Open WebUI - AI Chat Interface
This cluster runs Open WebUI, a chat interface in front of the self-hosted Gemma LLM, with single sign-on handled by OCI Identity Domain over OpenID Connect.
Endpoint
https://chat.k8s.sudhanva.me
High-Level Architecture
Open WebUI connects to Gemma via the OpenAI-compatible API, with authentication handled by OCI Identity Domain:
```mermaid
flowchart TB
    subgraph Internet
        User((User))
    end
    subgraph OCI["Oracle Cloud Infrastructure"]
        subgraph Identity["OCI Identity Domain"]
            OIDC[OIDC Provider<br/>OAuth 2.0 + OpenID Connect]
            JWK[JWK Signing Keys]
        end
        LB[Network Load Balancer]
        subgraph OKE["OKE Cluster"]
            subgraph Gateway["Envoy Gateway"]
                EG[HTTPS Listeners<br/>TLS Termination]
            end
            subgraph OpenWebUI["Open WebUI Pod"]
                UI[Web Interface<br/>:8080]
                OAuth[authlib<br/>OIDC Client]
            end
            subgraph GemmaPod["Gemma Pod"]
                LLM[llama-server<br/>Gemma 3 1B]
            end
            ESO[External Secrets<br/>Operator]
            Secret[K8s Secret<br/>oidc-credentials]
        end
        Vault[(OCI Vault<br/>Client ID/Secret)]
    end
    User -->|1. Access| LB
    LB --> EG
    EG --> UI
    UI -->|2. Redirect| OIDC
    User -->|3. Login| OIDC
    OIDC -->|4. Auth Code| UI
    OAuth -->|5. Token Exchange| OIDC
    OAuth -->|6. Fetch JWK| JWK
    UI -->|7. Chat| LLM
    Vault -->|Sync| ESO
    ESO --> Secret
    Secret --> UI
```
OIDC Authentication Flow
The complete OpenID Connect authentication flow:
```mermaid
sequenceDiagram
    participant U as User Browser
    participant OW as Open WebUI
    participant OIDC as OCI Identity Domain
    participant JWK as JWK Endpoint
    U->>OW: 1. Visit chat.k8s.sudhanva.me
    OW->>U: 2. Show login page
    U->>OW: 3. Click "Continue with Oracle"
    OW->>U: 4. Redirect to OCI Identity
    U->>OIDC: 5. Enter credentials
    OIDC->>OIDC: 6. Validate user
    OIDC->>U: 7. Redirect with auth code
    U->>OW: 8. Callback with code
    OW->>OIDC: 9. Exchange code for tokens
    Note over OW,JWK: Token Validation
    OW->>JWK: 10. Fetch public keys
    JWK-->>OW: 11. Return JWK set
    OW->>OW: 12. Validate ID token
    OW->>U: 13. Session created
    U->>OW: 14. Start chatting!
```
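The token validation in steps 10 to 12 (fetch the JWK set, pick the key named by the token's kid, verify the RS256 signature, then check issuer, audience, expiry and nonce) is performed for this cluster by authlib inside Open WebUI. What follows is an added example, not code from Open WebUI, authlib or this project, that performs the same checks with only the Python standard library so each step can be traced. The issuer, client ID, kid, nonce and RSA key are constructed test values, and the small RSA routine exists only to keep the example self-contained; a real relying party uses a maintained JOSE library and fetches the JWK set from the provider's jwks_uri. The round trip also shows why the signature is checked before any claim is read: a token whose payload is re-encoded with an extra claim still parses, but fails.

```python
"""Added example (not Open WebUI or authlib code): the ID-token checks a relying
party performs in steps 10-12 above, stdlib only. ISSUER, CLIENT_ID, kid, nonce and
the RSA key are constructed test values; production code should use a JOSE library."""
import base64, hashlib, json, random

ISSUER = "https://idcs-test.identity.oraclecloud.com"  # assumed test issuer, not a real tenant
CLIENT_ID = "open-webui-test-client"                   # assumed test client ID
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 prefix
def b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    d, r = n - 1, 0                      # Miller-Rabin: good enough for a throwaway test key
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_test_rsa_key(bits: int = 1024, seed: int = 7) -> tuple:
    """Deterministic (n, e, d); 1024 bits keeps pure-Python keygen to well under a second."""
    rng = random.Random(seed)
    def prime() -> int:
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        try:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))
        except ValueError:               # e not invertible mod phi: draw new primes
            pass

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

def jwk_from_public(n: int, e: int, kid: str) -> dict:
    """Public key in the shape the /admin/v1/SigningCert/jwk endpoint returns."""
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}

def issue_id_token(claims: dict, kid: str, n: int, d: int) -> str:
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}." + b64url(rs256_sign(f"{header}.{payload}".encode(), n, d))

def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """Steps 10-12: key lookup by kid, RS256 signature, then iss/aud/exp/nonce. Raises ValueError."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")  # the token must not choose its own alg
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWK matches kid; an unreachable JWK endpoint fails the same way")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("issuer or audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or cross-session token")
    return claims

def demo(now: int = 1_700_000_000) -> dict:
    """Round trip on the test key: the genuine token passes; a re-encoded payload fails."""
    n, e, d = make_test_rsa_key()
    jwks = {"keys": [jwk_from_public(n, e, "kid-1")]}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "iat": now, "exp": now + 300, "nonce": "n-abc"}
    token = issue_id_token(claims, "kid-1", n, d)
    sub = validate_id_token(token, jwks, ISSUER, CLIENT_ID, "n-abc", now)["sub"]
    h64, _, s64 = token.split(".")   # keep header and signature, swap in a payload with an extra claim
    forged = f"{h64}.{b64url(json.dumps(dict(claims, role='admin')).encode())}.{s64}"
    try:
        validate_id_token(forged, jwks, ISSUER, CLIENT_ID, "n-abc", now)
        return {"sub": sub, "forged_rejected": False}
    except ValueError:
        return {"sub": sub, "forged_rejected": True}
```

Calling demo() returns the validated subject and confirms the re-encoded token was rejected. The kid lookup is where an empty or 401 JWK response surfaces: with no matching key there is nothing to verify against, which is the failure the "Access signing certificate" setting later on this page prevents.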
Features
| Feature | Description |
|---|---|
| Chat Interface | Modern, responsive ChatGPT-like UI |
| OCI OIDC Authentication | Secure SSO via OCI Identity Domain |
| Gemma Integration | Pre-configured to use Gemma 3 1B |
| Conversation History | Persistent chat storage (2GB PVC) |
| Model Selection | Switch between available models |
| OAuth User Signup | Auto-create users on first OIDC login |
Resource Allocation
Open WebUI is configured with generous resources within free tier limits:
| Resource | Request | Limit | Notes |
|---|---|---|---|
| Memory | 1 GB | 4 GB | Ample headroom for UI operations |
| CPU | 0.5 core | 2 cores | Burst capacity for responsiveness |
| Storage | 2 GB PVC | - | Persistent user data and chats |
OCI Identity Domain Configuration
Application Setup
The OIDC application is created via Terraform in tf-oke/identity.tf:
```mermaid
flowchart LR
    subgraph Terraform
        TF[identity.tf]
        Vars[terraform.tfvars]
    end
    subgraph OCI["OCI Identity Domain"]
        App[OIDC Application<br/>open-webui]
        Scopes[Allowed Scopes<br/>openid, profile, email]
        Grants[Grant Types<br/>Authorization Code<br/>Refresh Token]
        Redirect[Redirect URI<br/>chat.k8s.sudhanva.me<br/>/oauth/oidc/callback]
    end
    subgraph Vault["OCI Vault"]
        ClientID[client-id]
        ClientSecret[client-secret]
        ProviderURL[provider-url]
    end
    TF -->|Creates| App
    Vars -->|Provides| TF
    App --> Scopes
    App --> Grants
    App --> Redirect
    TF -->|Stores| Vault
```
Required OCI Console Settings
Navigate to OCI Console → Identity & Security → Domains → Default → Applications → open-webui:
1. OAuth Configuration
| Setting | Required Value | Location |
|---|---|---|
| Authorization Code | ✅ Enabled | OAuth configuration |
| Refresh Token | ✅ Enabled | OAuth configuration |
| Redirect URL | https://chat.k8s.sudhanva.me/oauth/oidc/callback | OAuth configuration |
2. Token Issuance Policy (Scopes)
Under Resources → Token Issuance Policy, add these scopes:
| Scope | Purpose |
|---|---|
| openid | Required for OIDC (ID token) |
| profile | Access user's name |
| email | Access user's email |
3. Access Signing Certificate
Navigate to Settings → Domain settings → Edit domain settings:
| Setting | Required Value | Purpose |
|---|---|---|
| Configure client access | ✅ Enabled | Allows public access to JWK endpoint |
```mermaid
flowchart TB
    subgraph Problem["Without Public JWK Access"]
        App1[Open WebUI] -->|GET /admin/v1/SigningCert/jwk| JWK1[JWK Endpoint]
        JWK1 -->|401 Unauthorized| App1
        App1 -->|Cannot validate ID token| Fail[Login Failed]
    end
    subgraph Solution["With Public JWK Access Enabled"]
        App2[Open WebUI] -->|GET /admin/v1/SigningCert/jwk| JWK2[JWK Endpoint]
        JWK2 -->|200 OK + Keys| App2
        App2 -->|Validate ID token| Success[Login Success]
    end
```
Secrets Management
OIDC credentials flow from OCI Vault to the cluster:
```mermaid
flowchart LR
    subgraph Terraform
        TF[identity.tf<br/>vault.tf]
        TFVARS[terraform.tfvars]
    end
    subgraph OCI["OCI Vault"]
        CID[Secret: client-id]
        SEC[Secret: client-secret]
        URL[Secret: provider-url]
    end
    subgraph Kubernetes
        ESO[External Secrets<br/>Operator]
        ExtSec[ExternalSecret<br/>oidc-credentials-sync]
        K8sSec[Secret<br/>oidc-credentials]
        Pod[Open WebUI Pod]
    end
    TFVARS -->|Variables| TF
    TF -->|Creates| CID
    TF -->|Creates| SEC
    TF -->|Creates| URL
    CID --> ESO
    SEC --> ESO
    URL --> ESO
    ESO -->|Watches| ExtSec
    ExtSec -->|Creates| K8sSec
    K8sSec -->|Env Vars| Pod
```
Terraform Variables
Set in tf-oke/terraform.tfvars:
```hcl
# OIDC Configuration for Open WebUI
oidc_client_id     = "your-client-id-from-oci"
oidc_client_secret = "your-client-secret-from-oci"
oidc_provider_url  = "https://idcs-xxxxx.identity.oraclecloud.com/.well-known/openid-configuration"
```
This file holds the client secret in plaintext, so keep it out of version control; the same value also ends up in Terraform state, which must be protected accordingly.
Environment Variables
Open WebUI receives these environment variables from the oidc-credentials secret:
| Variable | Source | Description |
|---|---|---|
| OAUTH_CLIENT_ID | Vault secret | Application client ID |
| OAUTH_CLIENT_SECRET | Vault secret | Application client secret |
| OPENID_PROVIDER_URL | Vault secret | OIDC discovery endpoint |
| ENABLE_OAUTH_SIGNUP | Deployment | true - Create users on first login |
| ENABLE_LOGIN_FORM | Deployment | false - OIDC only, no password login |
| OAUTH_PROVIDER_NAME | Deployment | Oracle - Button text |
| OAUTH_SCOPES | Deployment | openid profile email |
User Management
Adding Users
Only users assigned to the Open WebUI application in OCI Identity can log in:
- Go to OCI Console → Identity & Security → Domains → Default
- Click Applications → open-webui
- Under Users, click Assign
- Select users to grant access
Removing Users
- Same path as above
- Under Users, find the user
- Click Revoke
Revoking the assignment stops new OIDC logins for that user. It does not remove the local account Open WebUI created on first login, and a session that is still valid keeps working until it expires; if access must end immediately, also deactivate or delete the user in Open WebUI's admin panel.
First-Time Login
When a user logs in for the first time:
- They are redirected to OCI Identity Domain
- After authentication, redirected back to Open WebUI
- Open WebUI creates a local user account (ENABLE_OAUTH_SIGNUP=true)
- User can start chatting immediately
Troubleshooting
Common OIDC Errors
401 Unauthorized on JWK Fetch
```text
httpx.HTTPStatusError: Client error '401 Unauthorized' for url 'https://idcs-xxx.identity.oraclecloud.com/admin/v1/SigningCert/jwk'
```
Cause: The "Access signing certificate" setting is disabled in OCI Identity Domain.
Fix:
- Navigate to OCI Console → Identity & Security → Domains → Default
- Go to Settings → Domain settings
- Click Edit domain settings
- Enable Configure client access under “Access signing certificate”
- Save changes
- Restart Open WebUI:
```bash
kubectl rollout restart deploy/open-webui
```
401 Unauthorized on Metadata Fetch
```text
httpx.HTTPStatusError: Client error '401 Unauthorized' for url 'https://idcs-xxx.identity.oraclecloud.com/.well-known/openid-configuration'
```
Cause: The OPENID_PROVIDER_URL is incorrectly formatted (e.g., includes the :443 port or is missing the discovery path).
Fix: Ensure the provider URL in terraform.tfvars follows this format:
```hcl
oidc_provider_url = "https://idcs-xxxxx.identity.oraclecloud.com/.well-known/openid-configuration"
```
Then run terraform apply and restart Open WebUI.
invalid_scope Error
```text
Error: invalid_scope - Scope 'openid' is not configured for the application
```
Cause: Required OIDC scopes not enabled in OCI Identity Domain.
Fix:
- Navigate to Applications → open-webui → Resources → Token Issuance Policy
- Add scopes: openid, profile, email
- Save changes
Login Redirect Loop
Section titled “Login Redirect Loop”Cause: Redirect URI mismatch between OCI application config and actual callback URL.
Fix: Verify the redirect URI matches exactly:
```text
https://chat.k8s.sudhanva.me/oauth/oidc/callback
```
"User Not Assigned" Error
Cause: User not assigned to the Open WebUI application in OCI Identity Domain.
Fix: Assign the user (see User Management section above).
405 Method Not Allowed on Callback
```text
POST /oauth/oidc/callback HTTP/1.1" 405
```
Cause: OCI Identity Domain uses response_mode=form_post, which delivers the callback via POST. Older versions of Open WebUI only accepted GET requests on the callback route.
Fix: Ensure you're running an Open WebUI version with form_post support (added September 2025):
```bash
# Restart to pull latest image
kubectl rollout restart deploy/open-webui

# Wait for pod to be ready
kubectl get pods -l app=open-webui -w
```
The :main tag includes this fix. If using a pinned version, ensure it's from after September 2025. Because :main is a moving tag, once the fix is confirmed pin a release tag or image digest from after that date so that a routine restart cannot silently pull a different build.
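The causes listed above (a provider URL with an explicit port or without the discovery path, a redirect URI that is not a byte-for-byte match, scopes missing from the token issuance policy, a missing grant type, and a callback that cannot take a form_post POST) can all be checked offline before a redeploy. The following is an added example, not code from this project or from Open WebUI. The environment dicts, OCI app record and discovery document are constructed samples standing in for the oidc-credentials secret, the console settings and the provider's metadata, and chat.example.test is a placeholder host.

```python
"""Added example, not project code: offline preflight checks for the OIDC settings
whose failure modes this page's troubleshooting entries describe. APP, DISCOVERY and
the *_ENV dicts are constructed samples, not real OCI output or cluster secrets."""
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"
CALLBACK_PATH = "/oauth/oidc/callback"          # Open WebUI's OIDC callback route
REQUIRED_GRANTS = {"authorization_code", "refresh_token"}

def check_provider_url(url: str) -> list:
    """The OPENID_PROVIDER_URL mistakes behind the 401 on metadata fetch."""
    u = urlsplit(url)
    problems = []
    if u.scheme != "https":
        problems.append("provider URL must be https")
    if u.port is not None:
        problems.append(f"remove the explicit :{u.port} port from the provider URL")
    if u.path != DISCOVERY_PATH:
        problems.append(f"provider URL path must be exactly {DISCOVERY_PATH}")
    if u.query or u.fragment:
        problems.append("provider URL must carry no query string or fragment")
    return problems

def check_redirect_uri(public_host: str, registered: list) -> list:
    """Redirect-loop cause: the callback must match a registered URI byte for byte."""
    expected = f"https://{public_host}{CALLBACK_PATH}"
    if expected in registered:
        return []
    near = [r for r in registered if r.rstrip("/").lower() == expected.lower()]
    hint = f" (near miss registered as {near[0]!r})" if near else ""
    return [f"redirect URI {expected} is not registered{hint}"]

def check_app_record(app: dict, requested_scopes: str) -> list:
    """Mirror the OAuth configuration and token issuance policy settings."""
    problems = []
    missing_grants = REQUIRED_GRANTS - set(app.get("grant_types", []))
    if missing_grants:
        problems.append("enable grant types: " + ", ".join(sorted(missing_grants)))
    missing_scopes = set(requested_scopes.split()) - set(app.get("allowed_scopes", []))
    if missing_scopes:  # surfaces as invalid_scope at the authorize step
        problems.append("add scopes to Token Issuance Policy: " + ", ".join(sorted(missing_scopes)))
    if "openid" not in requested_scopes.split():
        problems.append("OAUTH_SCOPES must include openid or no ID token is issued")
    return problems

def check_discovery(doc: dict, callback_accepts_post: bool) -> list:
    """Discovery-document sanity plus the 405 case: form_post needs a POST-capable callback."""
    problems = []
    if not str(doc.get("jwks_uri", "")).startswith("https://"):
        problems.append("discovery document has no https jwks_uri")
    if "form_post" in doc.get("response_modes_supported", []) and not callback_accepts_post:
        problems.append("provider may use response_mode=form_post; callback must accept POST")
    return problems

def preflight(env: dict, app: dict, discovery: dict, public_host: str, callback_accepts_post: bool = True) -> list:
    """Aggregate all checks; an empty list means the configuration is consistent."""
    problems = check_provider_url(env.get("OPENID_PROVIDER_URL", ""))
    problems += check_redirect_uri(public_host, app.get("redirect_uris", []))
    problems += check_app_record(app, env.get("OAUTH_SCOPES", "openid profile email"))
    problems += check_discovery(discovery, callback_accepts_post)
    if env.get("ENABLE_LOGIN_FORM", "true").lower() != "false":
        problems.append("ENABLE_LOGIN_FORM is not false: password login stays open beside SSO")
    return problems

# Constructed samples (not real OCI data): a consistent configuration and a broken one.
GOOD_ENV = {"OPENID_PROVIDER_URL": "https://idcs-test.identity.oraclecloud.com/.well-known/openid-configuration",
            "OAUTH_SCOPES": "openid profile email", "ENABLE_LOGIN_FORM": "false"}
BAD_ENV = {"OPENID_PROVIDER_URL": "https://idcs-test.identity.oraclecloud.com:443/",
           "OAUTH_SCOPES": "openid profile email", "ENABLE_LOGIN_FORM": "true"}
APP = {"grant_types": ["authorization_code", "refresh_token"],
       "allowed_scopes": ["openid", "profile", "email"],
       "redirect_uris": ["https://chat.example.test/oauth/oidc/callback"]}
APP_MISCONFIGURED = {"grant_types": ["authorization_code"], "allowed_scopes": ["profile", "email"],
                     "redirect_uris": ["https://chat.example.test/oauth/oidc/callback/"]}
DISCOVERY = {"jwks_uri": "https://idcs-test.identity.oraclecloud.com/admin/v1/SigningCert/jwk",
             "response_modes_supported": ["query", "fragment", "form_post"]}

if __name__ == "__main__":
    for label, env, app in (("good", GOOD_ENV, APP), ("bad", BAD_ENV, APP_MISCONFIGURED)):
        print(label, preflight(env, app, DISCOVERY, "chat.example.test") or "OK")
```

For the broken sample the checker reports the :443 port and missing discovery path, the trailing-slash redirect URI, the missing refresh_token grant, the missing openid scope and the still-enabled login form; the consistent sample reports nothing. Feed it the decoded values from the oidc-credentials secret and the app record as shown in the console to reproduce the same result for a real deployment.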
Check OIDC Configuration
Verify the secret is synced correctly. The client ID and provider URL are safe to print; avoid echoing client-secret into a shared terminal or CI log, and check only that the key exists if needed:
```bash
# Check ExternalSecret status
kubectl get externalsecret oidc-credentials-sync

# View secret contents (base64 decoded)
kubectl get secret oidc-credentials -o jsonpath='{.data.client-id}' | base64 -d
kubectl get secret oidc-credentials -o jsonpath='{.data.provider-url}' | base64 -d
```
View Open WebUI Logs
```bash
# Follow logs
kubectl logs -f deploy/open-webui

# Check for OIDC errors
kubectl logs deploy/open-webui | grep -i "oauth\|oidc\|401\|error"
```
Connection to Gemma Failed
Check Gemma pod is healthy:
```bash
kubectl get pods -l app=gemma
kubectl logs -f deploy/gemma -c llama-server
```
Kubernetes Manifests
| File | Purpose |
|---|---|
| argocd/apps/open-webui/deployment.yaml | Pod specification with OIDC env vars |
| argocd/apps/open-webui/service.yaml | ClusterIP service on port 8080 |
| argocd/apps/open-webui/httproute.yaml | Gateway routing for chat.k8s.sudhanva.me |
| argocd/infrastructure/managed-secrets/secrets.yaml | ExternalSecret for oidc-credentials |
| argocd/infrastructure/envoy-gateway/config.yaml | HTTPS listener for chat subdomain |
| argocd/infrastructure/envoy-gateway/dnsendpoint.yaml | DNS record for chat.k8s.sudhanva.me |
Configuration Checklist
Use this checklist when setting up Open WebUI with OIDC:
- Terraform creates OCI Identity Domain application
- Terraform stores credentials in OCI Vault
- Enable Authorization Code grant type in OCI Console
- Enable Refresh Token grant type in OCI Console
- Add openid, profile, email scopes
- Enable Configure client access for signing certificate
- Assign users to the application
- ExternalSecret syncs to the oidc-credentials secret
- Open WebUI pod starts without errors
- OIDC login works end-to-end