168 lines
4 KiB
Text
168 lines
4 KiB
Text
|
OPENUI OAUTH FIX - QUICK IMPLEMENTATION
|
||
|
|
=========================================
|
||
|
|
|
||
|
|
PROBLEM:
|
||
|
|
--------
|
||
|
|
Open-UI gets: {"error":"invalid_client","error_description":"Client not registered."}
|
||
|
|
Works fine in Claude.ai but fails after gateway restart.
|
||
|
|
|
||
|
|
ROOT CAUSE:
|
||
|
|
-----------
|
||
|
|
OAuth clients stored in RAM only → lost on restart
|
||
|
|
Open-UI can register new client but then can't use it if gateway restarts
|
||
|
|
|
||
|
|
SOLUTION:
|
||
|
|
---------
|
||
|
|
Use persistent file storage for OAuth clients instead of RAM
|
||
|
|
|
||
|
|
|
||
|
|
3 SIMPLE STEPS:
|
||
|
|
===============
|
||
|
|
|
||
|
|
STEP 1: Deploy oauth_storage.py
|
||
|
|
------
|
||
|
|
|
||
|
|
The file is ready at:
|
||
|
|
gateway-proxy/oauth_storage.py
|
||
|
|
|
||
|
|
No changes needed - just copy it to your gateway-proxy folder if not there already.
|
||
|
|
|
||
|
|
|
||
|
|
STEP 2: Update gateway_proxy.py (3 edits)
|
||
|
|
--------
|
||
|
|
|
||
|
|
EDIT 2A - Around line 27 (with other imports):
|
||
|
|
|
||
|
|
ADD THIS:
|
||
|
|
from .oauth_storage import load_oauth_clients, save_oauth_clients
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
EDIT 2B - Around line 52 (where REGISTERED_CLIENTS is defined):
|
||
|
|
|
||
|
|
CHANGE THIS:
|
||
|
|
REGISTERED_CLIENTS: dict[str, dict] = {}
|
||
|
|
|
||
|
|
TO THIS:
|
||
|
|
REGISTERED_CLIENTS = load_oauth_clients()
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
EDIT 2C - In oauth_register() function, after line 383:
|
||
|
|
|
||
|
|
AFTER:
|
||
|
|
REGISTERED_CLIENTS[client_id] = client_info
|
||
|
|
|
||
|
|
ADD THIS NEW LINE:
|
||
|
|
save_oauth_clients(REGISTERED_CLIENTS)
|
||
|
|
|
||
|
|
So it looks like:
|
||
|
|
REGISTERED_CLIENTS[client_id] = client_info
|
||
|
|
save_oauth_clients(REGISTERED_CLIENTS) # <-- ADD THIS
|
||
|
|
|
||
|
|
|
||
|
|
STEP 3: Update docker-compose.yml
|
||
|
|
---------
|
||
|
|
|
||
|
|
Add a volume to the gateway-proxy service:
|
||
|
|
|
||
|
|
Find:
|
||
|
|
gateway-proxy:
|
||
|
|
build:
|
||
|
|
context: ./gateway-proxy
|
||
|
|
...
|
||
|
|
|
||
|
|
Add volumes section (if not present):
|
||
|
|
volumes:
|
||
|
|
- gateway-data:/data
|
||
|
|
|
||
|
|
And at the bottom of docker-compose.yml, add:
|
||
|
|
|
||
|
|
volumes:
|
||
|
|
gateway-data:
|
||
|
|
|
||
|
|
Example:
|
||
|
|
gateway-proxy:
|
||
|
|
build:
|
||
|
|
context: ./gateway-proxy
|
||
|
|
...
|
||
|
|
volumes:
|
||
|
|
- gateway-data:/data
|
||
|
|
|
||
|
|
volumes:
|
||
|
|
gateway-data:
|
||
|
|
|
||
|
|
|
||
|
|
STEP 4: Restart
|
||
|
|
-------
|
||
|
|
|
||
|
|
docker-compose down
|
||
|
|
docker-compose up -d
|
||
|
|
|
||
|
|
|
||
|
|
VERIFY IT WORKS:
|
||
|
|
================
|
||
|
|
|
||
|
|
After restart, check:
|
||
|
|
|
||
|
|
1. OAuth clients are saved:
|
||
|
|
docker exec mcp-gateway ls -la /data/oauth_clients.json
|
||
|
|
|
||
|
|
2. Check contents:
|
||
|
|
docker exec mcp-gateway cat /data/oauth_clients.json | jq '.'
|
||
|
|
|
||
|
|
3. Test in Open-UI:
|
||
|
|
- Add gateway: http://mcp.wilddragon.net:8000
|
||
|
|
- Should NOT ask to authorize again (because client is persisted)
|
||
|
|
- Should work normally
|
||
|
|
|
||
|
|
|
||
|
|
WHY THIS WORKS:
|
||
|
|
===============
|
||
|
|
|
||
|
|
Before: Gateway starts → RAM is empty → Open-UI registers new client → Client stored in RAM →
|
||
|
|
Gateway restarts → RAM cleared → Client is GONE → Open-UI can't authenticate
|
||
|
|
|
||
|
|
After: Gateway starts → Loads clients from /data/oauth_clients.json → Open-UI registers once →
|
||
|
|
Stored on disk → Gateway restarts → Loads same clients from disk → Open-UI can use existing client
|
||
|
|
|
||
|
|
|
||
|
|
FILE LOCATIONS:
|
||
|
|
===============
|
||
|
|
|
||
|
|
Ready to use:
|
||
|
|
✅ gateway-proxy/oauth_storage.py (already created)
|
||
|
|
✅ OPENUI_OAUTH_FIX.md (detailed docs)
|
||
|
|
⏳ gateway-proxy/gateway_proxy.py (needs 3 small edits)
|
||
|
|
⏳ docker-compose.yml (add volume)
|
||
|
|
|
||
|
|
|
||
|
|
TROUBLESHOOTING:
|
||
|
|
================
|
||
|
|
|
||
|
|
If /data/oauth_clients.json doesn't get created:
|
||
|
|
1. Check Docker volume was added to compose file
|
||
|
|
2. Check gateway logs: docker logs mcp-gateway | grep oauth_storage
|
||
|
|
3. Ensure /data folder exists in container: docker exec mcp-gateway ls /data
|
||
|
|
|
||
|
|
If Open-UI still says "Client not registered":
|
||
|
|
1. Check file exists: docker exec mcp-gateway ls -la /data/oauth_clients.json
|
||
|
|
2. Check contents: docker exec mcp-gateway cat /data/oauth_clients.json
|
||
|
|
3. Check for save errors in logs: docker logs mcp-gateway | grep "Failed to save"
|
||
|
|
|
||
|
|
If you want to force re-auth:
|
||
|
|
1. Delete the stored clients: docker exec mcp-gateway rm /data/oauth_clients.json
|
||
|
|
2. Restart: docker-compose restart gateway-proxy
|
||
|
|
3. Open-UI will need to register again
|
||
|
|
|
||
|
|
|
||
|
|
TESTING PERSISTENCE:
|
||
|
|
====================
|
||
|
|
|
||
|
|
1. Open-UI authorizes and gets token (works)
|
||
|
|
2. Test API works: curl with token (works)
|
||
|
|
3. Restart gateway: docker-compose restart gateway-proxy
|
||
|
|
4. Use same token to test API again (should still work!)
|
||
|
|
|
||
|
|
If step 4 works, persistence is working correctly.
|