Merge branch 'dev' into main

Author: Classic298

docs/features/scim.mdx

@@ -0,0 +1,189 @@
+---
+sidebar_position: 20
+title: "🔐 SCIM 2.0: Automated User Provisioning"
+---
+
+# SCIM 2.0 Support
+
+Open WebUI supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user and group provisioning from identity providers like Okta, Azure AD, and Google Workspace.
+
+## Overview
+
+SCIM is an open standard that allows for the automation of user provisioning. When enabled, your identity provider can automatically:
+- Create users in Open WebUI when they're added to your organization
+- Update user information when changes are made
+- Deactivate users when they're removed from your organization
+- Manage group memberships
+
+## Configuration
+
+SCIM is configured entirely through environment variables. There is no UI configuration for SCIM settings.
+
+### Environment Variables
+
+Configure SCIM by setting these environment variables:
+
+- **`SCIM_ENABLED`**: Set to `true` to enable SCIM support (default: `false`)
+- **`SCIM_TOKEN`**: The bearer token for SCIM authentication (required when SCIM is enabled)
+
+:::warning Security Note
+The SCIM token should be a secure, randomly generated string. You can generate one using:
+```bash
+openssl rand -base64 32
+```
+Keep this token secure as it provides access to user management operations.
+:::
+
+### Example Configuration
+
+```bash
+# Enable SCIM
+export SCIM_ENABLED=true
+
+# Set a secure token (replace with your own generated token)
+export SCIM_TOKEN="your-secure-token-here"
+```
+
+## SCIM API Configuration
+
+When configuring your identity provider, use the following settings:
+
+- **SCIM Base URL**: `<your-openwebui-url>/api/v1/scim/v2/`
+- **Authentication**: Bearer Token
+- **Token**: `Bearer <your-scim-token>`
+
+### Example for Popular Identity Providers
+
+#### Okta
+1. In Okta, add the SCIM application
+2. Set the SCIM connector base URL to: `https://your-domain.com/api/v1/scim/v2/`
+3. Set authentication to "HTTP Header"
+4. Add Authorization header with value: `Bearer your-scim-token`
+
+
+## Supported SCIM Operations
+
+Open WebUI's SCIM implementation supports the following operations:
+
+### User Operations
+- **Create User** (`POST /Users`): Create a new user account
+- **Get User** (`GET /Users/{id}`): Retrieve user information
+- **Update User** (`PUT /Users/{id}`, `PATCH /Users/{id}`): Update user attributes
+- **Delete User** (`DELETE /Users/{id}`): Deactivate a user account
+- **List Users** (`GET /Users`): List all users with filtering support
+
+### Group Operations
+- **Create Group** (`POST /Groups`): Create a new group
+- **Get Group** (`GET /Groups/{id}`): Retrieve group information
+- **Update Group** (`PUT /Groups/{id}`, `PATCH /Groups/{id}`): Update group membership
+- **Delete Group** (`DELETE /Groups/{id}`): Remove a group
+- **List Groups** (`GET /Groups`): List all groups with filtering support
+
+### Supported Attributes
+
+#### User Attributes
+- `userName`: The user's email address (required, unique)
+- `name.givenName`: First name
+- `name.familyName`: Last name
+- `emails`: Email addresses
+- `active`: User status (active/inactive)
+- `externalId`: External identifier from the identity provider
+
+#### Group Attributes
+- `displayName`: Group name (required)
+- `members`: Array of user members
+- `externalId`: External identifier from the identity provider
+
+## Filtering Support
+
+The SCIM API supports filtering for both users and groups:
+
+```
+GET /api/v1/scim/v2/Users?filter=userName eq "user@example.com"
+GET /api/v1/scim/v2/Groups?filter=displayName eq "Engineering"
+```
+
+Supported filter operators:
+- `eq`: Equals
+- `ne`: Not equals
+- `co`: Contains
+- `sw`: Starts with
+- `ew`: Ends with
+- `pr`: Present (has value)
+- `gt`: Greater than
+- `ge`: Greater than or equal
+- `lt`: Less than
+- `le`: Less than or equal
+
+## Troubleshooting
+
+### Common Issues
+
+1. **401 Unauthorized Errors**
+   - Verify that `SCIM_ENABLED` is set to `true`
+   - Check that the bearer token in your identity provider matches `SCIM_TOKEN`
+   - Ensure the Authorization header format is: `Bearer <token>`
+
+2. **404 Not Found Errors**
+   - Verify the SCIM base URL ends with `/api/v1/scim/v2/`
+   - Check that the path includes the `/api/v1` prefix
+
+3. **User Creation Failures**
+   - Ensure the `userName` field contains a valid email address
+   - Check that the email is not already in use
+
+### Testing SCIM Endpoints
+
+You can test SCIM endpoints using curl:
+
+```bash
+# Test authentication and list users
+curl -H "Authorization: Bearer your-scim-token" \
+  https://your-domain.com/api/v1/scim/v2/Users
+
+# Get a specific user
+curl -H "Authorization: Bearer your-scim-token" \
+  https://your-domain.com/api/v1/scim/v2/Users/user-id
+
+# Create a test user
+curl -X POST \
+  -H "Authorization: Bearer your-scim-token" \
+  -H "Content-Type: application/scim+json" \
+  -d '{
+    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+    "userName": "test@example.com",
+    "name": {
+      "givenName": "Test",
+      "familyName": "User"
+    },
+    "emails": [{
+      "value": "test@example.com",
+      "primary": true
+    }],
+    "active": true
+  }' \
+  https://your-domain.com/api/v1/scim/v2/Users
+```
+
+## Security Considerations
+
+1. **Use HTTPS**: Always use HTTPS in production to protect the bearer token
+2. **Secure Token Storage**: Store the SCIM token securely and rotate it periodically
+3. **IP Allowlisting**: Consider restricting SCIM API access to your identity provider's IP addresses
+4. **Audit Logging**: SCIM operations are logged for security auditing
+
+## Limitations
+
+- Custom schema extensions are not currently supported
+- Bulk operations are not implemented
+- ETags for resource versioning are not supported
+
+## Integration with SSO
+
+SCIM works best when combined with SSO (Single Sign-On). A typical setup includes:
+1. SCIM for automated user provisioning
+2. OIDC for user authentication
+
+This ensures users are automatically created and can immediately authenticate using their corporate credentials.
+
+For SSO configuration, see the [SSO documentation](/docs/features/sso).

