UniqAI/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui synced 2025-02-07 21:47:29 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

feat: implement OAuth logout functionality for keyclock to terminate sso session

Browse Source
This commit is contained in:
Zaiban Ali 2024-12-07 13:49:12 +01:00
parent c4ea31357f
commit d5ce85f34a
3 changed files with 33 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
backend/open_webui/apps/webui/routers/auths.py
View File

@ -29,7 +29,11 @@ from open_webui.env import (
SRC_LOG_LEVELS, SRC_LOG_LEVELS,
) )
from fastapi import APIRouter, Depends, HTTPException, Request, status from fastapi import APIRouter, Depends, HTTPException, Request, status
from fastapi.responses import Response from fastapi.responses import RedirectResponse, Response
from open_webui.config import (
OAUTH_PROVIDER_NAME,
OAUTH_LOGOUT_URL,
)
from pydantic import BaseModel from pydantic import BaseModel
from open_webui.utils.misc import parse_duration, validate_email_format from open_webui.utils.misc import parse_duration, validate_email_format
from open_webui.utils.utils import ( from open_webui.utils.utils import (
@ -498,8 +502,17 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
@router.get("/signout") @router.get("/signout")
async def signout(response: Response): async def signout(request: Request, response: Response):
response.delete_cookie("token") response.delete_cookie("token")
if OAUTH_PROVIDER_NAME.value == "keycloak" and OAUTH_LOGOUT_URL:
id_token = request.cookies.get("id_token", None)
if id_token:
logout_url = f"{OAUTH_LOGOUT_URL}?id_token_hint={id_token}"
response.delete_cookie("id_token")
return RedirectResponse(url=logout_url)
# Fall back to the default signout
return {"status": True} return {"status": True}

6
backend/open_webui/config.py
View File

@ -384,6 +384,12 @@ OAUTH_PROVIDER_NAME = PersistentConfig(
os.environ.get("OAUTH_PROVIDER_NAME", "SSO"), os.environ.get("OAUTH_PROVIDER_NAME", "SSO"),
) )
OAUTH_LOGOUT_URL = PersistentConfig(
"OAUTH_LOGOUT_URL",
"oauth.oidc.logout_url",
os.environ.get("OAUTH_LOGOUT_URL", ""),
)
OAUTH_USERNAME_CLAIM = PersistentConfig( OAUTH_USERNAME_CLAIM = PersistentConfig(
"OAUTH_USERNAME_CLAIM", "OAUTH_USERNAME_CLAIM",
"oauth.oidc.username_claim", "oauth.oidc.username_claim",

12
backend/open_webui/utils/oauth.py
View File

@ -20,6 +20,7 @@ from open_webui.config import (
OAUTH_MERGE_ACCOUNTS_BY_EMAIL, OAUTH_MERGE_ACCOUNTS_BY_EMAIL,
OAUTH_PROVIDERS, OAUTH_PROVIDERS,
ENABLE_OAUTH_ROLE_MANAGEMENT, ENABLE_OAUTH_ROLE_MANAGEMENT,
OAUTH_PROVIDER_NAME,
OAUTH_ROLES_CLAIM, OAUTH_ROLES_CLAIM,
OAUTH_EMAIL_CLAIM, OAUTH_EMAIL_CLAIM,
OAUTH_PICTURE_CLAIM, OAUTH_PICTURE_CLAIM,
@ -253,9 +254,18 @@ class OAuthManager:
secure=WEBUI_SESSION_COOKIE_SECURE, secure=WEBUI_SESSION_COOKIE_SECURE,
) )
if OAUTH_PROVIDER_NAME.value == "keycloak":
id_token = token.get("id_token")
response.set_cookie(
key="id_token",
value=id_token,
httponly=True,
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
secure=WEBUI_SESSION_COOKIE_SECURE,
)
# Redirect back to the frontend with the JWT token # Redirect back to the frontend with the JWT token
redirect_url = f"{request.base_url}auth#token={jwt_token}" redirect_url = f"{request.base_url}auth#token={jwt_token}"
return RedirectResponse(url=redirect_url) return RedirectResponse(url=redirect_url, headers=response.headers)
oauth_manager = OAuthManager() oauth_manager = OAuthManager()