I am trying to integrate OpenWebUi With a FastAPI multi-tenant gateway (layer2) behind Apache + Kerberos (layer1). Kerberos authentication works, and Apache successfully injects:
X-Forwarded-User: user1 X-Forwarded-Email: [email protected] X-Tenant-ID: tenant1 OpenWebUI is configured with following environment variables:
FORWARDED_AUTH=True WEBUI_AUTH=False WEBUI_AUTH_TRUSTED_HEADER=True WEBUI_AUTH_TRUSTED_EMAIL_HEADER=X-Forwarded-Email WEBUI_AUTH_TRUSTED_HEADER_NAME=X-Forwarded-User TENANT_HEADER=X-Tenant-ID Direct curl to OpenWebUi works:
curl -I -H "X-Forwarded-User:user1" \ -H "X-Forwarded-Email:[email protected]" \ -H "X-Tenant-ID:tenant1" \ http://127.0.0.1:3000/api/config returns HTTP 200 with:
x-debug-user: user1 x-debug-email: [email protected] x-debug-tenant: tenant1 So OpenWebUI does receive the correct headers.
The issue is that when accessing OpenWebUI through a browser, OpenWebUI first pops up the notification "You don't have permission to access this resource", then is stuck on "Signing into OpenWebUI" forever. UI loads partially, but is stuck on the previous message.
How can I configure OpenWebUi trusted-header authentication mode so that:
Browser → Apache → OpenWebUI
OpenWebUI accepts X-Forwarded-Email + X-Forwarded-User
OpenWebUI does not try its internal password/DB-based signin
OpenWebUI UI loads normally
My goal is to have following in place:
Users cannot authenticate themselves by entering username/password, OpenWebUI needs to pick up their current credential - username
The computer users are accessing OpenWebUI from is assigned tenantID. This tenantID is attached along with the username to chat requests, so every chat is tied to user:tenantID
With this setup, in chat history users should be able to see only the chats sent from a computer they started the chat on. For example, if user1 starts a chat from computer1, they should not be able to see that chat when when accessing from computer2.