docs/features/sso/keycloak.mdx

@@ -148,4 +148,4 @@ ENABLE_OAUTH_GROUP_MANAGEMENT=true
 # (Optional) Enable Just-In-Time group creation
 ENABLE_OAUTH_GROUP_CREATION=true
 # The claim key for groups in the token
-OAUTH_GROUPS_CLAIM=groups
+OAUTH_GROUP_CLAIM=groups

docs/getting-started/env-configuration.md

@@ -146,19 +146,19 @@ is also being used and set to `True`. Failure to do so will result in the inabil
 
 - Type: `bool`
 - Default: `True`
-- Description: Controls whether admin users can export data.
+- Description: Controls whether admins can export data, chats and the database in the admin panel. Database exports only work for SQLite databases for now.
 
 #### `ENABLE_ADMIN_CHAT_ACCESS`
 
 - Type: `bool`
 - Default: `True`
-- Description: Enables admin users to access all chats. When disabled, admins can no longer access user's chats in the admin panel. If you disable this, you will likely want to also disable `ENABLE_ADMIN_EXPORT`, as the exports also contains user chats.
+- Description: Enables admin users to directly access the chats of other users. When disabled, admins can no longer accesss user's chats in the admin panel. If you disable this, consider disabling `ENABLE_ADMIN_EXPORT` too, if you are using SQLite, as the exports also contain user chats.
 
-#### `ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS`
+#### `BYPASS_ADMIN_ACCESS_CONTROL`
 
 - Type: `bool`
 - Default: `True`
-- Description: When disabled, admin users are treated like regular users for workspace access and only see knowledge bases, models, prompts, and tools they have **explicit permission to access** through the existing access control system. If set to `True`, admins have access to all created items in the workspace area regardless of access permissions.
+- Description: When disabled, admin users are treated like regular users for workspace access (models, knowledge, prompts and tools) and only see items they have **explicit permission to access** through the existing access control system. This also applies to the visibility of models in the model selector - admins will be treated as regular users: base models and custom models they do not have **explicit permission to access**, will be hidden. If set to `True` (Default), admins have access to **all created items** in the workspace area and all models in the model selector, **regardless of access permissions**.
 
 #### `ENABLE_USER_WEBHOOKS`
 
@@ -271,7 +271,7 @@ It is recommended to set this to a high single-digit or low double-digit value i
 
 - Type: `bool`
 - Default: `False`
-- Description: Bypasses model access control.
+- Description: Bypasses model access control. When set to `true`, all users (and admins alike) will have access to all models, regardless of the model's privacy setting (Private, Public, Shared with certain groups). This is useful for smaller or individual Open WebUI installations where model access restrictions may not be needed.
 
