc.) - If self-hosting, confirm these variables are present in your Docker Compose, Kubernetes manifest, or
.envfile.
- Ensure all required environment variables are set (see docs for names like
- Restart your backend/app after changing variables so the new values are loaded.
๐ Tip: Most OAUTH errors (loops, 401s, unresponsiveness) are due to an environment variable incorrectly set or missing entirely!
3. OAUTH Misconfiguration on the Provider Side ๐ข๐โ
Sometimes the issue is with the identity provider (e.g., Google, Okta, Auth0, Azure AD) not aligning with your WebUIโs setup.
โ Solutions:
- Verify your application is correctly registered with the OAUTH provider. Confirm:
- Redirect URIs exactly match your deployed WebUI address
- Client ID and secret match the values given in your environment settings
- Scopes and allowed grant types (e.g.,
authorization_code) are set as required by Open WebUI
- Check the providerโs logsโmisconfigured apps will often show clear error messages there.
๐ Tip: When in doubt, recheck your provider registration and regenerate client secrets if needed.
4. Server-Side Caching (A Hidden Trouble Spot!) ๐ง๐ฆโ
A new and tricky problem: If you use NGINX (or another reverse proxy) with server-side caching, OAUTH endpoints can misbehave. The result isnโt always a total failureโoften, users experience random or โweirdโ login bugs that are almost impossible to debug.
โ Solutions:
- In your NGINX (or proxy) configuration:
- Make sure to exclude the following endpoints from server-side caching:
/api,/oauth,/callback,/login,/ws,/websocket
- Any critical login/auth endpoint must remain uncached!
- Make sure to exclude the following endpoints from server-side caching:
- Reload the proxy config after making changes.
๐ Warning: Never cache OAUTH or login endpoints! Caching can โpoisonโ the session or deliver stale tokens, causing bizarre auth errors.
๐งช Pro Tip: Always Check the Logsโ
- Look at backend logs and browser network errors. The first error usually points to the misconfiguration (redirect URI mismatch, missing/invalid variable, provider-side error, or caching).
- If unsure which side is the problem, try logging in from an incognito browser window and watch for any blocked or failed requests.
Summary Checklist โ โ
| Problem | Fix |
|---|---|
| ๐ WebUI URL missing or wrong | Set correct WebUI URL in admin panel |
| ๐ Env var typo or missing | Double-check and set all OAUTH/SSO env variables |
| ๐ข Provider misconfigured | Confirm app registration, URIs & client IDs/secrets |
| ๐ง Proxy caching interfering | Exclude OAUTH endpoints from all server-side caches |
| Still stuck? | Review logs and test without caches |
By carefully configuring BOTH your OAUTH provider and your WebUI environmentโand keeping critical login endpoints immune to cachingโyouโll eliminate nearly all SSO/OAUTH login problems. Donโt let a typo or a hidden cache block your users from seamless, secure AI access! ๐ฆพ