feat(web-app-openwebui): add OIDC support via env.j2 with feature flag

Enables OIDC login by adding feature flag (features.oidc), rendering OIDC-related environment variables, and introducing OPENWEBUI_OIDC_ENABLED. Conversation: https://chatgpt.com/share/68d18e02-d6b8-800f-aaab-920c61b9284a
2025-09-24 11:06:24 +02:00 · 2025-09-22 19:57:55 +02:00
parent e20a709f04
commit 70d395ed15
4 changed files with 48 additions and 2 deletions
--- a/roles/web-app-openwebui/config/main.yml
+++ b/roles/web-app-openwebui/config/main.yml
@@ -6,6 +6,7 @@ features:
  logout:           true
  javascript:       false
  local_ai:         true
+  oidc:             true
 server:
  domains:
    canonical:
--- a/roles/web-app-openwebui/schema/main.yml
+++ b/roles/web-app-openwebui/schema/main.yml
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
@@ -1,5 +1,49 @@
-# Open WebUI
+# Documentation: https://docs.openwebui.com/getting-started/env-configuration/
+
+# =========================
+# Open WebUI Base Settings
+# =========================
 OLLAMA_BASE_URL={{ OLLAMA_BASE_LOCAL_URL }}
 OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
 HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
-ENABLE_PERSISTENT_CONFIG=False
+ENABLE_PERSISTENT_CONFIG=false
+
+{% if OPENWEBUI_OIDC_ENABLED %}
+# =========================
+# OIDC / OAuth2 Settings
+# =========================
+# Enable sign-up/login via OIDC provider
+ENABLE_OAUTH_SIGNUP=true
+
+# Client credentials (must match Keycloak client)
+OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
+OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
+
+# Well-known configuration URL from Keycloak
+OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
+
+# Redirect URI (must match what is configured in Keycloak client)
+OPENID_REDIRECT_URI={{ (domains | get_url(application_id, WEB_PROTOCOL)) ~ '/oauth/oidc/callback' }}
+
+# Display name of the provider in the login button
+OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
+
+# Scopes to request (openid is required; email/profile recommended)
+OAUTH_SCOPES=openid email profile
+
+# =========================
+# Optional: Role Management
+# =========================
+# Enable automatic role mapping from token claims
+# ENABLE_OAUTH_ROLE_MANAGEMENT=true
+# OAUTH_ROLES_CLAIM=roles
+# OAUTH_ALLOWED_ROLES=user
+# OAUTH_ADMIN_ROLES=admin
+
+# =========================
+# Optional: Group Management
+# =========================
+# ENABLE_OAUTH_GROUP_MANAGEMENT=true
+# ENABLE_OAUTH_GROUP_CREATION=false
+# OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
+{% endif %}
--- a/roles/web-app-openwebui/vars/main.yml
+++ b/roles/web-app-openwebui/vars/main.yml
@@ -15,3 +15,4 @@ OPENWEBUI_OFFLINE_MODE:               "{{ applications | get_app_conf(applicatio
 OPENWEBUI_HF_HUB_OFFLINE:             "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.hf_hub_offline') }}"
 OPENWEBUI_VOLUME:                     "{{ applications | get_app_conf(application_id, 'docker.volumes.openwebui') }}"
 OPENWEBUI_PORT_PUBLIC:                "{{ ports.localhost.http[application_id] }}"
+OPENWEBUI_OIDC_ENABLED:               "{{ applications | get_app_conf(application_id, 'features.oidc') }}"