 #### `WEBUI_BUILD_HASH`
 
@@ -663,6 +663,12 @@ The format for the JSON response is strictly:
 - Description: Specifies the code interpreter engine to use.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 
+#### `CODE_INTERPRETER_BLACKLISTED_MODULES`
+
+- Type: `str` (comma-separated list of module names)
+- Default: None
+- Description: Specifies a comma-separated list of Python modules that are blacklisted and cannot be imported or used within the code interpreter. This enhances security by preventing access to potentially sensitive or system-level functionalities.
+
 #### `CODE_INTERPRETER_PROMPT_TEMPLATE`
 
 - Type: `str`
@@ -1988,13 +1994,19 @@ When enabling `GOOGLE_DRIVE_INTEGRATION`, ensure that you have configured `GOOGL
 - Description: Maximum number of search results to crawl.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 
-#### `WEB_SEARCH_CONCURRENT_REQUESTS`
+#### `WEB_LOADER_CONCURRENT_REQUESTS`
 
 - Type: `int`
 - Default: `10`
-- Description: Number of concurrent requests to crawl web pages returned from search results.
+- Description: Specifies the number of concurrent requests used by the web loader to fetch content from web pages returned by search results. This directly impacts how many pages can be crawled simultaneously.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 
+:::info
+
+This environment variable was previously named "WEB_SEARCH_CONCURRENT_REQUESTS". If you were using the old name, please update your configurations to use "WEB_LOADER_CONCURRENT_REQUESTS" as the old variable name is now deprecated and will not be recognized. This renaming clarifies its function, as it specifically controls the concurrency of the web *loader* component that fetches content from search results, not the initial search engine query itself.
+
+:::
+
 #### `WEB_SEARCH_ENGINE`
 
 - Type: `str`
@@ -3160,6 +3172,22 @@ If `OAUTH_PICTURE_CLAIM` is set to `''` (empty string), then the OAuth picture c
 - Description: Specifies the LDAP attribute that contains the user's group memberships. `memberOf` is a standard attribute for this purpose in Active Directory environments.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 
+## SCIM
+
+#### `SCIM_ENABLED`
+
+- Type: `bool`
+- Default: `False`
+- Description: Enables or disables SCIM 2.0 (System for Cross-domain Identity Management) support for automated user and group provisioning from identity providers like Okta, Azure AD, and Google Workspace.
+- Persistence: This environment variable is a `PersistentConfig` variable.
+
+#### `SCIM_TOKEN`
+
+- Type: `str`
+- Default: `""`
+- Description: Sets the bearer token for SCIM authentication. This token must be provided by identity providers when making SCIM API requests. Generate a secure random token (e.g., using `openssl rand -base64 32`) and configure it in both Open WebUI and your identity provider.
+- Persistence: This environment variable is a `PersistentConfig` variable.
+
 ## User Permissions
 
 ### Chat Permissions
@@ -3663,14 +3691,28 @@ More information about this setting can be found [here](https://docs.sqlalchemy.
 
 :::
 
+#### `DATABASE_ENABLE_SQLITE_WAL`
+
+- Type: `bool`
+- Default: `False`
+- Description: Enables or disables SQLite WAL (Write-Ahead Logging) mode. When enabled, SQLite transactions can be managed more efficiently, allowing multiple readers and one writer concurrently, which can improve database performance, especially under high concurrency. **This setting only applies to SQLite databases.**
+
+#### `DATABASE_DEDUPLICATE_INTERVAL`
+
+- Type: `float`
+- Default: `0.0`
+- Description: Sets a time interval in seconds during which certain database write operations (e.g., updating a user's `last_active_at` timestamp) will be deduplicated. If a write operation is attempted within this interval for the same entity, it will be skipped. A value of `0.0` disables deduplication. Enabling this can reduce write conflicts and improve performance, but may result in less real-time accuracy for the affected fields.
+
 ### Redis
 
 #### `REDIS_URL`
 
 - Type: `str`
-- Example: `redis://localhost:6379/0`
-- Example with TLS: `rediss://localhost:6379/0`
-- Description: Specifies the URL of the Redis instance for the app state.
+- Description: Specifies the URL of the Redis instance or cluster host for storing application state.
+- Examples:
+  - `redis://localhost:6379/0`
+  - `rediss://:password@localhost:6379/0` _(with password and TLS)_
+  - `rediss://redis-cluster.redis.svc.cluster.local:6379/0 ?ssl_cert_reqs=required&ssl_certfile=/tls/redis/tls.crt &ssl_keyfile=/tls/redis/tls.key&ssl_ca_certs=/tls/redis/ca.crt` _(with mTLS)_
 
 :::info
 
@@ -3689,6 +3731,18 @@ When deploying Open WebUI in a multi-node/worker cluster with a load balancer, y
 - Default: `26379`
 - Description: Sentinel port for app state Redis.
 
