Draft
1 change: 1 addition & 0 deletions docs/features/access-security/auth/sso/index.mdx
@@ -165,6 +165,7 @@ The following environment variables are used:
1. `OAUTH_SCOPES` - Scopes to request. Defaults to `openid email profile`
1. `OPENID_REDIRECT_URI` - The redirect URI configured in your OIDC application. This must be set to `<open-webui>/oauth/oidc/callback`.
1. `OAUTH_AUDIENCE` - Optional `audience` value that will be passed to the oauth provider's authorization endpoint as an additional query parameter.
1. `OAUTH_AUTHORIZE_PARAMS` - Optional JSON object of extra query parameters to append to the OIDC authorization redirect URL. Useful for OIDC brokers (CILogon, Keycloak, Dex, etc.) that support parameters to pre-select or restrict the upstream identity provider. For example: `{"idphint": "urn:mace:incommon:ucsc.edu"}` for CILogon, `{"kc_idp_hint": "google"}` for Keycloak, or `{"acr_values": "https://refeds.org/profile/mfa"}` to require MFA. Invalid JSON is logged as a warning and ignored.

:::warning

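Review bot: the `acr_values` example in the added `OAUTH_AUTHORIZE_PARAMS` item says it is used "to require MFA", but `acr_values` is only a request hint to the authorization server: whether the provider honours it, and whether the resulting ID token carries a matching `acr` claim, is up to the provider, and nothing in this hunk says the application checks the `acr` claim after the callback. Suggest rewording to "to request MFA (the provider decides whether to honour the hint; verify the `acr` claim in the ID token if you need enforcement)". The last sentence, "Invalid JSON is logged as a warning and ignored", should also match the reference page in the same PR, which distinguishes invalid JSON (logged) from valid JSON that is not an object (silently ignored).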
24 changes: 24 additions & 0 deletions docs/reference/env-configuration.mdx
@@ -5164,6 +5164,30 @@ This is useful when you need a JWT access token for downstream validation or whe

:::

#### `OAUTH_AUTHORIZE_PARAMS`

- Type: `str` (JSON object)
- Default: Empty string (`''`)
- Description: A JSON object of extra query parameters to append to the OIDC authorization redirect URL. Its key/value pairs are merged into the kwargs passed to authlib's `authorize_redirect()`, which passes them verbatim to the authorization URL query string. This is useful when using an OIDC broker (such as CILogon, Keycloak, or Dex) that supports parameters to pre-select or restrict the upstream identity provider picker.
- Persistence: This environment variable is a `PersistentConfig` variable.

:::info

**Common examples:**

| Broker | Parameter | Example |
|--------|-----------|---------|
| CILogon | `idphint` | `{"idphint": "urn:mace:incommon:ucsc.edu"}` |
| Keycloak | `kc_idp_hint` | `{"kc_idp_hint": "google"}` |
| Dex | `connector_id` | `{"connector_id": "ldap"}` |
| Any provider | `acr_values` | `{"acr_values": "https://refeds.org/profile/mfa"}` |

Multiple parameters can be combined in a single JSON object, e.g. `{"idphint": "urn:mace:incommon:ucsc.edu", "skin": "myapp"}`.

Invalid JSON is caught and logged as a warning; non-dict JSON (e.g. an array) is silently ignored. `OAUTH_AUDIENCE` behaviour is not affected.

:::

#### `OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE`

- Type: `bool`
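Review bot: the description says the JSON keys are merged into the kwargs for authlib's `authorize_redirect()` and passed verbatim to the query string, but it does not say what happens when a key collides with a parameter the integration or authlib already sets (`redirect_uri`, `scope`, `state`, `nonce`, `response_type`, `client_id`, or `audience` from `OAUTH_AUDIENCE`). Since `state` and `nonce` are what protect the flow against CSRF and replay, the page should state whether such keys are rejected, dropped, or allowed to override the defaults, and "`OAUTH_AUDIENCE` behaviour is not affected" should say which value wins when `audience` appears in both. Separately, "non-dict JSON (e.g. an array) is silently ignored" deserves the same warning log as the invalid-JSON case; an operator who sets `["idphint"]` by mistake currently gets no signal that the setting did nothing.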