Add oauth role mapping

also add node env to allow local build to succeed
2025-01-18 00:30:51 +00:00 · 2024-10-03 11:12:14 +02:00 · 2024-10-03 11:12:14 +02:00 · 9a691c0387
commit 9a691c0387
parent 1d225dd804
3 changed files with 35 additions and 5 deletions
--- a/1
+++ b/1
@ -27,6 +27,7 @@ RUN npm ci

 COPY . .
 ENV APP_BUILD_HASH=${BUILD_HASH}
+ENV NODE_OPTIONS="--max_old_space_size=8192"
 RUN npm run build

 ######## WebUI backend ########
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -278,6 +278,18 @@ ENABLE_OAUTH_SIGNUP = PersistentConfig(
    os.environ.get("ENABLE_OAUTH_SIGNUP", "False").lower() == "true",
 )

+ENABLE_OAUTH_ROLE_MAPPING = PersistentConfig(
+    "ENABLE_OAUTH_ROLE_MAPPING",
+    "oauth.enable_role_mapping",
+    os.environ.get("ENABLE_OAUTH_ROLE_MAPPING", "False").lower() == "true",
+)
+
+OAUTH_ROLES_CLAIM = PersistentConfig(
+    "OAUTH_ROLES_CLAIM",
+    "oauth.roles_claim",
+    os.environ.get("OAUTH_ROLES_CLAIM", "roles"),
+)
+
 OAUTH_MERGE_ACCOUNTS_BY_EMAIL = PersistentConfig(
    "OAUTH_MERGE_ACCOUNTS_BY_EMAIL",
    "oauth.merge_accounts_by_email",
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@ -2245,6 +2245,18 @@ async def oauth_callback(provider: str, request: Request, response: Response):
    # Check if the user exists
    user = Users.get_user_by_oauth_sub(provider_sub)

+    if user:
+        role = user.role
+        if Users.get_num_users() == 1:
+            role = "admin"
+        elif webui_app.state.config.ENABLE_OAUTH_ROLE_MAPPING:
+            oauth_roles = user_data.get(webui_app.state.config.OAUTH_ROLE_CLAIM)
+            if oauth_roles:
+                for allowed_role in ["pending", "user", "admin"]:
+                    role = allowed_role if allowed_role in oauth_roles else role
+        if role != user.role:
+            Users.update_user_role_by_id(user.id, role)
+
    if not user:
        # If the user does not exist, check if merging is enabled
        if OAUTH_MERGE_ACCOUNTS_BY_EMAIL.value:
@ -2284,11 +2296,16 @@ async def oauth_callback(provider: str, request: Request, response: Response):
            if not picture_url:
                picture_url = "/user.png"
            username_claim = webui_app.state.config.OAUTH_USERNAME_CLAIM
-            role = (
-                "admin"
-                if Users.get_num_users() == 0
-                else webui_app.state.config.DEFAULT_USER_ROLE
-            )
+
+            role = webui_app.state.config.DEFAULT_USER_ROLE
+            if Users.get_num_users() == 0:
+                role = "admin"
+            elif webui_app.state.config.ENABLE_OAUTH_ROLE_MAPPING:
+                oauth_roles = user_data.get(webui_app.state.config.OAUTH_ROLE_CLAIM)
+                if oauth_roles:
+                    for allowed_role in ["pending", "user", "admin"]:
+                        role = allowed_role if allowed_role in oauth_roles else role
+
            user = Auths.insert_new_auth(
                email=email,
                password=get_password_hash(