Timothy Jaeryang Baek 1 mēnesi atpakaļ
vecāks
revīzija
91755309ce

+ 4 - 0
backend/open_webui/env.py

@@ -465,6 +465,10 @@ ENABLE_COMPRESSION_MIDDLEWARE = (
     os.environ.get("ENABLE_COMPRESSION_MIDDLEWARE", "True").lower() == "true"
 )
 
+ENABLE_OAUTH_SESSION_TOKENS_COOKIES = (
+    os.environ.get("ENABLE_OAUTH_SESSION_TOKENS_COOKIES", "True").lower() == "true"
+)
+
 
 ####################################
 # SCIM Configuration
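Review bot: The new `ENABLE_OAUTH_SESSION_TOKENS_COOKIES` flag carries no comment saying what it controls, and within this commit it is only consulted where `signout` in `routers/auths.py` clears the `oauth_*` cookies, not where `utils/oauth.py` sets them and not where `utils/auth.py` clears them on user mismatch, so the name promises more than the code delivers. A one-line comment pinning the intended contract would help, e.g. `# When true, OAuth id/access/refresh tokens are stored in HttpOnly cookies (oauth_id_token, oauth_access_token, oauth_refresh_token) and cleared on signout.` If false is meant to stop the cookies from being issued at all, that should be stated here so the set side and the clear side can be held to the same rule.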

+ 7 - 1
backend/open_webui/routers/auths.py

@@ -28,6 +28,7 @@ from open_webui.env import (
     WEBUI_AUTH_TRUSTED_GROUPS_HEADER,
     WEBUI_AUTH_COOKIE_SAME_SITE,
     WEBUI_AUTH_COOKIE_SECURE,
+    ENABLE_OAUTH_SESSION_TOKENS_COOKIES,
     WEBUI_AUTH_SIGNOUT_REDIRECT_URL,
     ENABLE_INITIAL_ADMIN_SIGNUP,
     SRC_LOG_LEVELS,
@@ -678,6 +679,7 @@ async def signout(request: Request, response: Response):
     response.delete_cookie("oui-session")
 
     if ENABLE_OAUTH_SIGNUP.value:
+        # TODO: update this to use oauth_session_tokens in User Object
         oauth_id_token = request.cookies.get("oauth_id_token")
         if oauth_id_token and OPENID_PROVIDER_URL.value:
             try:
@@ -687,7 +689,11 @@ async def signout(request: Request, response: Response):
                             openid_data = await resp.json()
                             logout_url = openid_data.get("end_session_endpoint")
                             if logout_url:
-                                response.delete_cookie("oauth_id_token")
+
+                                if ENABLE_OAUTH_SESSION_TOKENS_COOKIES:
+                                    response.delete_cookie("oauth_id_token")
+                                    response.delete_cookie("oauth_access_token")
+                                    response.delete_cookie("oauth_refresh_token")
 
                                 return JSONResponse(
                                     status_code=200,
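Review bot: The three `response.delete_cookie(...)` calls added inside the `if logout_url:` branch only run when the provider discovery request succeeds and advertises an `end_session_endpoint`; if it fails or the endpoint is absent, the `oauth_access_token` and `oauth_refresh_token` cookies written by `utils/oauth.py` survive the signout, and a refresh token is the one credential that should never outlive a logout. Move the three deletions up next to `response.delete_cookie("oui-session")` at the top of `signout` so they run on every signout path, and keep the `ENABLE_OAUTH_SESSION_TOKENS_COOKIES` check only if false actually prevents the cookies from being set (in this commit the set side in `utils/oauth.py` is not gated, so a false flag currently leaves all three cookies in place after signout, including `oauth_id_token`, which the code above still reads unconditionally). `signout` begins above this hunk and the `try` handler around the discovery request is outside it, so the failure path is inferred from the nesting visible here.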

+ 6 - 0
backend/open_webui/utils/auth.py

@@ -285,8 +285,14 @@ def get_current_user(
                     # Delete the token cookie
                     response.delete_cookie("token")
                     # Delete OAuth token if present
+
                     if request.cookies.get("oauth_id_token"):
                         response.delete_cookie("oauth_id_token")
+                    if request.cookies.get("oauth_access_token"):
+                        response.delete_cookie("oauth_access_token")
+                    if request.cookies.get("oauth_refresh_token"):
+                        response.delete_cookie("oauth_refresh_token")
+
                     raise HTTPException(
                         status_code=status.HTTP_401_UNAUTHORIZED,
                         detail="User mismatch. Please sign in again.",
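Review bot: The `if request.cookies.get(...)` guards wrapped around the new `delete_cookie` calls are redundant: as far as I know `Response.delete_cookie` only emits an expired `Set-Cookie` header, so calling it for a cookie the client did not send is harmless, and the guards just add branches to the 401 path. Three bare calls `response.delete_cookie("oauth_id_token")`, `response.delete_cookie("oauth_access_token")`, `response.delete_cookie("oauth_refresh_token")` under one comment such as `# Clear every OAuth session cookie so a mismatched user cannot keep using them` would read better and match the unconditional `delete_cookie("token")` just above. Note also that this clearing is not gated by `ENABLE_OAUTH_SESSION_TOKENS_COOKIES` while the equivalent block in `routers/auths.py` is; unconditional is the safer of the two, but the difference looks unintended. `get_current_user` begins and ends outside this hunk.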

+ 13 - 3
backend/open_webui/utils/oauth.py

@@ -626,6 +626,15 @@ class OAuthManager:
         )
 
         if ENABLE_OAUTH_SIGNUP.value:
+            oauth_id_token = token.get("id_token")
+            response.set_cookie(
+                key="oauth_id_token",
+                value=oauth_id_token,
+                httponly=True,
+                samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
+                secure=WEBUI_AUTH_COOKIE_SECURE,
+            )
+
             oauth_access_token = token.get("access_token")
             response.set_cookie(
                 key="oauth_access_token",
@@ -635,12 +644,13 @@ class OAuthManager:
                 secure=WEBUI_AUTH_COOKIE_SECURE,
             )
 
-            oauth_id_token = token.get("id_token")
+            oauth_refresh_token = token.get("refresh_token")
             response.set_cookie(
-                key="oauth_id_token",
-                value=oauth_id_token,
+                key="oauth_refresh_token",
+                value=oauth_refresh_token,
                 httponly=True,
                 samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
                 secure=WEBUI_AUTH_COOKIE_SECURE,
             )
+
         return response
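Review bot: `oauth_refresh_token = token.get("refresh_token")` is handed straight to `set_cookie` with no None check, and providers that were not asked for an offline scope, or that never issue refresh tokens, return no such field; `SimpleCookie` will most likely stringify the `None`, leaving the browser with a cookie whose value is literally `None`. Guard it with `if oauth_refresh_token:` around the `set_cookie` call, and apply the same guard to the `id_token` and `access_token` cookies above it, which share the pattern. Separately, none of the three `set_cookie` calls consult the `ENABLE_OAUTH_SESSION_TOKENS_COOKIES` flag this commit introduces while the matching `delete_cookie` calls in `routers/auths.py` do, so with the flag off the tokens are still written but never cleared on signout; the refresh token is a long-lived credential and deserves at least that gate, and the `TODO` left in `routers/auths.py` about `oauth_session_tokens` on the user object points at the better home for it, server side rather than in a browser cookie. The enclosing method starts above the first hunk of this file.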