issue: Error Logout with Google Oauth
Check Existing Issues
- [x] I have searched the existing issues and discussions.
- [x] I am using the latest version of Open WebUI.
Installation Method
Pip Install
Open WebUI Version
0.6.2
Ollama Version (if applicable)
No response
Operating System
Windows Server 2016
Browser (if applicable)
Chrome
Confirmation
- [x] I have read and followed all instructions in README.md.
- [x] I am using the latest version of both Open WebUI and Ollama.
- [x] I have included the browser console logs.
- [x] I have included the Docker container logs.
- [x] I have listed steps to reproduce the bug in detail.
Expected Behavior
When a user is logged in with Google OAuth, he can log out without problems
Actual Behavior
After version 0.6, when a user is logged in with Google OAuth, he is unable to log out:
Steps to Reproduce
- Login with Google Oauth
- Logout
Logs & Screenshots
Additional Information
No response
Missed this when checking issues before posting a discussion about OIDC: https://github.com/open-webui/open-webui/discussions/12605.
I think I have the same problem using Microsoft oauth.
I'm experiencing the same issue with Google OAuth on Chrome, but it doesn't appear on Firefox.
OS: Amazon Linux release 2023.6.20250317 (Amazon Linux)
OpenWebUI Version: 0.6.2
Browser: Google Chrome 135.0.7049.42
openwebui-1 | 2025-04-10 08:45:00.117 | ERROR | open_webui.routers.auths:signout:552 - OpenID signout error: - {}
openwebui-1 | 2025-04-10 08:45:00.118 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 10.0.10.72:0 - "GET /api/v1/auths/signout HTTP/1.1" 500 - {}
I cannot log out at all from the default user. Using version 0.6.2. No auth, just standard user/password logged in user.
I can logout from user/password logged in user, but not able to log out with Microsoft oauth. (0.6.2)
On 0.6.0 everything is working as expected.
On 0.6.1 I cannot log out from user/password AND from Microsoft oauth.
On 0.6.2 I can logout from user/password logged in user, but not able to log out with Microsoft oauth.
same
I managed to fix the unable to Sign Out issue by setting env OPENID_PROVIDER_URL=https://accounts.google.com/.well-known/openid-configuration.
For context, previously I only had these Google related envs:
- GOOGLE_CLIENT_ID
- GOOGLE_CLIENT_SECRET
Using Microsoft OAuth authentication here, saw the suggestion to set OPENID_PROVIDER_URL which fixed the issue for me.
@gvo didn't work for me. Which URL did you set it to? I have tried both https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration and https://login.microsoftonline.com/{my_tenant_id}/v2.0/.well-known/openid-configuration but it didn't work...
Exactly as you have https://login.microsoftonline.com/{redacted_tenant_id}/v2.0/.well-known/openid-configuration. Tested on both 0.6.2 and 0.6.5
@gvo for me it's not working... Could you please share with me the other env variables (related to OAuth) that you are setting? Maybe I'm not setting all needed variables.
I have the same issue, and created a duplicate ticket, before I became aware of this one. https://github.com/open-webui/open-webui/issues/12920
Any updates, regarding suggested solutions? I am using Microsoft Oauth.
As of v0.6.5:
- only login form: login/logout works, but buggy for multi user scenario
- only microsoft oauth: login works reliably, logout does not work
- login form + microsoft oauth: login and logout work, but this setup is not desirable for our use case
Hi,
I had that problem as well, using v0.6.5 and Microsoft.
ENABLE_LOGIN_FORM=False
ENABLE_OAUTH_SIGNUP=True
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=True
OPENID_PROVIDER_URL=https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration
MICROSOFT_CLIENT_ID=...
MICROSOFT_CLIENT_SECRET=...
MICROSOFT_CLIENT_TENANT_ID=...
CORS_ALLOW_ORIGIN=*
WEBUI_SECRET_KEY=...
WEBUI_URL=https://...
WEBUI_SESSION_COOKIE_SECURE=True
Adding OPENID_PROVIDER_URL seems to solve the problem, together with setting the "Front-channel logout URL" in Entra ID.
https://open-webi.url/auth
Thank you @athoik ! Just a note, you can find the URI under this section:
Browse to Identity > Applications > App registrations >
If we provide a wrong or empty OPENID_PROVIDER_URL, the sign out function will raise an error when the aiohttp client session tries to get an invalid URL address. The error type would be <class 'aiohttp.client_exceptions.InvalidUrlClientError'> and its string representation (repr) is InvalidUrlClientError.
try:
    async with ClientSession() as session:
        async with session.get(OPENID_PROVIDER_URL.value) as resp:
https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/auths.py#L558
The Python logger shown below catches the string of the client exception, which is the URL input for the get function. In this issue, since OPENID_PROVIDER_URL is an empty string "", the str of the exception for InvalidUrlClientError is also an empty string. Thus, maybe for a stronger log mode, we can provide the exception type or repr.
except Exception as e:
    log.error(f"OpenID signout error: {str(e)}")
    raise HTTPException(
        status_code=500,
        detail="Failed to sign out from the OpenID provider.",
    )
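Added example (not Open WebUI's code and not part of the comment above): a stdlib-only sketch of the suggested hardening, which checks OPENID_PROVIDER_URL before any HTTP call and logs the exception type so an empty str(e) no longer produces a blank "OpenID signout error:" line. `EmptyMessageError`, `describe_exception`, `check_provider_url` and `plan_signout` are hypothetical names, and falling back to a local-only sign-out instead of a 500 is an assumption of this sketch.

```python
from urllib.parse import urlsplit


class EmptyMessageError(Exception):
    """Constructed stand-in for an exception whose str() is empty, as the
    comment above reports for InvalidUrlClientError raised on a "" URL."""

    def __str__(self):
        return ""


def describe_exception(exc):
    """Return a description for the log that is never blank."""
    text = str(exc)
    name = type(exc).__qualname__
    return f"{name}: {text}" if text else f"{name} (empty message, repr={exc!r})"


def check_provider_url(url):
    """Return None if the discovery URL is usable, else a reason string."""
    if not url or not url.strip():
        return "OPENID_PROVIDER_URL is empty"
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return f"unsupported scheme {parts.scheme!r}, expected 'https'"
    if not parts.hostname:
        return "URL has no host"
    return None


def plan_signout(provider_url, discovery=None):
    """Decide what a sign-out handler should do (hypothetical helper).

    `discovery` is the already-parsed discovery document, if one was fetched.
    Returns ("redirect", endpoint) or ("local_only", reason).
    """
    problem = check_provider_url(provider_url)
    if problem:
        # Misconfiguration: clear the local session and log the reason,
        # rather than failing the whole request with a 500.
        return ("local_only", problem)
    endpoint = (discovery or {}).get("end_session_endpoint")
    if not endpoint:
        return ("local_only", "provider metadata has no end_session_endpoint")
    return ("redirect", endpoint)
```
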
Same issue, I don't see Open-Webui even attempting to make a logout call to the end_session_endpoint. Rest of the OIDC config works fine.
Quick check: it looks like the logout call is only made when ENABLE_OAUTH_SIGNUP=true; being a persistent variable, it appears you can only set it before the first run and it cannot be changed via the GUI.
So if this was not defined on first run, OIDC seems to partially work.
Perhaps a manual DB update?
Perhaps I am reading the code wrong in /backend/open_webui/routers/auths.py