Migrating Open WebUI Users To Authentik

Overview

This will allow you to use OAuth between Open WebUI and Authentik. The problem (as usual) is associating existing users with their identity/account in Authentik. This is how you can do it.

I will be using a container-based install.

Authentik Configuration

Follow the directions from the Authentik documentation:

  1. Log in to authentik as an admin, and open the authentik Admin interface.
  2. Navigate to Applications > Applications and click Create with Provider to create an application and provider pair.
  3. Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
  4. Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
  5. Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  6. Note the Client ID, Client Secret, and slug values because they will be required later.
  7. Set a Strict redirect URI to https://openwebui.company/oauth/oidc/callback.
  8. Select any available signing key.
  9. Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user’s My applications page.
  10. Click Submit to save the new application and provider.

Open WebUI Docker

Set the following as environment variables

Restart the container and go to the login screen. You will see a new option below the Sign in button.

Migration

Once you have verified it's up and running, you won't be able to log in using your existing accounts.

Stop the container.

Navigate to the mount point /app/backend/data. There will be a SQLite3 database called webui.db. You can edit it directly, but make sure you have a backup first.

Download and run a SQLite client. I chose SQLite Browser.

Open the webui.db file and go to the table users. Query it and it will show a list of all the users created in Open WebUI.

Each user will have a column called oauth_sub. If this column does not exist, try allowing new user sign-ups and create a new account using Authentik. The column needs the sub value from Authentik. To get this in Authentik, go to Admin interface > Applications > Providers > [Open WebUI provider] > Preview. Select a user and read the sub value from the JWT payload.

In the SQLite client, enter the value oidc@[authentik sub] into that column. Using the example above, it will be oidc@cacf7c8633c30e7cbcdebabe969ece

Repeat for each user.

Once complete, ensure the updated webui.db file is in the container mount point and start the container back up.
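The per-user edits above, scripted as an added example that is not from the post or from Open WebUI: it backs up webui.db, then writes oidc@<sub> into oauth_sub for each account matched by email, skipping accounts that are unknown or already linked. It assumes a users table with email and oauth_sub columns as the post describes (check the actual table name in your own database) and a mapping you fill in from the provider's Preview page; make_sample_db only builds a constructed stand-in for trying the script out.

```python
import shutil
import sqlite3

# Constructed mapping of Open WebUI account email -> Authentik "sub" (read from the
# provider's Preview page). These sub values are placeholders, not real identifiers.
SUB_BY_EMAIL = {
    "alice@example.com": "SUB_FOR_ALICE_PLACEHOLDER",
    "bob@example.com": "SUB_FOR_BOB_PLACEHOLDER",
}


def oauth_sub_value(authentik_sub: str) -> str:
    """Value Open WebUI stores for an OIDC-linked account: provider prefix plus sub."""
    return f"oidc@{authentik_sub}"


def make_sample_db(path: str) -> None:
    """Constructed stand-in for webui.db with only the columns this script touches."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT, oauth_sub TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("1", "alice@example.com", None),                 # not yet linked
        ("2", "bob@example.com", "oidc@ALREADY_LINKED"),  # linked earlier; must be left alone
    ])
    con.commit()
    con.close()


def migrate(db_path: str, sub_by_email: dict, table: str = "users") -> dict:
    """Back up the database, then link each listed account by email. Returns a summary."""
    backup = shutil.copy(db_path, f"{db_path}.bak")   # always keep a copy of the original
    summary = {"updated": 0, "skipped": [], "backup": backup}
    con = sqlite3.connect(db_path)
    try:
        for email, sub in sub_by_email.items():
            # `table` is a fixed identifier chosen by the operator, never user input;
            # the email and sub values go through bound parameters.
            row = con.execute(f"SELECT oauth_sub FROM {table} WHERE email = ?", (email,)).fetchone()
            if row is None or row[0]:
                summary["skipped"].append(email)   # unknown account, or already linked
                continue
            con.execute(f"UPDATE {table} SET oauth_sub = ? WHERE email = ?",
                        (oauth_sub_value(sub), email))
            summary["updated"] += 1
        con.commit()
    finally:
        con.close()
    return summary
```

Run it against a copy of webui.db while the container is stopped, then compare the summary against the list of accounts you expected to link before copying the file back.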

Summary

This was not the easiest task, but also not the hardest. It shows the importance of securing your volumes: anyone with write access to the data volume could put their own identity into a user's oauth_sub column and take over that account.

Integrate with Open WebUI

DB Browser for SQLite

About Danny

I.T. software professional, always studying and applying the knowledge gained; one way of doing this is to blog. Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang is working in the field that he has aimed for since leaving school. This entry was posted in Infrastructure, Security.
