Skip to main content

🔐 Dual OAuth Configuration (Microsoft & Google)

Unofficial Workaround

This configuration is a community-contributed workaround and is not officially supported by the Open WebUI team. While it works in current versions, behavior may change in future updates. This tutorial serves as a demonstration for advanced users.

Overview

While Open WebUI officially supports only one OpenID Connect (OIDC) provider at a time via the OPENID_PROVIDER_URL variable, it is possible to support both Microsoft and Google simultaneously.

The trick is to configure one provider (e.g., Microsoft) as the primary OIDC provider and the other (e.g., Google) as a standard OAuth provider by utilizing Open WebUI's built-in support for specific providers.

Prerequisites

  • Access to your Open WebUI environment variables (Docker or local).
  • Client IDs and Secrets from both Google Cloud Console and Microsoft Azure/Entra ID.
  • OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true must be enabled to ensure users are mapped to the same account regardless of the provider used.

Configuration logic

Open WebUI uses OPENID_PROVIDER_URL as a generic "catch-all" for OIDC. However, it also has native modules for Google and Microsoft. By leaving the OPENID_PROVIDER_URL for Microsoft and providing only the Client IDs for Google, the system can internalize both flows.

Environment Variables

Add the following to your docker-compose.yaml or environment config:

# Enable signup and account merging (CRITICAL)
ENABLE_OAUTH_SIGNUP=true
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true

# 1. Microsoft as the primary OIDC provider
# This uses the generic OIDC flow via the OPENID_PROVIDER_URL
MICROSOFT_CLIENT_ID=your_microsoft_client_id
MICROSOFT_CLIENT_SECRET=your_microsoft_client_secret
MICROSOFT_CLIENT_TENANT_ID=your_tenant_id
MICROSOFT_REDIRECT_URI=https://your-webui.com/oauth/microsoft/callback
OPENID_PROVIDER_URL=https://login.microsoftonline.com/your_tenant_id/v2.0/.well-known/openid-configuration

# 2. Google as a secondary OAuth provider
# Note: Do NOT provide an OPENID_PROVIDER_URL for Google.
# The system will use its internal Google OAuth implementation.
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret

Why This Works

  1. Microsoft is handled via the generic OIDC flow because OPENID_PROVIDER_URL is set to the Microsoft endpoint.
  2. Google is handled via the dedicated internal Google OAuth module because the system detects GOOGLE_CLIENT_ID but sees that the global OPENID_PROVIDER_URL is already "claimed" by Microsoft or simply isn't needed for the built-in Google module.
  3. Account Merging: Since both providers return the user's email, OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true ensures the user logs into the same profile whether they click "Sign in with Google" or "Sign in with Microsoft."

Troubleshooting

  • Redirect Mismatch: Ensure your Redirect URIs in both consoles match your WEBUI_URL.
  • Merge Failures: Double-check that OAUTH_MERGE_ACCOUNTS_BY_EMAIL is set to true.
  • Microsoft Logout: Microsoft often requires the OPENID_PROVIDER_URL to handle the logout redirect correctly. If logout fails, ensure this URL is correct for your tenant.