From 5c658a4879d4b7c48cb8ec11b513138d10a8b295 Mon Sep 17 00:00:00 2001
From: Thomas Lehmann
Date: Wed, 26 Mar 2025 18:24:49 +0100
Subject: [PATCH] feat(config): add config OAUTH_CODE_CHALLENGE_METHOD

Add support to enable OIDC code challenge method (PKCE).
---
 backend/open_webui/config.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index 8238f8a87..0d45d658b 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -456,6 +456,12 @@ OAUTH_SCOPES = PersistentConfig(
     os.environ.get("OAUTH_SCOPES", "openid email profile"),
 )
 
+OAUTH_CODE_CHALLENGE_METHOD = PersistentConfig(
+    "OAUTH_CODE_CHALLENGE_METHOD",
+    "oauth.oidc.code_challenge_method",
+    os.environ.get("OAUTH_CODE_CHALLENGE_METHOD", None),
+)
+
 OAUTH_PROVIDER_NAME = PersistentConfig(
     "OAUTH_PROVIDER_NAME",
     "oauth.oidc.provider_name",
@@ -601,14 +607,21 @@ def load_oauth_providers():
     ):
 
         def oidc_oauth_register(client):
+            client_kwargs = {
+                "scope": OAUTH_SCOPES.value,
+            }
+
+            if OAUTH_CODE_CHALLENGE_METHOD.value and OAUTH_CODE_CHALLENGE_METHOD.value == "S256":
+                client_kwargs["code_challenge_method"] = "S256"
+            elif OAUTH_CODE_CHALLENGE_METHOD.value:
+                raise Exception('Code challenge methods other than "%s" not supported. Given: "%s"' % ("S256", OAUTH_CODE_CHALLENGE_METHOD.value))
+
             client.register(
                 name="oidc",
                 client_id=OAUTH_CLIENT_ID.value,
                 client_secret=OAUTH_CLIENT_SECRET.value,
                 server_metadata_url=OPENID_PROVIDER_URL.value,
-                client_kwargs={
-                    "scope": OAUTH_SCOPES.value,
-                },
+                client_kwargs=client_kwargs,
                 redirect_uri=OPENID_REDIRECT_URI.value,
             )
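Review bot: The new OAUTH_CODE_CHALLENGE_METHOD PersistentConfig carries no note on what values it accepts or what the None default means, while the sibling settings around it are self-explanatory from their defaults. The accepted value is only discoverable from the check in oidc_oauth_register further down, so a one-line comment above the definition would save the next reader that lookup, e.g. `# PKCE code challenge method for the OIDC client; only "S256" is accepted, unset (default) leaves PKCE disabled`. Since the default is None, existing deployments keep their current non-PKCE behaviour unless the variable is set explicitly, which is worth stating in the deployment documentation as well.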
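Review bot: The validation added at the top of oidc_oauth_register is stricter than intended and surfaces a bare `Exception`: the first clause of `OAUTH_CODE_CHALLENGE_METHOD.value and OAUTH_CODE_CHALLENGE_METHOD.value == "S256"` is redundant with the equality test, and the comparison is case-sensitive, so a deployment that sets `s256` or leaves trailing whitespace fails at provider load with a generic error. Consider normalising once, `method = (OAUTH_CODE_CHALLENGE_METHOD.value or "").strip().upper()`, then `if method == "S256": client_kwargs["code_challenge_method"] = "S256"` and `elif method: raise ValueError(f'Code challenge methods other than "S256" not supported. Given: "{OAUTH_CODE_CHALLENGE_METHOD.value}"')`, so callers can catch a configuration error specifically. Accepting only S256 is the right restriction, since RFC 7636 recommends S256 and reserves `plain` for clients unable to compute it, and a short comment such as `# Only S256 is accepted; "plain" is deliberately unsupported` would record that this is a security decision rather than an omission. The value is forwarded via `client_kwargs` to `client.register`, which presumably maps to the OAuth library's `code_challenge_method` client option; confirm the library honours it on the authorization request. The enclosing load_oauth_providers starts before this hunk.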