Merge pull request #709 from open-webui/mcp-oauth

Update env-configuration.md
2026-01-02 17:59:41 +07:00 · 2025-09-25 13:13:02 +02:00
parent ffe3667b4e 93967a9aad
commit 1d0d047148
2 changed files with 16 additions and 9 deletions
--- a/docs/features/sso/index.mdx
+++ b/docs/features/sso/index.mdx
@@ -39,15 +39,16 @@ You cannot have Microsoft **and** Google as providers simultaneously.

 | Environment Variable                  | Default   | Description                                                                                                                             |
 |---------------------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------|
-| `WEBUI_URL`                          | —         | **Required.** Your public WebUI address, e.g., `http://localhost:8080`.                                                                |
-| `ENABLE_OAUTH_PERSISTENT_CONFIG`      | `true`    | Persist OAuth config to the database; set to `false` for stateless/containerized environments.                                          |
-| `ENABLE_OAUTH_SIGNUP`                 | `false`   | Allows account creation upon OAuth login (separate from `ENABLE_SIGNUP`).                                                               |
-| `OAUTH_MERGE_ACCOUNTS_BY_EMAIL`       | `false`   | Merge OAuth logins based on matching email (⚠️ caution: can be insecure if provider doesn't verify emails).                             |
-| `OAUTH_UPDATE_PICTURE_ON_LOGIN`       | `true`    | Update user profile pictures from OAuth provider with each login.                                                                       |
-| `OAUTH_PICTURE_CLAIM`                 | `picture` | Field in the claim containing the profile picture. Set to empty string to disable picture updates (users receive default icon).         |
-| `WEBUI_AUTH_SIGNOUT_REDIRECT_URL`     | *empty*   | Redirect users to this URL after signout. E.g., `https://your-company.com/logout-success`                                               |
-| `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY`  | `WEBUI_SECRET_KEY` | **Required.** A secret key for encrypting OAuth tokens stored on the server. Must be shared across all instances in a cluster. |
-| `ENABLE_OAUTH_ID_TOKEN_COOKIE`        | `true`    | For backward compatibility. Controls if the legacy `oauth_id_token` cookie is set. Recommended to set to `false`.                       |
+| `WEBUI_URL`                          | —                   | **Required.** Your public WebUI address, e.g., `http://localhost:8080`.                                                        |
+| `ENABLE_OAUTH_PERSISTENT_CONFIG`      | `true`             | Persist OAuth config to the database; set to `false` for stateless/containerized environments.                                 |
+| `ENABLE_OAUTH_SIGNUP`                 | `false`            | Allows account creation upon OAuth login (separate from `ENABLE_SIGNUP`).                                                      |
+| `OAUTH_MERGE_ACCOUNTS_BY_EMAIL`       | `false`            | Merge OAuth logins based on matching email (⚠️ caution: can be insecure if provider doesn't verify emails).                    |
+| `OAUTH_UPDATE_PICTURE_ON_LOGIN`       | `true`             | Update user profile pictures from OAuth provider with each login.                                                              |
+| `OAUTH_PICTURE_CLAIM`                 | `picture`          | Field in the claim containing the profile picture. Set to empty string to disable picture updates (users receive default icon).|
+| `WEBUI_AUTH_SIGNOUT_REDIRECT_URL`     | *empty*            | Redirect users to this URL after signout. E.g., `https://your-company.com/logout-success`                                      |
+| `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY`  | `WEBUI_SECRET_KEY` | A secret key for encrypting OAuth tokens stored on the server. Must be shared across all instances in a cluster.               |
+| `OAUTH_CLIENT_INFO_ENCRYPTION_KEY`    | `WEBUI_SECRET_KEY` | A secret key for encrypting OAuth client information stored on the server - used for OAuth 2.1 authentication for MCP servers. |
+| `ENABLE_OAUTH_ID_TOKEN_COOKIE`        | `true`             | For backward compatibility. Controls if the legacy `oauth_id_token` cookie is set. Recommended to set to `false`.              |

 :::warning

--- a/docs/getting-started/env-configuration.md
+++ b/docs/getting-started/env-configuration.md
@@ -2946,6 +2946,12 @@ If the OAuth picture claim is disabled by setting `OAUTH_PICTURE_CLAIM` to `''`
 - Description: Controls whether the **legacy** `oauth_id_token` cookie (unsafe, not recommended, token can go stale/orphaned) is set in the browser upon a successful OAuth login. This is provided for **backward compatibility** with custom tools or older versions that might rely on scraping this cookie. **The new, recommended approach is to use the server-side session management.**
 - Usage: For new and secure deployments, **it is recommended to set this to `False`** to minimize the information exposed to the client-side. Keep it as `True` only if you have integrations that depend on the old cookie-based method.

+#### `OAUTH_CLIENT_INFO_ENCRYPTION_KEY`
+
+- Type: `str`
+- Default: Falls back to the value of `WEBUI_SECRET_KEY`.
+- Description: Specifies the secret key used to encrypt and decrypt OAuth client tokens stored server-side in the database. This is a critical security component for OAuth client tokens. If not set, it defaults to using the main `WEBUI_SECRET_KEY`, but it is highly recommended to set it to a unique, securely generated value for production environments. `OAUTH_CLIENT_INFO_ENCRYPTION_KEY` is used in conjunction with OAuth 2.1 MCP server authentication.
+
 #### `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY`

 - Type: `str`