Error connecting desktop app to self-deployed nextcloud: "state token does not match"

Nextcloud version (eg, 12.0.2): 16.0.4 (as a docker image)
Operating system and version (eg, Ubuntu 17.04): armbian stretch

The issue you are facing:

My nextcloud is deployed through docker behind an nginx proxy with a public domain with correct setup of ssl.
Web access works well.

When trying to connect the desktop app to the nextcloud instance (using its public name), I get an error “access denied. State token does not match”

e.g: trying to connect with URL https://nextcloud.mydomain.com
I get to the authentication page, after login, I get the error

However I am able to connect if I provide the LAN IP of nextcloud as URL (e.g: http://192.168.0.66)

Admin > Logging: generates no log when trying to authenticate (all log messages are old and not relevant to this issue)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => *no*,
  'secret' => *nono*,
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.mydomain.com',
    2 => '192.168.0.66',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '16.0.4.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'no',
  'dbhost' => 'nono',
  'dbport' => 'nonono',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => 'nonononono',
  'installed' => true,
  'instanceid' => 'dunno',
);

The output of your Apache/nginx/system log in /var/log/____:

Logs are pretty empty. I see a request from the client to /login/flow/grant ending in 403 in apache2 logs though

https://github.com/nextcloud/desktop/issues/1284 maybe?

Had a similar problem.
Solution: Configure HSTS (HTTP Strict Transport Security) on the nginx proxy that internally forwarded to the Nextcloud container.

Can you connect via Android/iOS App with QR-Code?

@himbeere I already posted, the issue is opened and no progress has been made so far

@stoniemahonie
I added HSTS on the reverse proxy, the problem still persists. Since we are talking about security, I configured nginx to redirect each HTTP request to its HTTPS counterpart (not related afaik).
I also tested connecting my phone with the QR code and it works, the QR code showed me the public domain, everything seems fine on this part. I don’t get why desktop clients are failing.

Okay, in case someone had the same issue, here is what was wrong in my conf:

The nginx reverse proxy should forward client info through X-Forward ‘like’ headers

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

This is somewhat documented in this section https://docs.nextcloud.com/server/15/admin_manual/configuration_server/reverse_proxy_configuration.html

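A check for the fix described above, as an added example (not code from the thread, nginx or Nextcloud): it reports every block containing `proxy_pass` that does not end up with the four `proxy_set_header` lines, applying nginx's rule that a level inherits these directives from the outer level only when it defines none of its own. The sample config and its `/push/` location are constructed, and the parser is a simplified one that assumes no quoted strings, `${var}` syntax or `include` files.

```python
import re

# The four headers from the fix above (nginx header names are case-insensitive).
REQUIRED = {"host", "x-real-ip", "x-forwarded-for", "x-forwarded-proto"}
# Constructed sample config; /push/ is a hypothetical location, not from the thread.
SAMPLE = """
server {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / { proxy_pass http://192.168.0.66; }
    location /push/ { proxy_set_header Upgrade $http_upgrade;
                      proxy_pass http://192.168.0.66; }  # loses the four above
}
"""

def parse(tokens, i=0):
    """Build a tree of (args, children) directives; children is None for 'x y;'."""
    out, args = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "}":
            break
        if tok == "{":
            children, i = parse(tokens, i)
            out.append((args, children)); args = []
        elif tok == ";":
            out.append((args, None)); args = []
        else:
            args.append(tok)
    return out, i

def missing_headers(conf):
    """Map every block that contains proxy_pass to the required headers it lacks."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    findings = {}
    def walk(directives, inherited, path):
        own = {a[1].lower() for a, c in directives
               if c is None and len(a) >= 3 and a[0] == "proxy_set_header"}
        # nginx inherits proxy_set_header only when this level sets none itself.
        effective = own or inherited
        if any(c is None and a[:1] == ["proxy_pass"] for a, c in directives):
            findings[path] = sorted(REQUIRED - effective)
        for a, c in directives:
            if c is not None:
                walk(c, effective, (path + " > " if path else "") + " ".join(a))
    walk(parse(tokens)[0], set(), "")
    return findings
```

`missing_headers(SAMPLE)` returns an empty list for `server > location /` and all four header names for `server > location /push/`; the check looks only at which headers are set, not at the values assigned to them.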