
Issue: MCP with OAuth 2.1 Authorization/Token retrieval is broken in v0.6.41 #19823

@mllab-nl


Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.41

Ollama Version (if applicable)

No response

Operating System

Docker Ubuntu

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

High-level behaviour is:
You can add an MCP tool with OAuth 2.1 and dynamic client registration.
Connection test is green.
You can save it.

When you try to enable it in a chat you are redirected for authorization.
When you authorize you get back to open-webui, but the tool is still disabled.

If you dig into the logs you see something like:
ERROR | open_webui.models.oauth_sessions:create_session:142 - Error creating OAuth session: (sqlite3.IntegrityError) NOT NULL constraint failed: oauth_session.expires_at

This happens because the request to the token endpoint fails with 401, but is treated as a token. And that token does not have the expires_in property.

Why does it fail with 401?
When exchanging the code for a token, Open WebUI sends the wrong client_id and client_secret.
If the registered client_id = "ID1" and client_secret = "PWD1" it will send:
client_id: "ID1,ID1"
client_secret: "PWD1,PWD1"

Which looks like the root cause of this and most likely other observed behaviours.
My guess would be that the authentication library will concatenate the ID and secret defined in the Client with the additionally passed ones.
See:

auth_params["client_id"] = client_info.client_id

Please also consider token refresh to avoid the same problem.

This initial flow did work in v0.6.39.
Thank you!

Actual Behavior

You enable the MCP tool and are able to use it in the chat.

Steps to Reproduce

Described in expected

Logs & Screenshots

None

Additional Information

No response
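
An added example, not Open WebUI's code and not part of the original issue: a sketch of the two checks the report implies, rejecting a non-success token endpoint reply before it is stored as a session, and flagging a request body that carries a credential parameter more than once. All function names, the default TTL and the sample values are hypothetical, and the repeated-parameter wire form is an assumption about how "ID1,ID1" arises.

```python
from __future__ import annotations

import time
from urllib.parse import parse_qsl


class TokenExchangeError(Exception):
    """The token endpoint reply must not be stored as a session."""


def repeated_params(form_body: str) -> list[str]:
    """Parameter names that occur more than once in a form-encoded body."""
    seen, repeated = set(), set()
    for name, _ in parse_qsl(form_body, keep_blank_values=True):
        (repeated if name in seen else seen).add(name)
    return sorted(repeated)


def session_from_token_response(status: int, payload: dict,
                                now: float | None = None,
                                default_ttl: int = 3600) -> dict:
    """Build session fields only from a successful, well-formed reply."""
    if status != 200 or "error" in payload:
        raise TokenExchangeError(
            f"HTTP {status}: {payload.get('error', 'unknown_error')}")
    if not payload.get("access_token"):
        raise TokenExchangeError("response has no access_token")
    # expires_in is optional in OAuth 2.0; fall back to an assumed default
    # TTL so a NOT NULL expires_at column always receives a value.
    ttl = int(payload.get("expires_in", default_ttl))
    if ttl <= 0:
        raise TokenExchangeError("non-positive expires_in")
    now = time.time() if now is None else now
    return {"access_token": payload["access_token"],
            "refresh_token": payload.get("refresh_token"),
            "expires_at": int(now) + ttl}


# Constructed samples (not captured traffic).
BAD_BODY = "grant_type=authorization_code&code=abc&client_id=ID1&client_id=ID1"
REJECTED = (401, {"error": "invalid_client"})
GRANTED = (200, {"access_token": "tok", "token_type": "Bearer"})

if __name__ == "__main__":
    print("repeated:", repeated_params(BAD_BODY))
    try:
        session_from_token_response(*REJECTED)
    except TokenExchangeError as exc:
        print("not stored:", exc)
    print(session_from_token_response(*GRANTED, now=1_700_000_000))
```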


Labels: bug (Something isn't working)
