1 month ago · 754f631a07
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -515,6 +515,13 @@ ENABLE_OAUTH_GROUP_CREATION = PersistentConfig(
 
				     os.environ.get("ENABLE_OAUTH_GROUP_CREATION", "False").lower() == "true",
			
 
				 )
			
 
				 
			
 
				+
			
 
				+OAUTH_BLOCKED_GROUPS = PersistentConfig(
			
 
				+    "OAUTH_BLOCKED_GROUPS",
			
 
				+    "oauth.blocked_groups",
			
 
				+    os.environ.get("OAUTH_BLOCKED_GROUPS", "[]"),
			
 
				+)
			
 
				+
			
 
				 OAUTH_ROLES_CLAIM = PersistentConfig(
			
 
				     "OAUTH_ROLES_CLAIM",
			
 
				     "oauth.roles_claim",
			
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -3,6 +3,7 @@ import logging
 
				 import mimetypes
			
 
				 import sys
			
 
				 import uuid
			
 
				+import json
			
 
				 
			
 
				 import aiohttp
			
 
				 from authlib.integrations.starlette_client import OAuth
			
@@ -24,6 +25,7 @@ from open_webui.config import (
 
				     ENABLE_OAUTH_ROLE_MANAGEMENT,
			
 
				     ENABLE_OAUTH_GROUP_MANAGEMENT,
			
 
				     ENABLE_OAUTH_GROUP_CREATION,
			
 
				+    OAUTH_BLOCKED_GROUPS,
			
 
				     OAUTH_ROLES_CLAIM,
			
 
				     OAUTH_GROUPS_CLAIM,
			
 
				     OAUTH_EMAIL_CLAIM,
			
@@ -59,6 +61,7 @@ auth_manager_config.OAUTH_MERGE_ACCOUNTS_BY_EMAIL = OAUTH_MERGE_ACCOUNTS_BY_EMAI
 
				 auth_manager_config.ENABLE_OAUTH_ROLE_MANAGEMENT = ENABLE_OAUTH_ROLE_MANAGEMENT
			
 
				 auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT = ENABLE_OAUTH_GROUP_MANAGEMENT
			
 
				 auth_manager_config.ENABLE_OAUTH_GROUP_CREATION = ENABLE_OAUTH_GROUP_CREATION
			
 
				+auth_manager_config.OAUTH_BLOCKED_GROUPS = OAUTH_BLOCKED_GROUPS
			
 
				 auth_manager_config.OAUTH_ROLES_CLAIM = OAUTH_ROLES_CLAIM
			
 
				 auth_manager_config.OAUTH_GROUPS_CLAIM = OAUTH_GROUPS_CLAIM
			
 
				 auth_manager_config.OAUTH_EMAIL_CLAIM = OAUTH_EMAIL_CLAIM
			
@@ -142,6 +145,12 @@ class OAuthManager:
 
				         log.debug("Running OAUTH Group management")
			
 
				         oauth_claim = auth_manager_config.OAUTH_GROUPS_CLAIM
			
 
				 
			
 
				+        try:
			
 
				+            blocked_groups = json.loads(auth_manager_config.OAUTH_BLOCKED_GROUPS)
			
 
				+        except Exception as e:
			
 
				+            log.exception(f"Error loading OAUTH_BLOCKED_GROUPS: {e}")
			
 
				+            blocked_groups = []
			
 
				+
			
 
				         user_oauth_groups = []
			
 
				         # Nested claim search for groups claim
			
 
				         if oauth_claim:
			
@@ -208,7 +217,11 @@ class OAuthManager:
 
				 
			
 
				         # Remove groups that user is no longer a part of
			
 
				         for group_model in user_current_groups:
			
 
				-            if user_oauth_groups and group_model.name not in user_oauth_groups:
			
 
				+            if (
			
 
				+                user_oauth_groups
			
 
				+                and group_model.name not in user_oauth_groups
			
 
				+                and group_model.name not in blocked_groups
			
 
				+            ):
			
 
				                 # Remove group from user
			
 
				                 log.debug(
			
 
				                     f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
			
@@ -238,6 +251,7 @@ class OAuthManager:
 
				                 user_oauth_groups
			
 
				                 and group_model.name in user_oauth_groups
			
 
				                 and not any(gm.name == group_model.name for gm in user_current_groups)
			
 
				+                and group_model.name not in blocked_groups
			
 
				             ):
			
 
				                 # Add user to group
			
 
				                 log.debug(