feat(config): add config OAUTH_CODE_CHALLENGE_METHOD

Add support to enable OIDC code challenge method (PKCE).
2025-08-18 02:35:53 +08:00 · 2025-03-26 18:24:49 +01:00 · 2025-03-26 18:24:49 +01:00 · 5c658a4879
commit 5c658a4879
parent 9cb1104f09
1 changed files with 16 additions and 3 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -456,6 +456,12 @@ OAUTH_SCOPES = PersistentConfig(
    os.environ.get("OAUTH_SCOPES", "openid email profile"),
 )

+OAUTH_CODE_CHALLENGE_METHOD = PersistentConfig(
+    "OAUTH_CODE_CHALLENGE_METHOD",
+    "oauth.oidc.code_challenge_method",
+    os.environ.get("OAUTH_CODE_CHALLENGE_METHOD", None),
+)
+
 OAUTH_PROVIDER_NAME = PersistentConfig(
    "OAUTH_PROVIDER_NAME",
    "oauth.oidc.provider_name",
@ -601,14 +607,21 @@ def load_oauth_providers():
    ):

        def oidc_oauth_register(client):
+            client_kwargs = {
+                "scope": OAUTH_SCOPES.value,
+            }
+
+            if OAUTH_CODE_CHALLENGE_METHOD.value and OAUTH_CODE_CHALLENGE_METHOD.value == "S256":
+                client_kwargs["code_challenge_method"] = "S256"
+            elif OAUTH_CODE_CHALLENGE_METHOD.value:
+                raise Exception('Code challenge methods other than "%s" not supported. Given: "%s"' % ("S256", OAUTH_CODE_CHALLENGE_METHOD.value))
+
            client.register(
                name="oidc",
                client_id=OAUTH_CLIENT_ID.value,
                client_secret=OAUTH_CLIENT_SECRET.value,
                server_metadata_url=OPENID_PROVIDER_URL.value,
-                client_kwargs={
-                    "scope": OAUTH_SCOPES.value,
-                },
+                client_kwargs=client_kwargs,
                redirect_uri=OPENID_REDIRECT_URI.value,
            )