diff --git a/Dockerfile b/Dockerfile
index c944f54e6..5e7f80bc8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,6 +27,7 @@ RUN npm ci
 COPY . .
 ENV APP_BUILD_HASH=${BUILD_HASH}
+ENV NODE_OPTIONS="--max_old_space_size=8192"
 RUN npm run build
 ######## WebUI backend ########
diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index f531a8728..f9921d9cb 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -278,6 +278,18 @@ ENABLE_OAUTH_SIGNUP = PersistentConfig(
 os.environ.get("ENABLE_OAUTH_SIGNUP", "False").lower() == "true",
 )
+ENABLE_OAUTH_ROLE_MAPPING = PersistentConfig(
+ "ENABLE_OAUTH_ROLE_MAPPING",
+ "oauth.enable_role_mapping",
+ os.environ.get("ENABLE_OAUTH_ROLE_MAPPING", "False").lower() == "true",
+)
+
+OAUTH_ROLES_CLAIM = PersistentConfig(
+ "OAUTH_ROLES_CLAIM",
+ "oauth.roles_claim",
+ os.environ.get("OAUTH_ROLES_CLAIM", "roles"),
+)
+
 OAUTH_MERGE_ACCOUNTS_BY_EMAIL = PersistentConfig(
 "OAUTH_MERGE_ACCOUNTS_BY_EMAIL",
 "oauth.merge_accounts_by_email",
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index 4af48906b..77d486fb7 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -2245,6 +2245,18 @@ async def oauth_callback(provider: str, request: Request, response: Response):
 # Check if the user exists
 user = Users.get_user_by_oauth_sub(provider_sub)
+ if user:
+ role = user.role
+ if Users.get_num_users() == 1:
+ role = "admin"
+ elif webui_app.state.config.ENABLE_OAUTH_ROLE_MAPPING:
+ oauth_roles = user_data.get(webui_app.state.config.OAUTH_ROLE_CLAIM)
+ if oauth_roles:
+ for allowed_role in ["pending", "user", "admin"]:
+ role = allowed_role if allowed_role in oauth_roles else role
+ if role != user.role:
+ Users.update_user_role_by_id(user.id, role)
+
 if not user:
 # If the user does not exist, check if merging is enabled
 if OAUTH_MERGE_ACCOUNTS_BY_EMAIL.value:
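Review bot: The new setting is defined here as `OAUTH_ROLES_CLAIM` (config key `oauth.roles_claim`), but both main.py hunks in this commit read `webui_app.state.config.OAUTH_ROLE_CLAIM` (singular), so the configured claim name is never the one looked up; unless the app-state config resolves an unknown attribute to None (not shown in this diff) the OAuth callback breaks as soon as ENABLE_OAUTH_ROLE_MAPPING is turned on. Pick one spelling and use it everywhere, e.g. change the two reads to `user_data.get(webui_app.state.config.OAUTH_ROLES_CLAIM)`. The hunk also does not show the two new PersistentConfig entries being registered on `webui_app.state.config`; if that happens elsewhere in the commit, fine, otherwise the reads in main.py have nothing to resolve against.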
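Review bot: `allowed_role in oauth_roles` is a substring test whenever the roles claim arrives as a string instead of a list, and `user_data` here is provider-supplied: a claim value such as `"administrator"` satisfies `"admin" in oauth_roles`, and because the loop runs pending→user→admin with the last match winning, that account is promoted to admin on login. Normalize before the loop so only exact list membership counts, e.g. `if isinstance(oauth_roles, str): oauth_roles = [oauth_roles]`; the identical loop in the 2296 hunk below needs the same treatment. A missing or empty claim leaves an existing user's current role in place, so a role withdrawn at the provider is not reflected here — if that is intended it deserves a comment, e.g. `# Missing/empty roles claim: keep the current role rather than demote`. `oauth_callback` begins and ends outside this hunk.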
@@ -2284,11 +2296,16 @@ async def oauth_callback(provider: str, request: Request, response: Response):
 if not picture_url:
 picture_url = "/user.png"
 username_claim = webui_app.state.config.OAUTH_USERNAME_CLAIM
- role = (
- "admin"
- if Users.get_num_users() == 0
- else webui_app.state.config.DEFAULT_USER_ROLE
- )
+
+ role = webui_app.state.config.DEFAULT_USER_ROLE
+ if Users.get_num_users() == 0:
+ role = "admin"
+ elif webui_app.state.config.ENABLE_OAUTH_ROLE_MAPPING:
+ oauth_roles = user_data.get(webui_app.state.config.OAUTH_ROLE_CLAIM)
+ if oauth_roles:
+ for allowed_role in ["pending", "user", "admin"]:
+ role = allowed_role if allowed_role in oauth_roles else role
+
 user = Auths.insert_new_auth(
 email=email,
 password=get_password_hash(
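Review bot: The role-resolution block added here repeats the one in the 2245 hunk above line for line (same allowed-role list, same claim read, same last-match-wins loop), and two hand-maintained copies of an authorization decision are how they drift apart; extract it into one module-level helper both call sites use, `role = _resolve_oauth_role(user_data, default_role=role)` here and with `default_role=user.role` in the existing-user branch. The helper below reads the claim under the name config.py actually defines (`OAUTH_ROLES_CLAIM`), coerces a string-valued claim to a one-element list so the membership test is exact rather than a substring match, and documents the precedence order in one place. `oauth_callback` continues past the end of this hunk.
```python
def _resolve_oauth_role(user_data: dict, default_role: str) -> str:
    """Return the role named by the OAuth roles claim, or default_role.

    Only consulted when ENABLE_OAUTH_ROLE_MAPPING is on. When several
    known roles are present, precedence is admin > user > pending.
    """
    if not webui_app.state.config.ENABLE_OAUTH_ROLE_MAPPING:
        return default_role
    oauth_roles = user_data.get(webui_app.state.config.OAUTH_ROLES_CLAIM)
    if isinstance(oauth_roles, str):
        oauth_roles = [oauth_roles]  # exact membership, never substring
    if not oauth_roles:
        return default_role  # absent/empty claim: keep the caller's default
    role = default_role
    for allowed_role in ["pending", "user", "admin"]:
        if allowed_role in oauth_roles:
            role = allowed_role
    return role

# … at the call site in this hunk, replacing the elif block …
role = webui_app.state.config.DEFAULT_USER_ROLE
if Users.get_num_users() == 0:
    role = "admin"
else:
    role = _resolve_oauth_role(user_data, default_role=role)
# … unchanged: Auths.insert_new_auth(...) …
```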