Add OAUTH_ALLOWED_DOMAINS to restrict which e-mail domains users can sign up from via OAuth
This commit is contained in:
parent
c4ea31357f
commit
d42de65298
@ -429,6 +429,12 @@ OAUTH_ADMIN_ROLES = PersistentConfig(
|
|||||||
[role.strip() for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(",")],
|
[role.strip() for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(",")],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
OAUTH_ALLOWED_DOMAINS = PersistentConfig(
|
||||||
|
"OAUTH_ALLOWED_DOMAINS",
|
||||||
|
"oauth.allowed_domains",
|
||||||
|
[domain.strip() for domain in os.environ.get("OAUTH_ALLOWED_DOMAINS", "*").split(",")],
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def load_oauth_providers():
|
def load_oauth_providers():
|
||||||
OAUTH_PROVIDERS.clear()
|
OAUTH_PROVIDERS.clear()
|
||||||
|
@ -26,6 +26,7 @@ from open_webui.config import (
|
|||||||
OAUTH_USERNAME_CLAIM,
|
OAUTH_USERNAME_CLAIM,
|
||||||
OAUTH_ALLOWED_ROLES,
|
OAUTH_ALLOWED_ROLES,
|
||||||
OAUTH_ADMIN_ROLES,
|
OAUTH_ADMIN_ROLES,
|
||||||
|
OAUTH_ALLOWED_DOMAINS,
|
||||||
WEBHOOK_URL,
|
WEBHOOK_URL,
|
||||||
JWT_EXPIRES_IN,
|
JWT_EXPIRES_IN,
|
||||||
AppConfig,
|
AppConfig,
|
||||||
@ -49,6 +50,7 @@ auth_manager_config.OAUTH_PICTURE_CLAIM = OAUTH_PICTURE_CLAIM
|
|||||||
auth_manager_config.OAUTH_USERNAME_CLAIM = OAUTH_USERNAME_CLAIM
|
auth_manager_config.OAUTH_USERNAME_CLAIM = OAUTH_USERNAME_CLAIM
|
||||||
auth_manager_config.OAUTH_ALLOWED_ROLES = OAUTH_ALLOWED_ROLES
|
auth_manager_config.OAUTH_ALLOWED_ROLES = OAUTH_ALLOWED_ROLES
|
||||||
auth_manager_config.OAUTH_ADMIN_ROLES = OAUTH_ADMIN_ROLES
|
auth_manager_config.OAUTH_ADMIN_ROLES = OAUTH_ADMIN_ROLES
|
||||||
|
auth_manager_config.OAUTH_ALLOWED_DOMAINS = OAUTH_ALLOWED_DOMAINS
|
||||||
auth_manager_config.WEBHOOK_URL = WEBHOOK_URL
|
auth_manager_config.WEBHOOK_URL = WEBHOOK_URL
|
||||||
auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
|
auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
|
||||||
|
|
||||||
@ -156,6 +158,9 @@ class OAuthManager:
|
|||||||
if not email:
|
if not email:
|
||||||
log.warning(f"OAuth callback failed, email is missing: {user_data}")
|
log.warning(f"OAuth callback failed, email is missing: {user_data}")
|
||||||
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
|
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
|
||||||
|
if "*" not in auth_manager_config.OAUTH_ALLOWED_DOMAINS and email.split("@")[-1] not in auth_manager_config.OAUTH_ALLOWED_DOMAINS:
|
||||||
|
log.warning(f"OAuth callback failed, e-mail domain is not in the list of allowed domains: {user_data}")
|
||||||
|
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
|
||||||
|
|
||||||
# Check if the user exists
|
# Check if the user exists
|
||||||
user = Users.get_user_by_oauth_sub(provider_sub)
|
user = Users.get_user_by_oauth_sub(provider_sub)
|
||||||
|
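Review bot: The new guard compares `email.split("@")[-1]` against `OAUTH_ALLOWED_DOMAINS` case-sensitively, so a mixed-case address from the provider or a mixed-case configured entry is rejected unless `email` was already lowercased where it is extracted above this hunk; normalize both sides: `domain = email.split("@")[-1].lower()`, `allowed = {d.lower() for d in auth_manager_config.OAUTH_ALLOWED_DOMAINS}`, `if "*" not in allowed and domain not in allowed:`. The check is only as trustworthy as the provider's email claim: if the `email_verified` flag is not enforced elsewhere in this callback, a user can satisfy the allow-list by registering an unverified address at an allowed domain with the IdP, which is worth confirming or adding a check for. Note also that the guard sits before the `Users.get_user_by_oauth_sub` lookup, so it gates every OAuth login rather than only sign-up as the commit title suggests; if that is intended, `# Applies to logins of existing accounts as well as new sign-ups` above the check would make it explicit. The enclosing OAuthManager method starts and ends outside the hunk.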