feat: OAuth/OIDC #483
Comments
Related: #340 |
It would be very good to have integration with AzureAD too. |
Ever since the new user accounts were rolled out, I've been wanting some kind of way to delegate auth as well. In my specific case, my ollama-webui is behind a Tailscale VPN. They have a pretty lightweight set of trusted identity headers when proxied to. It seems like a few other SSO providers like Authelia can be configured to pass along trusted headers. From the ollama-webui side, you'd configure some envvar like I'm wondering if this approach would cover your auth use cases as well? If so, I might take a stab at a PR implementation. |
Just a heads up. I'm working on integrating https://fastapi-users.github.io/fastapi-users/latest/ into ollama-webui. That will give us OAUTH2 for these clients: https://frankie567.github.io/httpx-oauth/oauth2/#provided-clients. Give me a few weeks. |
thanks @explorigin 🙇 it will be a killer feature in the open llm UI market. |
Sorry, no estimate. I started on it but work/life got crazy. If you need it for work then work on it. I've started with the fastapi-users library but that has some considerations:
And that's all before getting to the Oauth configuration that needs to be exposed in a smart manner. So it's not a simple feature. |
I will be interested in testing this when it is available. It would be great to add an option to automatically verify users based on their domain. Keep up the good job, guys! |
+1 for auth via Forwarded Headers; for many self-hosted setups OIDC/OAuth is pretty overkill. (Though still very useful for public instances) |
Not quite what was asked for with OAuth/OIDC for the actual auth, but I've yolo'd in a patch for my own use case with trusted headers, dev...cheahjs:open-webui-fork:feat/trusted-email-header |
Yep, I announced and then ghosted. Sorry. Going through a job change. Don't count on me for this. |
Given the newly merged trusted email header feature, Open WebUI doesn't support federated auth by itself, but it can offload auth to an authenticating proxy. Some example compose stacks (these are not exactly production ready, remember to harden where necessary with your own secrets):

Tailscale Serve

Starts Tailscale as a sidecar, and exposes Open WebUI via Tailscale Serve. Authorization should be handled using your tailnet's ACL rules.

docker-compose.yaml

    version: '3.8'
    services:
      ollama:
        volumes:
          - ollama:/root/.ollama
        container_name: ollama
        pull_policy: always
        tty: true
        restart: unless-stopped
        image: ollama/ollama:latest
      open-webui:
        build:
          context: .
          args:
            OLLAMA_BASE_URL: '/ollama'
          dockerfile: Dockerfile
        image: ghcr.io/open-webui/open-webui:main
        container_name: open-webui
        volumes:
          - open-webui:/app/backend/data
        depends_on:
          - ollama
        environment:
          - 'OLLAMA_BASE_URL=http://ollama:11434'
          - 'WEBUI_SECRET_KEY='
          - 'WEBUI_AUTH_TRUSTED_EMAIL_HEADER=Tailscale-User-Login'
        extra_hosts:
          - host.docker.internal:host-gateway
        restart: unless-stopped
      tailscale:
        image: tailscale/tailscale:latest
        environment:
          - TS_AUTH_ONCE=true
          - TS_AUTHKEY=${TS_AUTHKEY}
          - TS_EXTRA_ARGS=--advertise-tags=tag:open-webui
          - TS_SERVE_CONFIG=/config/serve.json
          - TS_STATE_DIR=/var/lib/tailscale
          - TS_HOSTNAME=open-webui
        volumes:
          - tailscale:/var/lib/tailscale
          - ./tailscale-serve.json:/config/serve.json
          - /dev/net/tun:/dev/net/tun
        cap_add:
          - net_admin
          - sys_module
        restart: unless-stopped
    volumes:
      ollama: {}
      open-webui: {}
      tailscale: {}

tailscale-serve.json

    {
      "TCP": {
        "443": {
          "HTTPS": true
        }
      },
      "Web": {
        "${TS_CERT_DOMAIN}:443": {
          "Handlers": {
            "/": {
              "Proxy": "http://open-webui:8080"
            }
          }
        }
      }
    }

oauth2-proxy

docker-compose.yaml

    version: '3.8'
    services:
      ollama:
        volumes:
          - ollama:/root/.ollama
        container_name: ollama
        pull_policy: always
        tty: true
        restart: unless-stopped
        image: ollama/ollama:latest
      open-webui:
        build:
          context: .
          args:
            OLLAMA_BASE_URL: '/ollama'
          dockerfile: Dockerfile
        image: ghcr.io/open-webui/open-webui:main
        container_name: open-webui
        volumes:
          - open-webui:/app/backend/data
        depends_on:
          - ollama
        environment:
          - 'OLLAMA_BASE_URL=http://ollama:11434'
          - 'WEBUI_SECRET_KEY='
          - 'WEBUI_AUTH_TRUSTED_EMAIL_HEADER=X-Forwarded-Email'
        extra_hosts:
          - host.docker.internal:host-gateway
        restart: unless-stopped
      oauth2-proxy:
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
        command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy.yaml
        hostname: oauth2-proxy
        volumes:
          - "./oauth2-proxy.yaml:/oauth2-proxy.yaml"
          - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
        restart: unless-stopped
        ports:
          - 4180:4180/tcp

oauth2-proxy.cfg

    http_address="0.0.0.0:4180"
    cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
    email_domains="example.com"
    cookie_secure="false"
    redirect_url="http://localhost:4180/oauth2/callback"

oauth2-proxy.yaml

    upstreams:
      - id: open-webui
        path: /
        uri: http://open-webui:8080
    injectRequestHeaders:
      - name: X-Forwarded-Email
        values:
          - claim: email
    providers:
      # Provide a list of providers to use for authentication
      # https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/
|
For anyone running Open WebUI inside of GCP, I've deployed Identity Aware Proxy with gcp-iap-auth as a reverse proxy to extract the email from the JWT. |
@cheahjs I believe a lot of people would find this tutorial useful, if you could make a PR here: https://github.com/open-webui/docs, we'd greatly appreciate it! Thanks for all the effort to make Open WebUI even better thus far! |
I agree super well done documentation! |
any luck setting this up with Authelia? |
I don't currently have time to test out an Authelia deployment, but the docs for setting up the necessary headers is over at https://www.authelia.com/integration/trusted-header-sso/introduction/ |
@cellulosa I can confirm this works with Authelia with the Remote-Email header too! Thanks @cheahjs !! |
Confirmed I've got this working with Traefik + Authentik 🎉

    services:
      open-webui:
        ...
        environment:
          WEBUI_AUTH_TRUSTED_EMAIL_HEADER: 'X-authentik-email'
        networks:
          - traefik-servicenet
        labels:
          traefik.enable: true
          traefik.http.routers.open-webui.middlewares: authentik
          traefik.http.middlewares.open-webui-auth.headers.customrequestheaders.X-authentik-email: "true"

Large example available here: #929 (comment) |
Nevermind, I managed! For all those interested: Set the email header in open-webui:

    environment:
      - WEBUI_AUTH_TRUSTED_EMAIL_HEADER=Remote-Email

Make sure to pass it in the

    {
      servers {
        trusted_proxies static private_ranges
      }
    }
    (authelia) {
      forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.{$MY_DOMAIN}/
        copy_headers Remote-Email
      }
    }
    chat.{$MY_DOMAIN} {
      import authelia
      reverse_proxy open-webui:8080
    }

Were
|
This sound absolutely fantastic! Is it possible to transmit the users role (admin, user etc) as trusted header, too? |
Anybody knows how to implement this using Keycloak? |
On my side, working well with oauth2-proxy. Below is the working config to add to your docker compose:
|
For oauth2-proxy and Keycloak, logout can be done by following URL
Refer to /src/routes/(app)/prompts/+layout.svelte. If we can find a way to change the sign-out button as below, it may solve the logout problem
|
re: #483 (comment) FYI Authentik auth seems to now be broken with the release of v0.1.124. Tried with both the same config as I had for v0.1.123 (auth enabled), and with a fresh deployment with empty DB etc... and auth disabled. I suspect it has something to do with this: #929 (comment) |
@sammcj Just pushed a fix for trusted header support, let me know if the issue persists! |
comment moved to #929 (comment) |
As mentioned by hkng, I think a post-logout redirect is needed. For the sake of completeness, a mechanism to correctly change the user when the user of the current token mismatches the trusted email header would be nice. As of now, changing the header value does not cause open-webui to change user until the sign out button is clicked. |
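The trusted-header flow the compose stacks above rely on, and the session/header mismatch described in this comment, as an added illustration in Python (not Open WebUI's own code): the resolver honours the header only when the request arrives from the proxy's address range (the same idea as the Caddyfile's `trusted_proxies static private_ranges`), normalises the email, applies an optional domain allow list like `email_domains` in the oauth2-proxy config, and switches user when the header disagrees with the current session. The header name, proxy CIDR list and domain list are assumed inputs constructed for this example.

```python
import ipaddress
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

# Assumed proxy address ranges (RFC 1918 plus loopback); constructed for this example.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Decision:
    email: Optional[str]   # identity to use for this request, None if rejected
    reason: str            # why the resolver decided as it did


def resolve_trusted_email(headers: Mapping[str, str], remote_addr: str,
                          session_email: Optional[str],
                          header_name: Optional[str] = None,
                          trusted_ranges: Sequence = PRIVATE_RANGES,
                          allowed_domains: Sequence[str] = ()) -> Decision:
    """Decide which user a request belongs to under trusted-header auth."""
    # Header name comes from the env var used in the compose stacks above.
    header_name = header_name or os.environ.get("WEBUI_AUTH_TRUSTED_EMAIL_HEADER", "")
    if not header_name:
        return Decision(session_email, "trusted-header auth disabled")
    # A header is only trustworthy if the peer that set it is the proxy itself;
    # anything arriving from elsewhere could carry a client-supplied value.
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in trusted_ranges):
        return Decision(None, "header ignored: request did not arrive via a trusted proxy")
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header_name.lower(), "").strip().lower()
    if "@" not in value:
        return Decision(None, "header missing or not an email")
    domain = value.rsplit("@", 1)[1]
    if allowed_domains and domain not in [d.lower() for d in allowed_domains]:
        return Decision(None, f"domain {domain} not in allow list")
    if session_email and session_email.lower() != value:
        # The proxy's identity wins over a stale session (the mismatch case above).
        return Decision(value, f"session user {session_email} replaced by header user")
    return Decision(value, "header user accepted")
```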
Hi! I was wondering if oauth2-proxy is still working (or probably I'm just setting it up wrong!). When I visit mydomain.com/oauth2/auth I can see these headers:
and I've tried setting both of these in docker-compose like:
So I think my headers are getting set, but when I visit openwebui I see:
|
Is there a way to redirect the user after a successful authentication using For example, I have my Open WebUI embedded in an html block of a Moodle instance (separate server) which utilizes a PHP script to call |
I'm confused. The documentation says a lot about ENV variables for OAuth. For instance: |
Is your feature request related to a problem? Please describe.
Add feature to enable account creation via OAuth/OIDC
Describe the solution you'd like
Integrating ollama-webui with auth providers such as Authentik, Keycloak, etc
Describe alternatives you've considered
N/A
Additional context
Being able to create a local account as an admin upon initialization should remain, but afterwards the admin account should be able to add the relevant information to change the default login page to redirect to a self-hosted OAuth/OIDC provider