Support intro
Sorry to hear you’re facing problems. 
The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.
If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.
Getting help
In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.
Before clicking submit: Please check if your query is already addressed via the following resources:
- Official documentation (searchable and regularly updated)
- How to topics and FAQs
- Forum search
(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).
Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can.
The Basics
- Nextcloud Server version (e.g., 29.x.x):
32.0.2
- Operating system and version (e.g., Ubuntu 24.04):
debian 13
- Web server and version (e.g., Apache 2.4.25):
2.4.65-2
- Reverse proxy and version (e.g. nginx 1.27.2):
traefik
- PHP version (e.g., 8.3):
8.3.28
- Is this the first time you’ve seen this error? (Yes / No):
yes
- When did this problem seem to first start?
replace me
- Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
official nextcloud docker image
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
No
Summary of the issue you are facing:
I am trying to achieve authentication with users' X509 certificates through Keycloak. I have 3 containers with docker-compose:
- traefik
- keycloak
- nextcloud
For OpenID I am using the user_oidc app.
I achieve authentication on the Keycloak side and am able to see in the browser the option to select a certificate and confirm it. Also, I see in Keycloak that the user was logged in. But with the last redirection I got:
Access forbidden
- Failed to contact the OIDC provider token endpoint
And 403 response
Steps to replicate it (hint: details matter!):
The key point I am stuck on is that I am using 2 routes on Traefik: one for browser certificate auth with TLS, and a second one without, to allow Nextcloud to read /.well-known/openid-configuration. But I could not find out how to provide 2 different URIs for user_oidc in such a case.
Log entries
Nextcloud
Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.
PASTE HERE
Web Browser
If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.
GET
scheme: https
host: nextcloud.3-psi.com
filename: /index.php/apps/user_oidc/code
state: 13YAVM1RHF4RHN4DIFINSZ10J4MBFVEV
session_state: f17fd993-9975-4e80-b2e2-aed6956362ce
iss: https://auth.3-psi.com/realms/3-psi
code: 87e11aff-87d5-40d6-a213-85709c02af00.f17fd993-9975-4e80-b2e2-aed6956362ce.5fd0196e-e4bc-4a04-ad32-2e743f53dc16
Address: 192.168.20.205:443
Status: 403
Version: HTTP/2
Transferred: 6.66 kB (4.96 kB size)
Referrer Policy: no-referrer
Request Priority: Highest
DNS Resolution: System
Web server / Reverse Proxy
The output of your Apache/nginx/system log in /var/log/____:
2026-01-16T11:24:45Z DBG github.com/traefik/traefik/v3/pkg/middlewares/snicheck/snicheck.go:43 > TLS options difference: SNI:no-mtls@file, Header:mtls@file host=auth.3-psi.com req.Host=auth.3-psi.com req.TLS.ServerName=nextcloud.3-psi.com
2026-01-16T11:24:46Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 192b05d160d3f836
2026-01-16T11:24:49Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 192b05d160d3f836
2026-01-16T11:24:49Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 643a9fc86dcf459e
2026-01-16T11:24:49Z DBG log/log.go:245 > http: TLS handshake error from 192.168.20.206:37350: tls: client didn't provide a certificate
Configuration
Nextcloud
The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):
192.168.20.1 - - [16/Jan/2026:11:07:09 +0000] "GET /index.php/apps/user_oidc/code?state=13YAVM1RHF4RHN4DIFINSZ10J4MBFVEV&session_state=f17fd993-9975-4e80-b2e2-aed6956362ce&iss=https%3A%2F%2Fauth.3-psi.com%2Frealms%2F3-psi&code=87e11aff-87d5-40d6-a213-85709c02af00.f17fd993-9975-4e80-b2e2-aed6956362ce.5fd0196e-e4bc-4a04-ad32-2e743f53dc16 HTTP/1.1" 403 6669 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0"
Apps
The output of occ app:list (if possible).
Enabled:
activity: 5.0.0-dev.0
admin_audit: 1.22.0
bruteforcesettings: 5.0.0-dev.0
cloud_federation_api: 1.16.0
comments: 1.22.0
contactsinteraction: 1.13.1
dashboard: 7.12.0
dav: 1.34.2
federatedfilesharing: 1.22.0
federation: 1.22.0
files: 2.4.0
files_reminders: 1.5.0
files_sharing: 1.24.1
files_trashbin: 1.22.0
firstrunwizard: 5.0.0-dev.0
logreader: 5.0.0-dev.0
lookup_server_connector: 1.20.0
nextcloud_announcements: 4.0.0-dev.0
notifications: 5.0.0-dev.0
oauth2: 1.20.0
password_policy: 4.0.0-dev.0
photos: 5.0.0-dev.1
privacy: 4.0.0-dev.0
profile: 1.1.0
provisioning_api: 1.22.0
recommendations: 5.0.0-dev.0
serverinfo: 4.0.0-dev.0
settings: 1.15.1
sharebymail: 1.22.0
support: 4.0.0-dev.0
survey_client: 4.0.0-dev.0
systemtags: 1.22.0
text: 6.0.1
theming: 2.7.0
twofactor_backupcodes: 1.21.0
updatenotification: 1.22.0
user_oidc: 8.3.0
user_status: 1.12.0
viewer: 5.0.0-dev.0
weather_status: 1.12.0
webhook_listeners: 1.3.0
workflowengine: 2.14.0
Disabled:
app_api: 32.0.0 (installed 32.0.0)
circles: 32.0.0 (installed 32.0.0)
encryption: 2.20.0
files_downloadlimit: 5.0.0-dev.0 (installed 5.0.0-dev.0)
files_external: 1.24.0
files_pdfviewer: 5.0.0-dev.0 (installed 5.0.0-dev.0)
files_versions: 1.25.0 (installed 1.25.0)
related_resources: 3.0.0-dev.0 (installed 3.0.0-dev.0)
suspicious_login: 10.0.0-dev.0
twofactor_nextcloud_notification: 6.0.0-dev.0
twofactor_totp: 14.0.0
user_ldap: 1.23.0
Tips for increasing the likelihood of a response
- Use the preformatted text formatting option in the editor for all log entries and configuration output.
- If screenshots are useful, feel free to include them.
- If possible, also include key error output in text form so it can be searched for.
- Try to edit log output only minimally (if at all) so that it can be run through analyzers / formatters by those trying to help you.
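An added example, not part of the original post: a small parser for the Traefik debug lines quoted above that pulls out the two TLS events in them (the snicheck SNI/Host TLS-options difference and the handshake rejected for lack of a client certificate) and counts certificate-less handshakes per source address. The function names are assumptions chosen for this example; the sample input is copied from the post.

```python
import re
from collections import Counter

# Sample input: Traefik debug lines copied from the post above.
SAMPLE_LOG = """\
2026-01-16T11:24:45Z DBG github.com/traefik/traefik/v3/pkg/middlewares/snicheck/snicheck.go:43 > TLS options difference: SNI:no-mtls@file, Header:mtls@file host=auth.3-psi.com req.Host=auth.3-psi.com req.TLS.ServerName=nextcloud.3-psi.com
2026-01-16T11:24:49Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 643a9fc86dcf459e
2026-01-16T11:24:49Z DBG log/log.go:245 > http: TLS handshake error from 192.168.20.206:37350: tls: client didn't provide a certificate
"""

# snicheck: TLS options chosen by SNI differ from those of the Host header.
SNI_MISMATCH = re.compile(
    r"^(?P<ts>\S+) .*TLS options difference: SNI:(?P<sni_opt>[^,\s]+), "
    r"Header:(?P<host_opt>\S+) .*req\.Host=(?P<host>\S+) "
    r"req\.TLS\.ServerName=(?P<sni>\S+)"
)
# Handshake rejected because the peer presented no client certificate.
NO_CLIENT_CERT = re.compile(
    r"^(?P<ts>\S+) .*TLS handshake error from (?P<peer>[\d.]+):\d+: "
    r"tls: client didn't provide a certificate"
)


def analyze(log_text):
    """Return one dict per TLS event of interest, in log order."""
    findings = []
    for line in log_text.splitlines():
        for kind, rx in (("sni_host_mismatch", SNI_MISMATCH),
                         ("no_client_cert", NO_CLIENT_CERT)):
            m = rx.search(line)
            if m:
                findings.append({"kind": kind, **m.groupdict()})
                break
    return findings


def peers_without_cert(findings):
    """Count certificate-less handshakes per source address."""
    return dict(Counter(f["peer"] for f in findings
                        if f["kind"] == "no_client_cert"))


if __name__ == "__main__":
    events = analyze(SAMPLE_LOG)
    for e in events:
        print(e)
    print("no client cert:", peers_without_cert(events))
```

Matching the reported peer address against the container addresses shows which client is reaching the entry point that requires a certificate.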



