ContextQMD
Back to Authentik

Integrate with Open WebUI

website/integrations/miscellaneous/open-webui/index.md

latest4.2 KB
Original Source

What is Open WebUI

Open WebUI is a simple, self-hosted AI platform that works entirely offline. It supports tools like Ollama and OpenAI-style APIs and has a built-in engine for RAG tasks.

-- https://openwebui.com/

Preparation

The following placeholders are used in this guide:

  • openwebui.company is the FQDN of the Open WebUI installation.
  • authentik.company is the FQDN of the authentik installation.

:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. :::

authentik configuration

To support the integration of Open WebUI with authentik, you need to create an application/provider pair in authentik.

Create an application and provider in authentik

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
  • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
  • Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
  • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    • Note the Client ID, Client Secret, and slug values because they will be required later.
    • Set a Strict redirect URI to https://openwebui.company/oauth/oidc/callback.
    • Select any available signing key.
    • Make sure to leave the Encryption Key field empty.
  • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
  1. Click Submit to save the new application and provider.

Open WebUI configuration

To configure Open WebUI to use authentik, add the following environment variables to your Open WebUI deployment:

:::warning WEBUI_URL is persisted by Open WebUI and must be set before enabling SSO. If you change it later, disable persistent configuration or update the value in the Admin panel. More information is available in the Open WebUI documentation. :::

yaml
OAUTH_CLIENT_ID=<client_id>
OAUTH_CLIENT_SECRET=<client_secret>
OAUTH_PROVIDER_NAME=authentik
OPENID_PROVIDER_URL=https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
OPENID_REDIRECT_URI=https://openwebui.company/oauth/oidc/callback
WEBUI_URL=https://openwebui.company
# Allows auto-creation of new users using OAuth. Must be paired with ENABLE_LOGIN_FORM=false.
ENABLE_OAUTH_SIGNUP=true
# Disables user/password login form. Required when ENABLE_OAUTH_SIGNUP=true.
ENABLE_LOGIN_FORM=false
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true

Then restart Open WebUI to apply the changes.

Replace <application_slug> with the authentik application slug created earlier.

Configuration verification

  • Open your web browser and go to https://openwebui.company.
  • Make sure you are logged off any previous session.
  • Click Continue with authentik to log in.
  • After logging in, authentik will redirect you back to https://openwebui.company.
  • If you successfully return to the Open WebUI, the login is working correctly.

:::info Users are automatically created, but an administrator must update their role to at least User via the Web UI. To do so, log in as an administrator and access the Admin Panel (URL: https://openwebui.company/admin/users). Click the user whose role should be increased from Pending to at least User. More details on how to administer Open WebUI can be found here: https://docs.openwebui.com/. :::

Resources