Error connecting desktop app to self-deployed nextcloud: "state token does not match"

Nextcloud version (eg, 12.0.2): 16.0.4 (as a docker image)
Operating system and version (eg, Ubuntu 17.04): armbian stretch

The issue you are facing:

My nextcloud is deployed through docker behing a nginx proxy with a public domain with correct setup of ssl.
Web access works well.

When trying to connect the desktop app to the nextcloud instance (using its public name), I get an error “access denied. State token does not match”

e.g: trying to connect with URL
I get to the authentication page, after login, I get the error

However I am able to connect if I provide the LAN IP of nextcloud as URL (e.g:

Admin > Logging: generates no log in the when trying to authenticate (all log messages are old and not relevant to this issue)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
  'passwordsalt' => *no*,
  'secret' => *nono*,
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => '',
    2 => '',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'no',
  'dbhost' => 'nono',
  'dbport' => 'nonono',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => 'nonononono',
  'installed' => true,
  'instanceid' => 'dunno',

The output of your Apache/nginx/system log in /var/log/____:

Logs are pretty empty. I see a request from the client to /login/flow/grant ending in 403 in apache2 logs though maybe?

Had a similar problem.
Solution: Configure HSTS (HTTP Strict Transport Security) on the nginx proxy that internally forwarded to the Nextcloud container.

Can you connect via Android/iOS App with QR-Code?

@himbeere I already posted, the issue is opened and no progress has been made so far

I added HSTS on the reverse proxy, the problem still persist. Since we are talking about security, I configured nginx to redirect each HTTP request to its HTTPS counterpart (not related afaik).
I also tested connecting my phone with the QR code and it works, the QR code showed me the public domain, everything seems fine on this part. I don’t get why desktop clients are failing.

Okay, in case someone had the same issue, here is what was wrong in my conf:

The nginx reverse proxy should forward client infos through X-Forward ‘like’ headers

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

This is somewhat documented in this section

1 Like