+#### `REDIS_CLUSTER`
+
+- Type: `bool`
+- Default: `False`
+- Description: Connect to a Redis Cluster instead of a single instance or using Redis Sentinels. If `True`, `REDIS_URL` must also be defined.
+
+:::info
+
+This option has no effect if `REDIS_SENTINEL_HOSTS` is defined.
+
+:::
+
 #### `REDIS_KEY_PREFIX`
 
 - Type: `str`
@@ -3723,7 +3777,7 @@ When deploying Open WebUI in a multi-node/worker cluster with a load balancer, y
 
 - Type: `str`
 - Default: `${REDIS_URL}`
-- Description: Specifies the URL of the Redis instance for websocket communication. It is distinct from `REDIS_URL` and in practice, it is recommended to set both.
+- Description: Specifies the URL of the Redis instance or cluster host for websocket communication. It is distinct from `REDIS_URL` and in practice, it is recommended to set both.
 
 :::info
 
@@ -3742,6 +3796,18 @@ When deploying Open WebUI in a multi-node/worker cluster with a load balancer, y
 - Default: `26379`
 - Description: Sentinel port for websocket Redis.
 
+#### `WEBSOCKET_REDIS_CLUSTER`
+
+- Type: `bool`
+- Default: `${REDIS_CLUSTER}`
+- Description: Specifies that websocket should communicate with a Redis Cluster instead of a single instance or using Redis Sentinels. If `True`, `WEBSOCKET_REDIS_URL` and/or `REDIS_URL` must also be defined.
+
+:::info
+
+This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined.
+
+:::
+
 ### Uvicorn Settings
 
 #### `UVICORN_WORKERS`

docs/tutorials/integrations/langfuse.md

@@ -1,6 +1,6 @@
 ---
 sidebar_position: 20
-title: "💥 Monitoring and Debugging with Langfuse"
+title: "🪢 Monitoring and Debugging with Langfuse"
 ---
 
 # Langfuse Integration with Open WebUI
@@ -20,7 +20,7 @@ _Langfuse integration steps_
 
 [Pipelines](https://github.com/open-webui/pipelines/) in Open WebUI is an UI-agnostic framework for OpenAI API plugins. It enables the injection of plugins that intercept, process, and forward user prompts to the final LLM, allowing for enhanced control and customization of prompt handling.
 
-To trace your application data with Langfuse, you can use the [Langfuse pipeline](https://github.com/open-webui/pipelines/blob/d4fca4c37c4b8603be7797245e749e9086f35130/examples/filters/langfuse_filter_pipeline.py), which enables real-time monitoring and analysis of message interactions.
+To trace your application data with Langfuse, you can use the [Langfuse pipeline](https://github.com/open-webui/pipelines/blob/039f9c54f8e9f9bcbabde02c2c853e80d25c79e4/examples/filters/langfuse_v3_filter_pipeline.py), which enables real-time monitoring and analysis of message interactions.
 
 ## Quick Start Guide
 
@@ -47,10 +47,10 @@ In the _Admin Settings_, create and save a new connection of type OpenAI API wit
 
 ### Step 4: Adding the Langfuse Filter Pipeline
 
-Next, navigate to _Admin Settings_ -> _Pipelines_ and add the Langfuse Filter Pipeline. Specify that Pipelines is listening on http://host.docker.internal:9099 (as configured earlier) and install the [Langfuse Filter Pipeline](https://github.com/open-webui/pipelines/blob/main/examples/filters/langfuse_filter_pipeline.py) by using the _Install from Github URL_ option with the following URL:
+Next, navigate to _Admin Settings_ -> _Pipelines_ and add the Langfuse Filter Pipeline. Specify that Pipelines is listening on http://host.docker.internal:9099 (as configured earlier) and install the [Langfuse Filter Pipeline](https://github.com/open-webui/pipelines/blob/039f9c54f8e9f9bcbabde02c2c853e80d25c79e4/examples/filters/langfuse_v3_filter_pipeline.py) by using the _Install from Github URL_ option with the following URL:
 
 ```
-https://github.com/open-webui/pipelines/blob/main/examples/filters/langfuse_filter_pipeline.py
+https://github.com/open-webui/pipelines/blob/main/examples/filters/langfuse_v3_filter_pipeline.py
 ```
 
 Now, add your Langfuse API keys below. If you haven't signed up to Langfuse yet, you can get your API keys by creating an account [here](https://cloud.langfuse.com).