diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index 15d209941..68d16d791 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -429,6 +429,12 @@ OAUTH_ADMIN_ROLES = PersistentConfig(
 [role.strip() for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(",")],
 )
 
+OAUTH_ALLOWED_DOMAINS = PersistentConfig(
+ "OAUTH_ALLOWED_DOMAINS",
+ "oauth.allowed_domains",
+ [domain.strip() for domain in os.environ.get("OAUTH_ALLOWED_DOMAINS", "*").split(",")],
+)
+
 
 def load_oauth_providers():
 OAUTH_PROVIDERS.clear()
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 722b1ea73..e0ddb70d4 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -26,6 +26,7 @@ from open_webui.config import (
 OAUTH_USERNAME_CLAIM,
 OAUTH_ALLOWED_ROLES,
 OAUTH_ADMIN_ROLES,
+ OAUTH_ALLOWED_DOMAINS,
 WEBHOOK_URL,
 JWT_EXPIRES_IN,
 AppConfig,
@@ -49,6 +50,7 @@ auth_manager_config.OAUTH_PICTURE_CLAIM = OAUTH_PICTURE_CLAIM
 auth_manager_config.OAUTH_USERNAME_CLAIM = OAUTH_USERNAME_CLAIM
 auth_manager_config.OAUTH_ALLOWED_ROLES = OAUTH_ALLOWED_ROLES
 auth_manager_config.OAUTH_ADMIN_ROLES = OAUTH_ADMIN_ROLES
+auth_manager_config.OAUTH_ALLOWED_DOMAINS = OAUTH_ALLOWED_DOMAINS
 auth_manager_config.WEBHOOK_URL = WEBHOOK_URL
 auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
 
@@ -156,6 +158,9 @@ class OAuthManager:
 if not email:
 log.warning(f"OAuth callback failed, email is missing: {user_data}")
 raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+ if "*" not in auth_manager_config.OAUTH_ALLOWED_DOMAINS and email.split("@")[-1] not in auth_manager_config.OAUTH_ALLOWED_DOMAINS:
+ log.warning(f"OAuth callback failed, e-mail domain is not in the list of allowed domains: {user_data}")
+ raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
 
 # Check if the user exists
 user = Users.get_user_by_oauth_sub(provider_sub)
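Review bot: The list built for the new OAUTH_ALLOWED_DOMAINS entry keeps whatever case the operator typed, while the callback in utils/oauth.py compares the e-mail domain against it with a plain `in`, so a value such as `Example.com` would never match a real address; normalize at parse time with `[domain.strip().lower() for domain in os.environ.get("OAUTH_ALLOWED_DOMAINS", "*").split(",")]`. The entry also lacks any statement of its contract; a comment above it such as `# Comma-separated e-mail domains allowed to sign in via OAuth; "*" (the default) accepts any domain.` would spare the next reader a trip to the callback code. Because this is a PersistentConfig, the env-var default presumably only seeds the value until one is stored elsewhere, so the same normalization should be confirmed on whatever path writes the persisted value.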
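Review bot: The new domain gate in the last hunk trusts the `email` claim exactly as the provider returns it, and nothing in the hunk checks an `email_verified` claim, so with a provider that lets users set an unverified address an attacker can simply claim `anyone@allowed.example` and pass the check; unless that verification happens elsewhere in this method (outside the hunk), the gate should require a verified claim or the limitation should be documented next to it. The comparison is also case-sensitive although e-mail domains are not, so `user@EXAMPLE.COM` is rejected for an allow-list of `example.com`; compare `email.rsplit("@", 1)[-1].lower()` against a lowercased copy of the list. The `if` line runs far past any sane column limit, and assigning `allowed_domains = auth_manager_config.OAUTH_ALLOWED_DOMAINS` and `email_domain = email.rsplit("@", 1)[-1].lower()` to locals before the test would fix both the length and the case issue in one place. The enclosing method starts and ends outside the hunk.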