From 645d908ca5b4d5cd38b805d7b63d3019a44ddbe9 Mon Sep 17 00:00:00 2001
From: poprhythm
Date: Thu, 26 Feb 2026 01:37:28 +0000
Subject: [PATCH] Add Authelia OIDC SSO to Open WebUI
- Add open-webui OIDC client to Authelia config
- Configure open-webui with OIDC env vars pointing to Authelia
- Secret managed via AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI env var in Portainer
---
 authelia/config/configuration.yaml | 14 ++++++++++++++
 ollama/docker-compose.yml | 6 ++++++
 2 files changed, 20 insertions(+)
diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index 36132ad..e4dc424 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -63,6 +63,20 @@ identity_providers:
 # host copy (/srv/authelia/config/configuration.yml). Never commit the key to git.
 # Generate with: openssl genrsa -out /srv/authelia/config/oidc.key 4096
 clients:
+ - client_id: open-webui
+ client_name: Open WebUI
+ client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}'
+ public: false
+ authorization_policy: one_factor
+ token_endpoint_auth_method: client_secret_post
+ redirect_uris:
+ - https://open-webui.kolpacksoftware.com/oauth/oidc/callback
+ scopes:
+ - openid
+ - profile
+ - email
+ userinfo_signed_response_alg: none
+
 - client_id: linkding
 client_name: Linkding
 client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}'
diff --git a/ollama/docker-compose.yml b/ollama/docker-compose.yml
index 3c9bdd8..844e53e 100644
--- a/ollama/docker-compose.yml
+++ b/ollama/docker-compose.yml
@@ -25,6 +25,12 @@ services:
 environment:
 - OLLAMA_BASE_URL=http://ollama:11434
 - TZ=America/New_York
+ - ENABLE_OAUTH_SIGNUP=true
+ - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
+ - OAUTH_PROVIDER_NAME=Authelia
+ - OPENID_PROVIDER_URL=https://auth.kolpacksoftware.com/.well-known/openid-configuration
+ - OAUTH_CLIENT_ID=open-webui
+ - OAUTH_CLIENT_SECRET=${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}
 volumes:
 - /srv/open-webui:/app/backend/data
 depends_on:
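Review bot: In authelia/config/configuration.yaml, `client_secret` for the new open-webui client is filled from the same variable name that ollama/docker-compose.yml passes to Open WebUI as `OAUTH_CLIENT_SECRET`, so if both stacks are given one value, Authelia ends up holding the plaintext secret instead of a digest. Authelia's documentation recommends storing confidential-client secrets hashed (for example the output of `authelia crypto hash generate pbkdf2`), with only the relying party keeping the plaintext. A comment above the client would make the intended split explicit, e.g. `# Portainer value for Authelia is the hashed digest; Open WebUI receives the matching plaintext`. Separately, `authorization_policy: one_factor` lets a password alone reach the chat UI; the policy of the other clients is not visible in this hunk, but if they use `two_factor` this one should probably match.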
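Review bot: In ollama/docker-compose.yml, `OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true` links an incoming OIDC identity to any existing local account with the same email, so the email claim from Authelia becomes the only proof of ownership for those accounts, the admin account included. That is safe only while every Authelia user's email is set by an administrator; add a comment saying so, or drop the flag once the existing accounts have been linked. The local password form also stays enabled next to SSO, so Authelia's policy is not the only way in; adding `- ENABLE_LOGIN_FORM=false` closes that path if SSO is meant to be the single entry point. Finally, `${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}` is interpolated as an empty string when the variable is unset, whereas `${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI:?set in Portainer}` makes the deploy fail instead.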