feat: new OAUTH_AUDIENCE config (#19768)

* feat: new config AUTH0_AUDIENCE * feat: OAUTH_AUDIENCE config
2025-12-15 19:37:47 +01:00 · 2025-12-06 08:45:34 -07:00
parent 0617ede0eb
commit 492c8bac09
2 changed files with 13 additions and 1 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -629,6 +629,11 @@ OAUTH_ACCESS_TOKEN_REQUEST_INCLUDE_CLIENT_ID = (
    == "true"
 )

+OAUTH_AUDIENCE = PersistentConfig(
+    "OAUTH_AUDIENCE",
+    "oauth.audience",
+    os.environ.get("OAUTH_AUDIENCE", ""),
+)

 def load_oauth_providers():
    OAUTH_PROVIDERS.clear()
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -55,6 +55,7 @@ from open_webui.config import (
    OAUTH_ALLOWED_DOMAINS,
    OAUTH_UPDATE_PICTURE_ON_LOGIN,
    OAUTH_ACCESS_TOKEN_REQUEST_INCLUDE_CLIENT_ID,
+    OAUTH_AUDIENCE,
    WEBHOOK_URL,
    JWT_EXPIRES_IN,
    AppConfig,
@@ -126,6 +127,7 @@ auth_manager_config.OAUTH_ALLOWED_DOMAINS = OAUTH_ALLOWED_DOMAINS
 auth_manager_config.WEBHOOK_URL = WEBHOOK_URL
 auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
 auth_manager_config.OAUTH_UPDATE_PICTURE_ON_LOGIN = OAUTH_UPDATE_PICTURE_ON_LOGIN
+auth_manager_config.OAUTH_AUDIENCE = OAUTH_AUDIENCE


 FERNET = None
@@ -1270,7 +1272,12 @@ class OAuthManager:
        client = self.get_client(provider)
        if client is None:
            raise HTTPException(404)
-        return await client.authorize_redirect(request, redirect_uri)
+        
+        kwargs = {}
+        if (auth_manager_config.OAUTH_AUDIENCE):
+            kwargs["audience"] = auth_manager_config.OAUTH_AUDIENCE
+
+        return await client.authorize_redirect(request, redirect_uri, **kwargs)

    async def handle_callback(self, request, provider, response):
        if provider not in OAUTH_PROVIDERS: