fix: Default Group ID assignment on SSO/OAUTH and LDAP by Classic298 · Pull Request #19685 · open-webui/open-webui

Classic298 · 2025-12-02T12:04:51Z

Target branch: Verify that the pull request targets the dev branch. Not targeting the dev branch will lead to immediate closure of the PR.
Description: Provide a concise description of the changes made in this pull request down below.
Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
Documentation: If necessary, update relevant documentation Open WebUI Docs like environment variables, the tutorials, or other documentation sources.
Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description.
Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
- fix: Bug fix or error correction

Changelog Entry

Description

The DEFAULT_GROUP_ID admin setting (Admin Panel → Settings → General → Default Group) was only being applied to users who signed up via the email/password signup form. Users registering through OAuth/SSO (Azure AD, Google, GitHub, etc.), LDAP, or when manually created by an admin were not being added to the configured default group.

This fix ensures the default group setting is consistently applied across all user registration methods upon initial account creation.

Added

Default group assignment for OAuth/SSO users upon first registration
Default group assignment for LDAP users upon first registration
Default group assignment for users manually created by admins via the "Add User" endpoint
New utility function for default group assignment to eliminate code duplication

Changed

Refactored default group assignment logic into a single utility function to follow DRY principles
Default group is now only assigned during user creation, not re-applied during subsequent group synchronizations

Additional Information

Root Cause Analysis:

The original implementation only added default group assignment logic in the signup endpoint. The following registration flows were missing this logic:

Registration Method	Status Before	Status After
Email/Password Signup	Working	Working
OAuth/SSO	Missing	Fixed
LDAP	Missing	Fixed
Admin Add User	Missing	Fixed

Implementation Details:

Created a centralized utility function for default group assignment
Applied default group assignment at user creation in 4 locations: OAuth/SSO signup, LDAP creation, standard signup, and manual admin creation
Default group is assigned once at creation - subsequent group synchronization operations can modify group membership including removal from the default group if needed

Behavior:

The default group acts as an initial starting point for new users. After creation, group management systems have full control over group membership and may remove users from the default group during synchronization if it's not included in their external provider's group claims.

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

Co-authored-by: Tim Baek <[email protected]> Co-authored-by: Claude <[email protected]>

pr-validator-bot · 2025-12-02T12:05:28Z

👋 Welcome and Thank You for Contributing!

We appreciate you taking the time to submit a pull request to Open WebUI!

⚠️ Important: Testing Requirements

We've recently seen an increase in PRs that have significant issues:

PRs that don't actually fix the bug they claim to fix
PRs that don't implement the feature they describe
PRs that break existing functionality
PRs that are clearly AI-generated without proper testing being done by the author
PRs that simply don't work as intended

These untested PRs consume significant time from maintainers and volunteer contributors who review and test PRs in their free time.
Time that could be spent testing other PRs or improving Open WebUI in other ways.

Before marking your PR as "Ready for Review":

Please explicitly confirm:

✅ You have personally tested ALL changes in this PR
✅ How you tested it (specific steps you took to verify it works)
✅ Visual evidence where applicable (screenshots or videos showing the feature/fix working) - if applicable to your specific PR

If you're not certain your PR works exactly as intended, please leave it in DRAFT mode until you've thoroughly tested it.

Thank you for helping us maintain quality and respecting the time of our community! 🙏

Zyfax · 2025-12-02T12:36:49Z

Tested with OAuth (KeyCloak) and it fixes the issue where new users signing in with OAuth does not get the Default Group defined under Admin Panel, Settings, General.

As I can see and have tested, OI sign-up works (as it did before) and OAuth login (with no OI account registered) also works now with this fix.

siavashvj · 2025-12-02T15:00:26Z

Great job!

Tested and verified for:

SSO created users (Azure/Entra)
Manually created users (email/password, from Admin user settings).

NOT tested for:

OWUI-initiated signups (but this did work before as I understand).

Classic298 · 2025-12-02T15:03:57Z

@tjbck

tjbck · 2025-12-02T16:25:19Z

We should create a utility function for this.

tjbck

.

Classic298 · 2025-12-02T17:44:50Z

.

?

rgaricano · 2025-12-02T18:59:36Z

something like this?

Function to add in backend/open_webui/utils/auth.py

def assign_default_group(user_id: str, config, skip_if_group_managed: bool = True) -> bool:
    """
    Assign user to the configured default group if applicable.

    Args:
        user_id: The user ID to assign to the default group
        config: App config object containing DEFAULT_GROUP_ID
        skip_if_group_managed: If True, skip assignment when user is already in groups

    Returns:
        bool: True if user was added to default group, False otherwise
    """
    default_group_id = getattr(config, "DEFAULT_GROUP_ID", "")

    if not default_group_id:
        return False

    # Check if user is already in any groups (for OAuth/LDAP group management)
    if skip_if_group_managed:
        from open_webui.models.groups import Groups
        user_groups = Groups.get_groups_by_member_id(user_id)
        if user_groups:
            # User is already managed by group sync, don't override
            return False

    # Add user to default group
    from open_webui.models.groups import Groups
    try:
        Groups.add_users_to_group(default_group_id, [user_id])
        return True
    except Exception as e:
        log.error(f"Failed to add user {user_id} to default group {default_group_id}: {e}")
        return False

called:

else:
    # Assign default group if OAuth group management is disabled
    from open_webui.utils.auth import assign_default_group
    assign_default_group(user.id, request.app.state.config)

from:

OAuth

open-webui/backend/open_webui/utils/oauth.py

Line 1487 in 140605e
LDAP

open-webui/backend/open_webui/routers/auths.py

Line 460 in 140605e
Signin with Trusted Headers

open-webui/backend/open_webui/routers/auths.py

Line 524 in 140605e
Replace Existing Signup Logic (no external group management system is involved):
- Add default group assignament in the admin user creation endpoint
  Adding:

            from open_webui.utils.auth import assign_default_group
            assign_default_group(user.id, request.app.state.config, skip_if_group_managed=False)

after

open-webui/backend/open_webui/routers/auths.py

Line 834 in 140605e

if user:

default group assignment in the signup endpoint
Replace:

open-webui/backend/open_webui/routers/auths.py

Lines 703 to 705 in 140605e

    
           default_group_id = getattr(request.app.state.config, "DEFAULT_GROUP_ID", "") 
        
           if default_group_id and default_group_id: 
        
               Groups.add_users_to_group(default_group_id, [user.id])

With:

from open_webui.utils.auth import assign_default_group
assign_default_group(user.id, request.app.state.config, skip_if_group_managed=False)

silentoplayz · 2025-12-02T21:10:07Z

I’ve tested this PR and confirmed it works for both:

Manually created users (email/password) via the Admin → Users settings
Self-registered users who sign up through the Open WebUI signup page

LGTM! 👍🏼

Classic298 · 2025-12-02T21:10:35Z

Spirit, specter, ghost, and ghoul, Please don't reject my pull

Blood of dragon, scale of fish, git push --force is my only wish

backend/open_webui/utils/groups.py

Classic298 · 2025-12-02T21:15:26Z

Wingardium Leviosa, swish and flick, Give this PR a big green tick

(or purple)

backend/open_webui/utils/oauth.py

Added default group re-application after trusted header group sync

tjbck · 2025-12-02T21:47:58Z

🙌

) * fix (open-webui#99) Co-authored-by: Tim Baek <[email protected]> Co-authored-by: Claude <[email protected]> * Update auths.py * unified logic * PUSH * remove getattr * rem getattr * whitespace * Update oauth.py * trusted header group sync Added default group re-application after trusted header group sync * not apply after syncs * . * rem --------- Co-authored-by: Tim Baek <[email protected]> Co-authored-by: Claude <[email protected]>

* refac * refac * fix(i18n): correct Thai translation in sidebar (open-webui#19363) * Update translation.json (open-webui#19364) * refac * refac * fix: translation * refac: search chat postgres * fix(i18n): comprehensive revision and improvement of all Thai translations across the app (open-webui#19377) * Update translation.json (pt-BR) (open-webui#19384) new translations of the newly added items * refac/fix: chat search null byte filter * refac: clean null bytes on load * perf: 50x performance improvement for external embeddings (open-webui#19296) * Update utils.py (open-webui#77) Co-authored-by: Claude <[email protected]> * refactor: address code review feedback for embedding performance improvements (open-webui#92) Co-authored-by: Claude <[email protected]> * fix: prevent sentence transformers from blocking async event loop (open-webui#95) Co-authored-by: Claude <[email protected]> --------- Co-authored-by: Claude <[email protected]> * refac * refac * refac: models workspace optimization * feat/enh: move chats in folder on delete Co-Authored-By: expruc <[email protected]> * refac: rm folder id on chat archive * chore (open-webui#19389) * Upd:i18n es-ES_Spanish Translation_v0.6.37 (open-webui#19388) * Upd:i18n es-ES_Spanish Translation_v0.6.37 ### es-ES Spanish Translation v0.6.37 Added new strings. * Corrected string * refac * refac * refac * refac * chore: user header forward minimize code changes throughout codebase (open-webui#19392) * Update external.py * remove unused imports * Update ollama.py * Update ollama.py * Update ollama.py * Update openai.py * chore: google-genai bump * chore: Update README (open-webui#19398) * refac: disable single tilde * refac: sources and citations * refac * refac * enh: group members selector * refac * fix: kokorojs tts * refac * refac * refac/fix: refresh folder chat list * refac: folder page chat list * chore: format * refac * chore: CHANGELOG 0.6.37 (open-webui#19126) * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * refac * refac * refac: styling * refac: prompt suggestions component Co-Authored-By: Classic298 <[email protected]> * refac * refac * refac: styling * chore: format * refac: styling * refac * refac: styling * refac * chore: format * i18n: improve Chinese translation * fix: hybrid search * fix * refac/fix: oauth * fix: tool server save error handling * chore: bump * doc: changelog * Update docker-build.yaml * refac * Update translation.json (pt-BR) New translations of the items added in the latest version. * fix: "No connection adapters were found" routers/images.py (open-webui#19435) * Update knowledge.py (open-webui#19434) * refac/fix: db operations * Update translation.json (open-webui#19445) Co-authored-by: Tim Baek <[email protected]> * refac/breaking: docling params * fix: inline citations * refac/fix: group member user list * feat/enh: async embedding processing setting Co-Authored-By: Classic298 <[email protected]> * refac * feat/enh: tool server function name filter list * refac * refac: styling * feat/enh: show user count in channels * fix: ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSION env var * refac * feat: user list in channels * chore: version bump * refac * refac: styling * chore: add chardet (open-webui#19458) * Update pyproject.toml * Update requirements-min.txt * Update requirements.txt * Update requirements-min.txt * Update requirements.txt * Update pyproject.toml * refac * refac * refac * fix: i18n * chore: format * CHANGELOG: 0.6.39 (open-webui#19446) * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * refac/enh: copy formatted table * doc: changelog * fix: changelog * fix: postgres user list issue * chore: bump * chore: bump python-socketio==5.14.0 * Update CHANGELOG.md (open-webui#19463) * Update CHANGELOG.md * Update CHANGELOG.md * refac: channel user list order by * fix/refac: workspace shared model list * Merge pull request open-webui#19464 from aleixdorca/dev i18n: Update Catalan translation.json * fix: user preview profile image * refac/fix: function name filter type * refac * refac * fix: update dependency to prevent rediss:// failure (open-webui#19488) * Update pyproject.toml * Update requirements.txt * Update requirements-min.txt * i18n: de-de (open-webui#19471) * fix: async save docs to vector db * chore: dep bump pypdf to ver 6.4.0 (open-webui#19508) * Update pyproject.toml * Update requirements.txt * chore: Update pymilvus dep (open-webui#19507) * Update requirements.txt * Update pyproject.toml * chore: update transformers dependency to fix issue open-webui#19512 (open-webui#19513) * Update pyproject.toml * Update requirements.txt * Update requirements.txt * Update pyproject.toml * feat: also consider OAUTH_ROLES_SEPARATOR for string claims themselves (open-webui#19514) * i18n: improve Chinese translation (open-webui#19497) * refac * refac * refac/enh: knowledge base name on icon hover * refac/enh: drop profile_image_url field in responses * fix: correct role check on OAuth login (open-webui#19476) When a users role is switched from admin to user in the OAuth provider their groups are not correctly updated when ENABLE_OAUTH_GROUP_MANAGEMENT is enabled. * enh/feat: toggle folders & user perm * refac * fix: button without type (open-webui#19534) * refac: chat history data structure * enh: redis dict for internal models state Co-Authored-By: cw.a <[email protected]> * Update catalan translation.json (open-webui#19536) * feat/enh: channels unread messages count * refac/fix: files batch/add endpoint * feat/enh: group export endpoint * refac: hide channel add button for users * refac * refac * refac * feat: dm channels * refac * refac * refac * refac * chore: format * refac * refac * refac: styling * refac * Update french translation.json (open-webui#19547) * refac: db * refac * refac: rm print * refac * refac/fix: db migration issue * refac: hide active user count in sidebar user menu * refac: profile preview * enh: dm active user indicator * refac: styling * refac: user table db migration * refac: oauth_sub -> oauth migration * refac * refac: api_key table migration * refac: user oauth display * refac * enh/refac: deprecate USER_POOL * refac * refac: pin icons * refac: admin user list active indicator * refac * feat/enh: pinned messages in channels * refac * refac: styling * refac: styling * refac/enh: channel message * refac * refac/fix: ollama model delete * refac/fix: temp chat image generation * refac: db group * refac * refac: styling * refac * Update middleware.py * refac * refac: knowledge file delete behaviour * enh: message reaction user names * refac * refac * refac * refac: styling * refac * refac: styling * refac: styling * refac * refac * feat/enh: group channel * refac * feat/enh: add/remove users from group channel * refac * refac * feat/enh: dm from user profile preview * Update translation.json (pt-BR) (open-webui#19603) translations of the new items that have been included * refac * refac * refac * refac * refac * chore: otel bump * chore: otel bump * i18n: improve Chinese translation (open-webui#19651) * fix: audit * feat/enh: user status * refac * refac * Chore: dep bump (open-webui#19667) * Update pyproject.toml * Update requirements-min.txt * Update requirements.txt --------- Co-authored-by: Tim Baek <[email protected]> * refac * feat: signin rate limit * Update milvus_multitenancy.py (open-webui#19680) * refac * refac * fix/adjust web search to properly block domains (open-webui#19670) Co-authored-by: Tim Baek <[email protected]> * refac * refac * refac * refac: styling * refac: show connection type for custom models * refac * refac * feat/enh: kb files db migration * refac * refac/perf: has_access_to_file optimization * enh: group members endpoint * refac * refac * feat: Adds document intelligence model configuration (open-webui#19692) * Adds document intelligence model configuration Enables the configuration of the Document Intelligence model to be used by the RAG pipeline. This allows users to specify the model they want to use for document processing, providing flexibility and control over the extraction process. * Added Titel to Document Intelligence Model Config Added Titel to Document Intelligence Model Config * Fix dropdown backgrounds (open-webui#19693) * refac * fix: Update milvus.py (open-webui#19602) * Update milvus.py * Update milvus.py * Update milvus.py * Update milvus.py * Update milvus.py --------- Co-authored-by: Tim Baek <[email protected]> * Update milvus_multitenancy.py (open-webui#19695) * Update translation.json (open-webui#19696) * chore: format * fix: Default Group ID assignment on SSO/OAUTH and LDAP (open-webui#19685) * fix (open-webui#99) Co-authored-by: Tim Baek <[email protected]> Co-authored-by: Claude <[email protected]> * Update auths.py * unified logic * PUSH * remove getattr * rem getattr * whitespace * Update oauth.py * trusted header group sync Added default group re-application after trusted header group sync * not apply after syncs * . * rem --------- Co-authored-by: Tim Baek <[email protected]> Co-authored-by: Claude <[email protected]> * Update translation.json (open-webui#19697) * Update translation.json * Update translation.json * chore: bump * refac * chore: 0.6.41 Changelog (open-webui#19473) * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * chore: format * Fixes for requirements and audio --------- Co-authored-by: Timothy Jaeryang Baek <[email protected]> Co-authored-by: Siwadon S. (Jay) <[email protected]> Co-authored-by: Classic298 <[email protected]> Co-authored-by: joaoback <[email protected]> Co-authored-by: Claude <[email protected]> Co-authored-by: expruc <[email protected]> Co-authored-by: _00_ <[email protected]> Co-authored-by: Shirasawa <[email protected]> Co-authored-by: Alexandr Promakh <[email protected]> Co-authored-by: Aleix Dorca <[email protected]> Co-authored-by: gerhardj-b <[email protected]> Co-authored-by: Tobias Genannt <[email protected]> Co-authored-by: stevessr <[email protected]> Co-authored-by: cw.a <[email protected]> Co-authored-by: RomualdYT <[email protected]> Co-authored-by: Poccia <[email protected]> Co-authored-by: Henne <[email protected]> Co-authored-by: Matthew Kusz <[email protected]>

Classic298 and others added 2 commits December 2, 2025 13:02

fix (#99)

d38aac2

Co-authored-by: Tim Baek <[email protected]> Co-authored-by: Claude <[email protected]>

Update auths.py

75dbcdd

Classic298 changed the title ~~fix (#99)~~ fix: Default Group ID assignment on SSO/OAUTH and LDAP Dec 2, 2025

Classic298 requested a review from tjbck December 2, 2025 15:00

Classic298 marked this pull request as ready for review December 2, 2025 15:00

tjbck requested changes Dec 2, 2025

View reviewed changes

unified logic

c33835c

tjbck reviewed Dec 2, 2025

View reviewed changes

backend/open_webui/utils/groups.py Show resolved Hide resolved

PUSH

0b0a8bb

Classic298 added 2 commits December 2, 2025 22:18

remove getattr

95540b1

rem getattr

fc6c912

tjbck reviewed Dec 2, 2025

View reviewed changes

backend/open_webui/utils/oauth.py Outdated Show resolved Hide resolved

Classic298 added 6 commits December 2, 2025 22:23

whitespace

9345783

Update oauth.py

ea6ad5e

trusted header group sync

1597c9c

Added default group re-application after trusted header group sync

not apply after syncs

26f1666

.

e684df2

rem

0298e44

tjbck merged commit a49e1d8 into open-webui:dev Dec 2, 2025
0 of 2 checks passed

Classic298 deleted the patch-3 branch December 2, 2025 21:48

Uh oh!

Comments

Conversation

Classic298 commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changelog Entry

Description

Added

Changed

Additional Information

Contributor License Agreement

Uh oh!

pr-validator-bot commented Dec 2, 2025

👋 Welcome and Thank You for Contributing!

⚠️ Important: Testing Requirements

Before marking your PR as "Ready for Review":

Uh oh!

Zyfax commented Dec 2, 2025

Uh oh!

siavashvj commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Classic298 commented Dec 2, 2025

Uh oh!

tjbck commented Dec 2, 2025

Uh oh!

tjbck left a comment

Choose a reason for hiding this comment

Uh oh!

Classic298 commented Dec 2, 2025

Uh oh!

rgaricano commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

silentoplayz commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Classic298 commented Dec 2, 2025

Uh oh!

Uh oh!

Classic298 commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

tjbck commented Dec 2, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

Classic298 commented Dec 2, 2025 •

edited

Loading

siavashvj commented Dec 2, 2025 •

edited

Loading

rgaricano commented Dec 2, 2025 •

edited

Loading

silentoplayz commented Dec 2, 2025 •

edited

Loading

Classic298 commented Dec 2, 2025 •

edited

Loading