From 8916b426ec0ac1d524d57298abce667ceeca0d9e Mon Sep 17 00:00:00 2001 From: Boris Bliznioukov Date: Thu, 20 Mar 2025 14:14:53 +0100 Subject: [PATCH 1/2] feat: add SSO configuration options in values.yaml and workload-manager.yaml Signed-off-by: Boris Bliznioukov --- charts/open-webui/README.md | 36 ++++++- .../templates/workload-manager.yaml | 70 ++++++++++++++ charts/open-webui/values.yaml | 95 +++++++++++++++++-- 3 files changed, 190 insertions(+), 11 deletions(-) diff --git a/charts/open-webui/README.md b/charts/open-webui/README.md index 6429888..aa1d20d 100644 --- a/charts/open-webui/README.md +++ b/charts/open-webui/README.md @@ -1,6 +1,6 @@ # open-webui -![Version: 5.24.0](https://img.shields.io/badge/Version-5.24.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square) +![Version: 5.25.0](https://img.shields.io/badge/Version-5.25.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square) Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋 @@ -56,7 +56,7 @@ helm upgrade --install open-webui open-webui/open-webui | image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui | | imagePullSecrets | list | `[]` | Configure imagePullSecrets to use private registry ref: | | ingress.additionalHosts | list | `[]` | | -| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: | +| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: | | ingress.class | string | `""` | | | ingress.enabled | bool | `false` | | | ingress.existingSecret | string | `""` | | 
@@ -103,6 +103,34 @@ helm upgrade --install open-webui open-webui/open-webui | serviceAccount.automountServiceAccountToken | bool | `false` | | | serviceAccount.enable | bool | `true` | | | serviceAccount.name | string | `""` | | +| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim | +| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim | +| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) | +| sso.enabled | bool | `false` | Enable SSO authentication globally | +| sso.github.clientId | string | `""` | GitHub OAuth client ID | +| sso.github.clientSecret | string | `""` | GitHub OAuth client secret | +| sso.github.enabled | bool | `false` | Enable GitHub OAuth | +| sso.google.clientId | string | `""` | Google OAuth client ID | +| sso.google.clientSecret | string | `""` | Google OAuth client secret | +| sso.google.enabled | bool | `false` | Enable Google OAuth | +| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) | +| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) | +| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID | +| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret | +| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth | +| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts | +| sso.oidc.clientId | string | `""` | OIDC client ID | +| sso.oidc.clientSecret | string | `""` | OIDC client secret | +| sso.oidc.enabled | bool | `false` | Enable OIDC authentication | +| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI | +| sso.oidc.providerUrl | string | `""` | OIDC 
provider well known URL | +| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). | +| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) | +| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) | +| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) | +| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address | +| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication | +| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) | | startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: | | strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset | | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI | 
@@ -112,7 +140,7 @@ helm upgrade --install open-webui open-webui/open-webui | volumes | list | `[]` | Configure pod volumes ref: | | websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` | | websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) | -| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis | +| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis | | websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment | | websocket.redis.annotations | object | `{}` | Redis annotations | | websocket.redis.args | list | `[]` | Redis arguments (overrides default) | 
@@ -124,7 +152,7 @@ helm upgrade --install open-webui open-webui/open-webui | websocket.redis.pods | object | `{"annotations":{}}` | Redis pod | | websocket.redis.pods.annotations | object | `{}` | Redis pod annotations | | websocket.redis.resources | object | `{}` | Redis resources | -| websocket.redis.securityContext | object | `{}` | Redis security context ref: | +| websocket.redis.securityContext | object | `{}` | Redis security context | | websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service | | websocket.redis.service.annotations | object | `{}` | Redis service annotations | | websocket.redis.service.containerPort | int | `6379` | Redis container/target port | diff --git a/charts/open-webui/templates/workload-manager.yaml b/charts/open-webui/templates/workload-manager.yaml index fe6290b..a950c74 100644 --- a/charts/open-webui/templates/workload-manager.yaml +++ b/charts/open-webui/templates/workload-manager.yaml 
@@ -161,6 +161,76 @@ spec: - name: "WEBSOCKET_REDIS_URL" value: {{ .Values.websocket.url | quote }} {{- end }} + {{- if .Values.sso.enabled }} + {{- if .Values.sso.enableSignup }} + - name: "ENABLE_OAUTH_SIGNUP" + value: "True" + {{- end }} + {{- if .Values.sso.mergeAccountsByEmail }} + - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL" + value: "True" + {{- end }} + {{- if .Values.sso.google.enabled }} + - name: "GOOGLE_CLIENT_ID" + value: {{ .Values.sso.google.clientId | quote }} + - name: "GOOGLE_CLIENT_SECRET" + value: {{ .Values.sso.google.clientSecret | quote }} + {{- end }} + {{- if .Values.sso.microsoft.enabled }} + - name: "MICROSOFT_CLIENT_ID" + value: {{ .Values.sso.microsoft.clientId | quote }} + - name: "MICROSOFT_CLIENT_SECRET" + value: {{ .Values.sso.microsoft.clientSecret | quote }} + - name: "MICROSOFT_CLIENT_TENANT_ID" + value: {{ .Values.sso.microsoft.tenantId | quote }} + {{- end }} + {{- if .Values.sso.github.enabled }} + - name: "GITHUB_CLIENT_ID" + value: {{ .Values.sso.github.clientId | quote }} + - name: "GITHUB_CLIENT_SECRET" + value: {{ .Values.sso.github.clientSecret | quote }} + {{- end }} + {{- if .Values.sso.oidc.enabled }} + - name: "OAUTH_CLIENT_ID" + value: {{ .Values.sso.oidc.clientId | quote }} + - name: "OAUTH_CLIENT_SECRET" + value: {{ .Values.sso.oidc.clientSecret | quote }} + - name: "OPENID_PROVIDER_URL" + value: {{ .Values.sso.oidc.providerUrl | quote }} + - name: "OAUTH_PROVIDER_NAME" + value: {{ .Values.sso.oidc.providerName | quote }} + - name: "OAUTH_SCOPES" + value: {{ .Values.sso.oidc.scopes | quote }} + {{- end }} + {{- if .Values.sso.enableRoleManagement }} + - name: "ENABLE_OAUTH_ROLE_MANAGEMENT" + value: "True" + - name: "OAUTH_ROLES_CLAIM" + value: {{ .Values.sso.roleManagement.rolesClaim | quote }} + {{- if .Values.sso.roleManagement.allowedRoles }} + - name: "OAUTH_ALLOWED_ROLES" + value: {{ .Values.sso.roleManagement.allowedRoles | quote }} + {{- end }} + {{- if .Values.sso.roleManagement.adminRoles }} + - name: 
"OAUTH_ADMIN_ROLES" + value: {{ .Values.sso.roleManagement.adminRoles | quote }} + {{- end }} + {{- end }} + {{- if .Values.sso.enableGroupManagement }} + - name: "ENABLE_OAUTH_GROUP_MANAGEMENT" + value: "True" + - name: "OAUTH_GROUP_CLAIM" + value: {{ .Values.sso.groupManagement.groupsClaim | quote }} + {{- end }} + {{- if .Values.sso.trustedHeader.enabled }} + - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER" + value: {{ .Values.sso.trustedHeader.emailHeader | quote }} + {{- if .Values.sso.trustedHeader.nameHeader }} + - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER" + value: {{ .Values.sso.trustedHeader.nameHeader | quote }} + {{- end }} + {{- end }} + {{- end }} tty: true {{- with .Values.nodeSelector }} nodeSelector: diff --git a/charts/open-webui/values.yaml b/charts/open-webui/values.yaml index 02007df..30a5ba2 100644 --- a/charts/open-webui/values.yaml +++ b/charts/open-webui/values.yaml @@ -1,6 +1,6 @@ nameOverride: "" namespaceOverride: "" - +# @section -- OLLAMA ollama: # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure enabled: true @@ -177,14 +177,14 @@ copyAppData: managedCertificate: enabled: false - name: "mydomain-chat-cert" # You can override this name if needed + name: "mydomain-chat-cert" # You can override this name if needed domains: - chat.example.com # update to your real domain ingress: enabled: false class: "" - # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX: + # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX: annotations: {} # # Example for GKE Ingress # kubernetes.io/ingress.class: "gce" 
@@ -194,8 +194,8 @@ ingress: # nginx.ingress.kubernetes.io/ssl-redirect: "true" # nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com" # networking.gke.io/managed-certificates: "mydomain-chat-cert" - # # nginx.ingress.kubernetes.io/rewrite-target: / - host: "chat.example.com" # update to your real domain + # # nginx.ingress.kubernetes.io/rewrite-target: / + host: "chat.example.com" # update to your real domain additionalHosts: [] tls: false existingSecret: "" @@ -245,7 +245,8 @@ enableOpenaiApi: true openaiBaseApiUrl: "https://api.openai.com/v1" # -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set -openaiBaseApiUrls: [] +openaiBaseApiUrls: + [] # - "https://api.openai.com/v1" # - "https://api.company.openai.com/v1" @@ -304,7 +305,6 @@ podSecurityContext: # supplementalGroups: [] # fsGroup: 1001 - # -- Configure container security context # ref: containerSecurityContext: 
@@ -321,6 +321,87 @@ containerSecurityContext: # seccompProfile: # type: "RuntimeDefault" +# @section -- SSO Configuration +sso: + # -- Enable SSO authentication globally + enabled: false + # -- Enable account creation when logging in with OAuth (distinct from regular signup) + enableSignup: false + # -- Allow logging into accounts that match email from OAuth provider (considered insecure) + mergeAccountsByEmail: false + # -- Enable OAuth role management through access token roles claim + enableRoleManagement: false + # -- Enable OAuth group management through access token groups claim + enableGroupManagement: false + + # @section -- Google OAuth configuration + google: + # -- Enable Google OAuth + enabled: false + # -- Google OAuth client ID + clientId: "" + # -- Google OAuth client secret + clientSecret: "" + + # @section -- Microsoft OAuth configuration + microsoft: + # -- Enable Microsoft OAuth + enabled: false + # -- Microsoft OAuth client ID + clientId: "" + # -- Microsoft OAuth client secret + clientSecret: "" + # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts + tenantId: "" + + # @section -- GitHub OAuth configuration + github: + # -- Enable GitHub OAuth + enabled: false + # -- GitHub OAuth client ID + clientId: "" + # -- GitHub OAuth client secret + clientSecret: "" + + # @section -- OIDC configuration + oidc: + # -- Enable OIDC authentication + enabled: false + # -- OIDC client ID + clientId: "" + # -- OIDC client secret + clientSecret: "" + # -- OIDC provider well known URL + providerUrl: "" + # -- Name of the provider to show on the UI + providerName: "SSO" + # -- Scopes to request (space-separated). 
+ scopes: "openid email profile" + + # @section -- Role management configuration + roleManagement: + # -- The claim that contains the roles (can be nested, e.g., user.roles) + rolesClaim: "roles" + # -- Comma-separated list of roles allowed to log in (receive open webui role user) + allowedRoles: "" + # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin) + adminRoles: "" + + # @section -- Group management configuration + # @default -- "groups" + groupManagement: + # -- The claim that contains the groups (can be nested, e.g., user.memberOf) + groupsClaim: "groups" + + # @section -- Trusted header authentication + trustedHeader: + # -- Enable trusted header authentication + enabled: false + # -- Header containing the user's email address + emailHeader: "" + # -- Header containing the user's name (optional, used for new user creation) + nameHeader: "" + # -- Extra resources to deploy with Open WebUI extraResources: [] From 57fd1bd51353f2a3cb6f7f4cb4ea0c3db96f7761 Mon Sep 17 00:00:00 2001 From: Boris Bliznioukov Date: Thu, 20 Mar 2025 14:41:36 +0100 Subject: [PATCH 2/2] feat: add SSO and OAuth configuration options to README and values.yaml Signed-off-by: Boris Bliznioukov --- charts/open-webui/README.md | 93 ++++++++++++++++++++++++----------- charts/open-webui/values.yaml | 40 ++++++++++----- 2 files changed, 94 insertions(+), 39 deletions(-) diff --git a/charts/open-webui/README.md b/charts/open-webui/README.md index aa1d20d..73a611f 100644 --- a/charts/open-webui/README.md +++ b/charts/open-webui/README.md 
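Review bot: The `trustedHeader` block documents what the two headers carry but not the trust assumption behind them: once `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` is set, the application presumably accepts whatever value arrives in that header as the authenticated user, so the header has to be set, and any client-supplied copy overwritten, by an authenticating reverse proxy that is the only route to the Service. I would extend the comment on `enabled` to say so, e.g. `# -- Enable trusted header authentication. Only enable when an authenticating proxy in front of Open WebUI sets this header and strips it from incoming requests; with the Service reachable directly, the header is attacker-controlled and bypasses login.` For `mergeAccountsByEmail`, "considered insecure" would be more useful if the comment named the reason, namely that the provider's email claim is used to link the login to an existing local account, so an unverified or misissued email on the IdP side maps onto that account, and recommended leaving it off unless every enabled provider verifies email ownership.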
@@ -40,6 +40,71 @@ helm upgrade --install open-webui open-webui/open-webui ## Values +### SSO Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim | +| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim | +| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) | +| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication | +| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) | +| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) | + +### GitHub OAuth configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.github.clientId | string | `""` | GitHub OAuth client ID | +| sso.github.clientSecret | string | `""` | GitHub OAuth client secret | +| sso.github.enabled | bool | `false` | Enable GitHub OAuth | + +### Google OAuth configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.google.clientId | string | `""` | Google OAuth client ID | +| sso.google.clientSecret | string | `""` | Google OAuth client secret | +| sso.google.enabled | bool | `false` | Enable Google OAuth | + +### Microsoft OAuth configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID | +| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret | +| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth | +| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 
9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts | + +### OIDC configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.oidc.clientId | string | `""` | OIDC client ID | +| sso.oidc.clientSecret | string | `""` | OIDC client secret | +| sso.oidc.enabled | bool | `false` | Enable OIDC authentication | +| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI | +| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL | +| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). | + +### Role management configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) | +| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) | +| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) | + +### SSO trusted header authentication + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address | +| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication | +| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) | + +### Other Values + | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity for pod assignment | 
@@ -103,34 +168,6 @@ helm upgrade --install open-webui open-webui/open-webui | serviceAccount.automountServiceAccountToken | bool | `false` | | | serviceAccount.enable | bool | `true` | | | serviceAccount.name | string | `""` | | -| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim | -| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim | -| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) | -| sso.enabled | bool | `false` | Enable SSO authentication globally | -| sso.github.clientId | string | `""` | GitHub OAuth client ID | -| sso.github.clientSecret | string | `""` | GitHub OAuth client secret | -| sso.github.enabled | bool | `false` | Enable GitHub OAuth | -| sso.google.clientId | string | `""` | Google OAuth client ID | -| sso.google.clientSecret | string | `""` | Google OAuth client secret | -| sso.google.enabled | bool | `false` | Enable Google OAuth | -| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) | -| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) | -| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID | -| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret | -| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth | -| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts | -| sso.oidc.clientId | string | `""` | OIDC client ID | -| sso.oidc.clientSecret | string | `""` | OIDC client secret | -| sso.oidc.enabled | bool | `false` | Enable OIDC authentication | -| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI | -| sso.oidc.providerUrl | string | `""` | OIDC 
provider well known URL | -| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). | -| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) | -| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) | -| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) | -| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address | -| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication | -| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) | | startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: | | strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset | | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI | diff --git a/charts/open-webui/values.yaml b/charts/open-webui/values.yaml index 30a5ba2..fa3327f 100644 --- a/charts/open-webui/values.yaml +++ b/charts/open-webui/values.yaml @@ -1,6 +1,5 @@ nameOverride: "" namespaceOverride: "" -# @section -- OLLAMA ollama: # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure enabled: true 
@@ -321,85 +320,104 @@ containerSecurityContext: # seccompProfile: # type: "RuntimeDefault" -# @section -- SSO Configuration sso: - # -- Enable SSO authentication globally + # -- **Enable SSO authentication globally** must enable to use SSO authentication + # @section -- SSO Configuration enabled: false # -- Enable account creation when logging in with OAuth (distinct from regular signup) + # @section -- SSO Configuration enableSignup: false # -- Allow logging into accounts that match email from OAuth provider (considered insecure) + # @section -- SSO Configuration mergeAccountsByEmail: false # -- Enable OAuth role management through access token roles claim + # @section -- SSO Configuration enableRoleManagement: false # -- Enable OAuth group management through access token groups claim + # @section -- SSO Configuration enableGroupManagement: false - # @section -- Google OAuth configuration google: # -- Enable Google OAuth + # @section -- Google OAuth configuration enabled: false # -- Google OAuth client ID + # @section -- Google OAuth configuration clientId: "" # -- Google OAuth client secret + # @section -- Google OAuth configuration clientSecret: "" - # @section -- Microsoft OAuth configuration microsoft: # -- Enable Microsoft OAuth + # @section -- Microsoft OAuth configuration enabled: false # -- Microsoft OAuth client ID + # @section -- Microsoft OAuth configuration clientId: "" # -- Microsoft OAuth client secret + # @section -- Microsoft OAuth configuration clientSecret: "" # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts + # @section -- Microsoft OAuth configuration tenantId: "" - # @section -- GitHub OAuth configuration github: # -- Enable GitHub OAuth + # @section -- GitHub OAuth configuration enabled: false # -- GitHub OAuth client ID + # @section -- GitHub OAuth configuration clientId: "" # -- GitHub OAuth client secret + # @section -- GitHub OAuth configuration clientSecret: "" - # @section -- OIDC configuration 
oidc: # -- Enable OIDC authentication + # @section -- OIDC configuration enabled: false # -- OIDC client ID + # @section -- OIDC configuration clientId: "" # -- OIDC client secret + # @section -- OIDC configuration clientSecret: "" # -- OIDC provider well known URL + # @section -- OIDC configuration providerUrl: "" # -- Name of the provider to show on the UI + # @section -- OIDC configuration providerName: "SSO" # -- Scopes to request (space-separated). + # @section -- OIDC configuration scopes: "openid email profile" - # @section -- Role management configuration roleManagement: # -- The claim that contains the roles (can be nested, e.g., user.roles) + # @section -- Role management configuration rolesClaim: "roles" # -- Comma-separated list of roles allowed to log in (receive open webui role user) + # @section -- Role management configuration allowedRoles: "" # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin) + # @section -- Role management configuration adminRoles: "" - # @section -- Group management configuration - # @default -- "groups" groupManagement: # -- The claim that contains the groups (can be nested, e.g., user.memberOf) + # @section -- SSO Configuration groupsClaim: "groups" - # @section -- Trusted header authentication trustedHeader: # -- Enable trusted header authentication + # @section -- SSO trusted header authentication enabled: false # -- Header containing the user's email address + # @section -- SSO trusted header authentication emailHeader: "" # -- Header containing the user's name (optional, used for new user creation) + # @section -- SSO trusted header authentication nameHeader: "" # -- Extra resources to deploy with Open WebUI