First login with Desktop/iOS/Android App fails

Hi,

we have problems here with the app/desktop login.

Symptoms

  • First login using the app (technically: login flow v2) opens the browser
  • the login page says “you are logged in”, then you try to grant access
  • you get redirected back to the login page in the browser
  • if you try to log in a second time, you sometimes get “forbidden state token”

Workarounds

  • In our cases, it always (?) seems to work whenever you are already logged in in the browser before you start the process in the app/desktop.
  • Sometimes it works when you leave the login window open and start the process anew; it seems the session in the browser remembers a previous login grant. It is unclear whether a race condition is the problem.
  • A hint for a solution: if you tried to log in with a first user the first time, then restart the process and log in with a second user and get access, it is the access of the first user (!)

Setup/Versions this happens

  • NC 29.x, NC 30.x, NC 31.x (latest at the moment: 29.0.16, 30.0.10, 31.0.4), all dockerized using the community docker image with no modifications
  • nginx reverse proxy using the recommended settings from the docs
  • with and without the high performance backend (notify_push)
  • several client versions, e.g. “3.16.3daily (Ubuntu)”, “com.nextcloud.client v3.31.1”, “iOS”
  • users log in using LDAP/AD
  • some have 2FA enabled, some not; it happens with both

Links/reports that we recognized:

checks that we tried to rule out

  • “overwriteprotocol” set to “https”: this was always the case
  • turned the high performance backend off/on
  • tried to put all possible IPs into the “trusted proxies” array, since the containers get different IPs once in a while
  • we don’t use some old fcgi Apache module but the php-fpm docker container
  • we don’t use HTTP/3

educated guesses

Any more suggestions?
Thanks!
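
A check for the two reverse-proxy settings listed above (overwriteprotocol and trusted_proxies), as an added example that is not part of the original post or of Nextcloud itself. It takes the JSON that `occ config:list system` prints (assumed here to carry a top-level "system" key with the config.sample.php key names; the sample config and the container addresses are constructed), reports proxy addresses that no trusted_proxies entry covers, and proposes the smallest CIDR range covering them. Nextcloud accepts CIDR notation in trusted_proxies, which sidesteps the changing container IPs mentioned above; keep the range limited to the proxy network, because every host in it is allowed to set X-Forwarded-For.

```python
"""Audit Nextcloud system config for the reverse-proxy settings that matter
behind nginx in Docker: overwriteprotocol and trusted_proxies.
Added example; the config and the observed proxy addresses are constructed."""
import ipaddress
import json

# Constructed sample in the shape `occ config:list system` prints
# (assumed: top-level "system" key, key names from config.sample.php).
SAMPLE_CONFIG_JSON = json.dumps({
    "system": {
        "overwriteprotocol": "https",
        "overwritehost": "cloud.example.org",
        "overwrite.cli.url": "https://cloud.example.org",
        "trusted_proxies": ["172.18.0.5", "172.18.0.6"],
    }
})

# Constructed: addresses the nginx container has been seen with
# (e.g. from `docker network inspect` or as REMOTE_ADDR at php-fpm).
SEEN_PROXY_IPS = ["172.18.0.5", "172.18.0.6", "172.18.0.9"]


def load_system_config(config_json):
    return json.loads(config_json)["system"]


def parse_trusted_proxies(entries):
    """Accept single IPs or CIDR ranges; a bare IP becomes a /32 or /128."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Hostnames are not usable here; surface them instead of ignoring them.
            raise ValueError(f"trusted_proxies entry is not an IP or CIDR: {entry!r}")
    return networks


def uncovered_proxies(system, seen_ips):
    """Proxy addresses no trusted_proxies entry matches.  For requests from such
    an address Nextcloud does not honour the X-Forwarded-* headers and records
    the proxy, not the user, as the client address."""
    networks = parse_trusted_proxies(system.get("trusted_proxies", []))
    return [ip for ip in seen_ips
            if not any(ipaddress.ip_address(ip) in net for net in networks)]


def smallest_covering_cidr(ips):
    """Smallest prefix containing every address: widen a /32 (or /128) until it fits."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    if len({a.version for a in addrs}) != 1:
        raise ValueError("mixed IPv4/IPv6 addresses need separate ranges")
    net = ipaddress.ip_network(addrs[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


def audit(config_json, seen_ips):
    """Return a list of human-readable findings; empty means the checks passed."""
    system = load_system_config(config_json)
    findings = []
    if system.get("overwriteprotocol") != "https":
        findings.append("overwriteprotocol is not 'https'; behind a TLS-terminating "
                        "proxy, generated redirect URLs will use http://")
    cli_url = system.get("overwrite.cli.url", "")
    if cli_url and not cli_url.startswith("https://"):
        findings.append(f"overwrite.cli.url {cli_url!r} is not https://")
    missing = uncovered_proxies(system, seen_ips)
    if missing:
        findings.append(
            f"proxy addresses {missing} are not in trusted_proxies; cover the proxy "
            f"network with one range such as {smallest_covering_cidr(seen_ips)} "
            "(prefer the Docker network's own CIDR; every host in the range may "
            "set X-Forwarded-For, so do not widen it beyond the proxy network)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG_JSON, SEEN_PROXY_IPS):
        print("FINDING:", finding)
```

Run as-is it audits the embedded sample and reports the one uncovered address (172.18.0.9) with 172.18.0.0/28 as the tightest covering range; on a real instance, replace SAMPLE_CONFIG_JSON with the output of `occ config:list system` run inside the app container and SEEN_PROXY_IPS with the addresses of the proxy container.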

Same issue here (current iOS, current devices and current Nextcloud server 31.0.4 and apps).

To be honest, I gave up reporting any further login problems after the main errors were fixed a couple of weeks ago; back then, login was not possible at all anymore with the Nextcloud and Nextcloud Talk apps.
I still often have the same problem as stated here (“forbidden token”), or even that from time to time accounts somehow get totally removed from the apps and need to be reconfigured to work again for an unspecifiable time.
Actually, it’s not a satisfying situation, but all in all access and the apps themselves work.
But I would be very happy to have stable authentication and authorization back again.

@cw4u

Thanks for the reaction.
Do you have LDAP enabled, or do your users use a non-Nextcloud-native authentication mechanism?

I figured that this might be an important change to the default.

There have been some recent bugfixes in the Files iOS app regarding login; I think they are in 6.6.1 from a few days ago.

That is not normal at all. Only in Files or also in Talk? In Files the logout should be logged in the communication log. Otherwise I suggest checking the web server log for which request returned 401.
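
Following the suggestion above to check the web server log, here is an added example (not from the thread and not Nextcloud's own code) that parses nginx combined-format access log lines, lists the Login Flow v2 requests and every 401/403 per client, and flags the pattern from the first post: a POST to the grant endpoint answered with a redirect whose next request from the same browser is the login page again. The log lines are constructed, and the Login Flow v2 paths (/index.php/login/v2, /login/v2/flow/<token>, /login/v2/grant, /login/v2/poll) are assumed from the Nextcloud routes; adjust the regular expression if nginx uses a custom log_format.

```python
"""Triage an nginx access log (combined format) for Login Flow v2 traffic and
for requests answered 401/403.  Added example; the log lines are constructed."""
import re
import sys
from collections import defaultdict

# nginx "combined" log_format (assumed); adapt for a custom format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Login Flow v2 endpoints all live under /login/v2 (assumed from the Nextcloud
# routes); the login page is where the browsers in the thread end up.
FLOW_MARKER = "/login/v2"
LOGIN_PAGES = {"/login", "/index.php/login"}

# Constructed log lines imitating the symptom: the desktop client starts the
# flow, the browser loads the flow page, posts the grant, is redirected to the
# login page, and the client's poll keeps getting 404.  A later DAV request
# with a stale credential shows what a 401 would look like.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:00:01 +0200] "POST /index.php/login/v2 HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Linux) mirall/3.16.3daily (Nextcloud, ubuntu-6.8.0)"
198.51.100.9 - - [10/May/2025:10:00:05 +0200] "GET /index.php/login/v2/flow/abc HTTP/2.0" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
198.51.100.9 - - [10/May/2025:10:00:20 +0200] "POST /index.php/login/v2/grant HTTP/2.0" 303 0 "https://cloud.example.org/index.php/login/v2/flow/abc" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
198.51.100.9 - - [10/May/2025:10:00:20 +0200] "GET /index.php/login HTTP/2.0" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
203.0.113.7 - - [10/May/2025:10:00:21 +0200] "POST /index.php/login/v2/poll HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Linux) mirall/3.16.3daily (Nextcloud, ubuntu-6.8.0)"
203.0.113.7 - - [10/May/2025:10:00:30 +0200] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Linux) mirall/3.16.3daily (Nextcloud, ubuntu-6.8.0)"
"""


def strip_query(path):
    return path.split("?", 1)[0]


def parse_log(text):
    """One dict per parseable line, in file order; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def login_flow_requests(records):
    """Requests that belong to the app login: the flow endpoints plus the login page."""
    return [r for r in records
            if FLOW_MARKER in r["path"] or strip_query(r["path"]) in LOGIN_PAGES]


def denied_requests(records):
    """What the reply above asks for: which requests were answered 401 (or 403)."""
    return [r for r in records if r["status"] in ("401", "403")]


def grant_bounced(records):
    """Clients whose POST to the grant endpoint got a redirect and whose very next
    request was the login page.  A completed grant normally ends on a confirmation
    page, so this sequence is the failure the first post describes."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    bounced = []
    for ip, reqs in by_ip.items():
        for prev, nxt in zip(reqs, reqs[1:]):
            if (prev["method"] == "POST"
                    and strip_query(prev["path"]).endswith("/login/v2/grant")
                    and prev["status"].startswith("3")
                    and nxt["method"] == "GET"
                    and strip_query(nxt["path"]) in LOGIN_PAGES):
                bounced.append(ip)
                break
    return bounced


def report(text):
    """Human-readable triage lines for one log excerpt."""
    records = parse_log(text)
    lines = [f'{r["ip"]} {r["time"]} {r["method"]} {r["path"]} -> {r["status"]}'
             for r in login_flow_requests(records)]
    lines += [f'DENIED {r["ip"]} {r["method"]} {r["path"]} -> {r["status"]} ({r["agent"]})'
              for r in denied_requests(records)]
    lines += [f"BOUNCED {ip}: grant was redirected and the browser landed on the login page"
              for ip in grant_bounced(records)]
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Pass the path of an access log as the first argument to run it on real data; without an argument it uses the constructed excerpt. Correlating the browser's grant POST with the app's poll responses (404 until the grant succeeds) by timestamp is what tells a lost browser session apart from a client that simply stopped polling.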