diff --git a/docs/features/auth/sso/index.mdx b/docs/features/auth/sso/index.mdx index 0e7d9f74..f6dbb3f5 100644 --- a/docs/features/auth/sso/index.mdx +++ b/docs/features/auth/sso/index.mdx @@ -17,11 +17,11 @@ Check out our [troubleshooting guide](https://docs.openwebui.com/troubleshooting ::: -:::danger - -Right now, you can only configure one OAUTH provider at a time. -You cannot have Microsoft **and** Google as providers simultaneously. +:::danger Only One OIDC Provider Supported +Right now, you can only configure **one** OpenID Connect (OIDC) provider at a time via `OPENID_PROVIDER_URL`. +You cannot have Microsoft **and** Google as OIDC providers simultaneously. +*However, there is a community workaround for using both! See our [Dual OAuth Tutorial](/tutorials/tips/dual-oauth-configuration) for more details.* ::: ## OAuth Configuration Overview @@ -131,6 +131,9 @@ The following environment variables are used: ::: +:::tip Community Workaround: Multi-Provider OAuth +If you need to support both Microsoft and Google simultaneously, check out our **[Dual OAuth Configuration Tutorial](/tutorials/tips/dual-oauth-configuration)**. +::: ### OAuth Role Management Any OAuth provider that can be configured to return roles in the access token can be used to manage roles in Open WebUI. diff --git a/docs/tutorials/tips/dual-oauth-configuration.mdx b/docs/tutorials/tips/dual-oauth-configuration.mdx new file mode 100644 index 00000000..9dd3e8ca --- /dev/null +++ b/docs/tutorials/tips/dual-oauth-configuration.mdx @@ -0,0 +1,64 @@ +--- +title: Dual OAuth Configuration (Microsoft & Google) +sidebar_label: Dual OAuth Configuration +sidebar_position: 100 +description: Learn how to configure both Microsoft and Google OAuth providers simultaneously in Open WebUI using an unofficial community workaround. +--- + +# 🔐 Dual OAuth Configuration (Microsoft & Google) + +:::caution Unofficial Workaround +This configuration is a community-contributed workaround and is **not officially supported** by the Open WebUI team. While it works in current versions, behavior may change in future updates. This tutorial serves as a demonstration for advanced users. +::: + +## Overview + +While Open WebUI officially supports only one **OpenID Connect (OIDC)** provider at a time via the `OPENID_PROVIDER_URL` variable, it is possible to support both **Microsoft** and **Google** simultaneously. + +The trick is to configure one provider (e.g., Microsoft) as the primary OIDC provider and the other (e.g., Google) as a standard OAuth provider by utilizing Open WebUI's built-in support for specific providers. + +## Prerequisites + +- Access to your Open WebUI environment variables (Docker or local). +- Client IDs and Secrets from both [Google Cloud Console](https://console.cloud.google.com/) and [Microsoft Azure/Entra ID](https://entra.microsoft.com/). +- `OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true` must be enabled to ensure users are mapped to the same account regardless of the provider used. + +## Configuration logic + +Open WebUI uses `OPENID_PROVIDER_URL` as a generic "catch-all" for OIDC. However, it also has native modules for Google and Microsoft. By leaving the `OPENID_PROVIDER_URL` for Microsoft and providing only the Client IDs for Google, the system can internalize both flows. + +## Environment Variables + +Add the following to your `docker-compose.yaml` or environment config: + +```bash +# Enable signup and account merging (CRITICAL) +ENABLE_OAUTH_SIGNUP=true +OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true + +# 1. Microsoft as the primary OIDC provider +# This uses the generic OIDC flow via the OPENID_PROVIDER_URL +MICROSOFT_CLIENT_ID=your_microsoft_client_id +MICROSOFT_CLIENT_SECRET=your_microsoft_client_secret +MICROSOFT_CLIENT_TENANT_ID=your_tenant_id +MICROSOFT_REDIRECT_URI=https://your-webui.com/oauth/microsoft/callback +OPENID_PROVIDER_URL=https://login.microsoftonline.com/your_tenant_id/v2.0/.well-known/openid-configuration + +# 2. Google as a secondary OAuth provider +# Note: Do NOT provide an OPENID_PROVIDER_URL for Google. +# The system will use its internal Google OAuth implementation. +GOOGLE_CLIENT_ID=your_google_client_id +GOOGLE_CLIENT_SECRET=your_google_client_secret +``` + +## Why This Works + +1. **Microsoft** is handled via the generic OIDC flow because `OPENID_PROVIDER_URL` is set to the Microsoft endpoint. +2. **Google** is handled via the dedicated internal Google OAuth module because the system detects `GOOGLE_CLIENT_ID` but sees that the global `OPENID_PROVIDER_URL` is already "claimed" by Microsoft or simply isn't needed for the built-in Google module. +3. **Account Merging**: Since both providers return the user's email, `OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true` ensures the user logs into the same profile whether they click "Sign in with Google" or "Sign in with Microsoft." + +## Troubleshooting + +- **Redirect Mismatch**: Ensure your Redirect URIs in both consoles match your `WEBUI_URL`. +- **Merge Failures**: Double-check that `OAUTH_MERGE_ACCOUNTS_BY_EMAIL` is set to `true`. +- **Microsoft Logout**: Microsoft often requires the `OPENID_PROVIDER_URL` to handle the logout redirect correctly. If logout fails, ensure this URL is correct for your tenant.