
Merge pull request #7551 from jonassvatos/patch-1

feat: Add OAUTH_ALLOWED_DOMAINS
Timothy Jaeryang Baek 4 months ago
parent
commit
f264d82d13
2 changed files with 11 additions and 0 deletions
  1. 6 0
      backend/open_webui/config.py
  2. 5 0
      backend/open_webui/utils/oauth.py

+ 6 - 0
backend/open_webui/config.py

@@ -429,6 +429,12 @@ OAUTH_ADMIN_ROLES = PersistentConfig(
     [role.strip() for role in os.environ.get("OAUTH_ADMIN_ROLES", "admin").split(",")],
 )
 
+OAUTH_ALLOWED_DOMAINS = PersistentConfig(
+    "OAUTH_ALLOWED_DOMAINS",
+    "oauth.allowed_domains",
+    [domain.strip() for domain in os.environ.get("OAUTH_ALLOWED_DOMAINS", "*").split(",")],
+)
+
 
 def load_oauth_providers():
     OAUTH_PROVIDERS.clear()
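Review bot: The entries parsed on the new `OAUTH_ALLOWED_DOMAINS` line are stripped but not case-normalised, and a stray comma (`example.com,`) leaves an empty `""` entry in the list; mail domains are case-insensitive, so an operator who writes `Example.com` silently locks out every `@example.com` login. Lower-casing and dropping empties here, `[domain.strip().lower() for domain in os.environ.get("OAUTH_ALLOWED_DOMAINS", "*").split(",") if domain.strip()]`, fixes the env-var path, but since this is a `PersistentConfig` the effective value presumably can also come from persisted config, so the comparison site in `oauth.py` should normalise as well rather than rely on this parse. Note that an empty or unset-to-blank variable yields a list without `*` and therefore rejects every OAuth login; that fail-closed behaviour is reasonable but deserves a comment, e.g. `# "*" disables the domain filter; an empty list rejects all OAuth sign-ins`.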

+ 5 - 0
backend/open_webui/utils/oauth.py

@@ -26,6 +26,7 @@ from open_webui.config import (
     OAUTH_USERNAME_CLAIM,
     OAUTH_ALLOWED_ROLES,
     OAUTH_ADMIN_ROLES,
+    OAUTH_ALLOWED_DOMAINS,
     WEBHOOK_URL,
     JWT_EXPIRES_IN,
     AppConfig,
@@ -49,6 +50,7 @@ auth_manager_config.OAUTH_PICTURE_CLAIM = OAUTH_PICTURE_CLAIM
 auth_manager_config.OAUTH_USERNAME_CLAIM = OAUTH_USERNAME_CLAIM
 auth_manager_config.OAUTH_ALLOWED_ROLES = OAUTH_ALLOWED_ROLES
 auth_manager_config.OAUTH_ADMIN_ROLES = OAUTH_ADMIN_ROLES
+auth_manager_config.OAUTH_ALLOWED_DOMAINS = OAUTH_ALLOWED_DOMAINS
 auth_manager_config.WEBHOOK_URL = WEBHOOK_URL
 auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
 
@@ -156,6 +158,9 @@ class OAuthManager:
         if not email:
             log.warning(f"OAuth callback failed, email is missing: {user_data}")
             raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+        if "*" not in auth_manager_config.OAUTH_ALLOWED_DOMAINS and email.split("@")[-1] not in auth_manager_config.OAUTH_ALLOWED_DOMAINS:
+            log.warning(f"OAuth callback failed, e-mail domain is not in the list of allowed domains: {user_data}")
+            raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
 
         # Check if the user exists
         user = Users.get_user_by_oauth_sub(provider_sub)
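Review bot: The comparison on the new `if` line is case-sensitive on both sides, so a provider returning `User@Example.COM`, or an operator configuring `Example.com`, fails the check even though mail domains are case-insensitive; the function this runs in begins before the hunk. Normalise at the point of comparison, since the list may be loaded from persisted config and not only from the env parse: `email_domain = email.split("@")[-1].lower()` / `allowed = {d.lower() for d in auth_manager_config.OAUTH_ALLOWED_DOMAINS}` / `if "*" not in allowed and email_domain not in allowed:`. Separately, the gate trusts the `email` claim as delivered: if the provider does not assert the address is verified, anyone able to register an unverified address at an allowed domain passes it, so honouring an `email_verified` claim where the provider supplies one would close that gap (where `email` is extracted from `user_data` is outside the hunk, so I cannot confirm whether that is already done). Like the existing warning above it, the new log line dumps the whole `user_data` object, which may contain PII or provider tokens; logging only the rejected domain, `log.warning(f"OAuth callback failed, e-mail domain {email_domain!r} is not in OAUTH_ALLOWED_DOMAINS")`, would be safer.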