feat: sync OIDC name/email for existing users on login

[jannikstdl]

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions to discuss your idea/fix with the community before creating a pull request, and describe your changes before submitting a pull request.

This is to ensure large feature PRs are discussed with the community first, before starting work on it. If the community does not want this feature or it is not relevant for Open WebUI as a project, it can be identified in the discussion before working on the feature and submitting the PR.

Before submitting, make sure you've checked the following:

• Target branch: Verify that the pull request targets the dev branch. Not targeting the dev branch will lead to immediate closure of the PR.
• Description: Provide a concise description of the changes made in this pull request down below.
• Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
• Documentation: If necessary, update relevant documentation Open WebUI Docs like environment variables, the tutorials, or other documentation sources.
• Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
• Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description.
• Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
• Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
• Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
  • BREAKING CHANGE: Significant changes that may affect compatibility
  • build: Changes that affect the build system or external dependencies
  • ci: Changes to our continuous integration processes or workflows
  • chore: Refactor, cleanup, or other non-functional code changes
  • docs: Documentation update or addition
  • feat: Introduces a new feature or enhancement to the codebase
  • fix: Bug fix or error correction
  • i18n: Internationalization or localization changes
  • perf: Performance improvement
  • refactor: Code restructuring for better maintainability, readability, or scalability
  • style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
  • test: Adding missing tests or correcting existing tests
  • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

• Add an opt-in OAuth/OIDC profile sync switch for existing users: OAUTH_SYNC_PROFILE_ON_LOGIN (default False).
• When enabled, update name and email on login for accounts matched by provider + sub.
• Keep profile picture sync behavior unchanged (OAUTH_UPDATE_PICTURE_ON_LOGIN).
• Keep auth/user email consistent by updating auth.email when user.email is synced.

Added

• New config key: OAUTH_SYNC_PROFILE_ON_LOGIN (oauth.sync_profile_on_login, default False).

Changed

• Existing-user OAuth callback now runs name/email sync only when OAUTH_SYNC_PROFILE_ON_LOGIN is enabled.
• Email sync now updates both user.email and auth.email.

Deprecated

• None.

Removed

• None.

Fixed

• Prevent stale profile data (name/email) for existing OAuth/OIDC users when IdP attributes change.

Security

• Existing email conflict protection remains: if incoming email belongs to another account, login continues and email is not overwritten.

Breaking Changes

• BREAKING CHANGE: None.

---

Additional Information

• Implementation updates:
  • backend/open_webui/config.py
  • backend/open_webui/utils/oauth.py
• Validation performed:
  • python3 -m py_compile backend/open_webui/config.py backend/open_webui/utils/oauth.py

Screenshots or Videos

• Not applicable (backend-only change).

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.

[pr-validator-bot]

👋 Welcome and Thank You for Contributing!

We appreciate you taking the time to submit a pull request to Open WebUI!

⚠️ Important: Testing Requirements

We've recently seen an increase in PRs that have significant issues:

• PRs that don't actually fix the bug they claim to fix
• PRs that don't implement the feature they describe
• PRs that break existing functionality
• PRs that are clearly AI-generated without proper testing being done by the author
• PRs that simply don't work as intended

These untested PRs consume significant time from maintainers and volunteer contributors who review and test PRs in their free time.
Time that could be spent testing other PRs or improving Open WebUI in other ways.

Before marking your PR as "Ready for Review":

Please explicitly confirm:

1. ✅ You have personally tested ALL changes in this PR
2. ✅ How you tested it (specific steps you took to verify it works)
3. ✅ Visual evidence where applicable (screenshots or videos showing the feature/fix working) - if applicable to your specific PR

If you're not certain your PR works exactly as intended, please leave it in DRAFT mode until you've thoroughly tested it.

Thank you for helping us maintain quality and respecting the time of our community! 🙏

[pr-validator-bot]

⚠️ Warning: Possible Non-Atomic / Scope Creep PR Detected

Your PR was subjected to automated review by AI to determine if it could fall under Open WebUI's non-atomicity ruleset or scope creep.

This PR appears to contain multiple unrelated changes that could be split into separate pull requests.

🔍 AI Analysis Summary

Primary Intent: Add timeout configurations to HTTP requests in audio.py for transcription and TTS services

Secondary Changes Detected:

• Add OAuth profile synchronization feature for existing OIDC users (name/email sync)
• New import AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST introduced

📝 Detailed Analysis and Full Report (click to expand)

This PR touches two completely independent modules for distinct purposes. (1) Audio.py changes add timeout parameters to HTTP requests - this is a fix/optimization to prevent hanging requests in transcription and TTS functions. (2) OAuth.py changes add a new feature to synchronize mutable user profile fields (name/email) when existing users log in via OIDC. These are compound intentions - the Pre-factor test confirms they could have been merged as separate PRs: the OAuth profile sync feature could have been submitted independently, and the audio timeout configuration could have been submitted as a separate fix/optimization. The changes affect different architectural layers (Authentication vs Audio processing) with no technical dependency between them.

Why Atomic PRs With Narrow Scopes Matter

Atomic PRs (single-purpose PRs) are:

• Easier to review - Reviewers can focus on one thing at a time
• Easier to test - Each change can be verified independently
• Easier to revert - If something breaks, we can revert just the problematic change
• Faster to merge - Smaller, focused PRs get reviewed and merged quicker

What Makes a PR Atomic / Narrow in Scope?

An atomic PR should contain one semantic change:

• ✅ Just one bug fix (even if it touches multiple files)
• ✅ Just one feature (even if it requires changes across multiple files)
• ✅ Just i18n/translation updates
• ✅ Just documentation updates
• ✅ Just refactoring of one specific thing
• ✅ Just one performance improvement

What To Do

This is an automated analysis. If you believe this assessment is incorrect and your PR is actually atomic (all changes serve one unified purpose), please explain in a comment below.

Consider splitting this PR into separate, focused pull requests. Each PR should address one specific thing.

For example, if you have a bug fix and a new feature, submit them as two separate PRs.

[tjbck]

9478c5e