feat: OAUTH_BLOCKED_GROUPS support

2025-06-11 08:56:21 +00:00 · 2025-05-02 14:47:02 +04:00 · 2025-05-02 14:47:02 +04:00 · 754f631a07
commit 754f631a07
parent c1ddb00377
2 changed files with 22 additions and 1 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -515,6 +515,13 @@ ENABLE_OAUTH_GROUP_CREATION = PersistentConfig(
    os.environ.get("ENABLE_OAUTH_GROUP_CREATION", "False").lower() == "true",
 )

+
+OAUTH_BLOCKED_GROUPS = PersistentConfig(
+    "OAUTH_BLOCKED_GROUPS",
+    "oauth.blocked_groups",
+    os.environ.get("OAUTH_BLOCKED_GROUPS", "[]"),
+)
+
 OAUTH_ROLES_CLAIM = PersistentConfig(
    "OAUTH_ROLES_CLAIM",
    "oauth.roles_claim",
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -3,6 +3,7 @@ import logging
 import mimetypes
 import sys
 import uuid
+import json

 import aiohttp
 from authlib.integrations.starlette_client import OAuth
@ -24,6 +25,7 @@ from open_webui.config import (
    ENABLE_OAUTH_ROLE_MANAGEMENT,
    ENABLE_OAUTH_GROUP_MANAGEMENT,
    ENABLE_OAUTH_GROUP_CREATION,
+    OAUTH_BLOCKED_GROUPS,
    OAUTH_ROLES_CLAIM,
    OAUTH_GROUPS_CLAIM,
    OAUTH_EMAIL_CLAIM,
@ -59,6 +61,7 @@ auth_manager_config.OAUTH_MERGE_ACCOUNTS_BY_EMAIL = OAUTH_MERGE_ACCOUNTS_BY_EMAI
 auth_manager_config.ENABLE_OAUTH_ROLE_MANAGEMENT = ENABLE_OAUTH_ROLE_MANAGEMENT
 auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT = ENABLE_OAUTH_GROUP_MANAGEMENT
 auth_manager_config.ENABLE_OAUTH_GROUP_CREATION = ENABLE_OAUTH_GROUP_CREATION
+auth_manager_config.OAUTH_BLOCKED_GROUPS = OAUTH_BLOCKED_GROUPS
 auth_manager_config.OAUTH_ROLES_CLAIM = OAUTH_ROLES_CLAIM
 auth_manager_config.OAUTH_GROUPS_CLAIM = OAUTH_GROUPS_CLAIM
 auth_manager_config.OAUTH_EMAIL_CLAIM = OAUTH_EMAIL_CLAIM
@ -142,6 +145,12 @@ class OAuthManager:
        log.debug("Running OAUTH Group management")
        oauth_claim = auth_manager_config.OAUTH_GROUPS_CLAIM

+        try:
+            blocked_groups = json.loads(auth_manager_config.OAUTH_BLOCKED_GROUPS)
+        except Exception as e:
+            log.exception(f"Error loading OAUTH_BLOCKED_GROUPS: {e}")
+            blocked_groups = []
+
        user_oauth_groups = []
        # Nested claim search for groups claim
        if oauth_claim:
@ -208,7 +217,11 @@ class OAuthManager:

        # Remove groups that user is no longer a part of
        for group_model in user_current_groups:
-            if user_oauth_groups and group_model.name not in user_oauth_groups:
+            if (
+                user_oauth_groups
+                and group_model.name not in user_oauth_groups
+                and group_model.name not in blocked_groups
+            ):
                # Remove group from user
                log.debug(
                    f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
@ -238,6 +251,7 @@ class OAuthManager:
                user_oauth_groups
                and group_model.name in user_oauth_groups
                and not any(gm.name == group_model.name for gm in user_current_groups)
+                and group_model.name not in blocked_groups
            ):
                # Add user to group
                log.debug(