Using oauth_callbac

[sh-js]

Hi Chainlit team 👋
I’m trying to implement two authentication methods in the same Chainlit app depending on how the app is opened:

✅ Browser users → OAuth authentication (oauth_callback)

✅ Microsoft Teams tab users → Header-based authentication (header_auth_callback)

Use case

When the app is opened in a normal browser, I want to use Azure AD OAuth redirect flow.

When the app is opened inside Microsoft Teams (as a tab app, not a bot), Teams injects an Azure AD JWT token in the request headers, so I want to validate it using header_auth_callback.

Current Implementation
In app.py I added:

@cl.oauth_callback
async def oauth_callback(
    provider_id: str,
    token: str,
    raw_user_data: dict[str, str],
    default_user: cl.User,
    id_token: str | None = None,
) -> cl.User | None:
    """
    Handle OAuth authentication for browser users.
    Called after Azure AD redirect with authorization code.
    Sets cookie that authenticates both HTTP and WebSocket requests.
    """
    return await oauth_callback_function(provider_id, token, raw_user_data, default_user, id_token)


@cl.header_auth_callback
async def header_auth_callback(headers: Dict) -> Optional[cl.User]:
    """
    Handle token-based authentication for Teams users.
    Validates Azure AD JWT token from Authorization header.
    Called on each HTTP request that includes: Authorization: Bearer <token>
    WebSocket authentication is handled by socket_patch.py (same validation logic).
    """
    return await header_auth_callback_function(headers)

Problem
When I open the app in a regular browser, Chainlit still triggers header_auth_callback, which causes authentication to fail because the browser request doesn’t include the Teams Authorization header.
It looks like header_auth_callback is executed on every request, even when OAuth should be used instead.

Questions

Is it currently supported to use both oauth_callback and header_auth_callback in the same app?

Is there a recommended way to conditionally choose authentication based on request context (e.g., presence of headers, Teams environment, etc.)?
Should header_auth_callback return None when no Authorization header exists, or is there a better pattern?
Is there any official example combining OAuth with header-based auth?
Goal
I want:
Browser → OAuth login
Teams tab → Header JWT validation
Shared session after authentication
Thanks in advance for your help!

[dosubot]

Chainlit does not currently support a robust way to combine both oauth_callback and header_auth_callback in the same app without issues. When both are enabled, header_auth_callback is triggered on every request—even for browser users—so if it returns None (e.g., no Authorization header), the frontend can get stuck in an authentication loop, causing repeated login attempts and UI blinking. This is a known limitation and there is no official example or recommended pattern for combining these two methods cleanly in Chainlit right now [source].

The common workaround is to have header_auth_callback check for the Authorization header and return None if it's missing, but this doesn't fully solve the problem because the callback is still called on every request, which can cause frontend issues [source]. Some users try to short-circuit the callback if a session cookie is already present, but this is not always reliable and doesn't address the root cause [source].

There are no official examples or documentation for combining OAuth and header-based authentication in Chainlit, and users report difficulties and bugs with this approach [source]. For now, the most stable approach is to use only one authentication method at a time. If you need both, you may need to implement custom logic outside of Chainlit or wait for improved multi-method authentication support in future releases.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[github-actions]

This issue is stale because it has been open for 14 days with no activity.