Issue with sign-in with 2FA behind proxy

Steps to reproduce

  1. Open the Nextcloud app on iOS
  2. Sign in to https://cloud.my.domain
  3. Enter the 2FA code from the Authenticator app

Expected behaviour

Successful sign in to my account

Actual behaviour

I get the following error with TOTP (actual domain replaced with my.domain and parameters after login/flow/grant? removed):

The operation couldn’t be completed. (NSURLErrorDomain error -999.)
_WKRecoveryAttempterErrorKey <WKReloadFrameErrorRecoveryAttempter: 0x28348f300>
NSErrorFailingURLStringKey https://cloud.my.domain/login/challenge/totp?redirect_url=/login/flow/grant?[…]
NSErrorFailingURLKey https://cloud.my.domain/login/challenge/totp?redirect_url=/login/flow/grant?[…]

I believe this is similar to a 502 on non-Apple clients.

And when using email, I get this error:

The operation couldn’t be completed. (NSURLErrorDomain error -999.)
_WKRecoveryAttempterErrorKey

NSErrorFailingURLKey https://cloud.braun.house/login/flow/grant?clientIdentifier=&user=&direct=0&stateToken=[token removed]

Are clientIdentifier etc. meant to be empty?

The weird thing is that after I click on “OK”, it displays Nextcloud as a logged-in website; it just doesn’t actually link it to the app.

Sign-in for non-2FA accounts works fine.

Security Setups and Warnings says “all checks passed”

Server configuration

Unraid with the Nextcloud Docker image and Nginx Proxy Manager

https://cloud.my.domain → Nginx Proxy Manager (with Let’s Encrypt certificate, force HTTPS, HTTP/2, HSTS, webfinger etc. specified according to the Nextcloud documentation) → http://192.168.xx.yy:httpport

Version: (see admin page)
25.0.3

Updated from an older version or fresh install:
Fresh install, restored from a previous server running on Ubuntu (also version 25.0.3, though)

The content of config/config.php:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'id',
  'passwordsalt' => 'salt',
  'secret' => 'secret',
  'trusted_domains' => 
  array (
    0 => '192.168.xx.yy:port',
    1 => 'cloud.my.domain',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.xx.yy',
  ),
  'overwrite.cli.url' => 'https://cloud.my.domain',
  'dbtype' => 'mysql',
  'version' => '25.0.3.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'ip',
  'dbport' => 'port',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'dbuser',
  'dbpassword' => 'dbpasswd',
  'installed' => true,
  'overwriteprotocol' => 'https',
  'default_phone_region' => 'DE',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
);

If you need more details, I’ll happily provide them; however, it feels like the solution is something like adding another location-forwarding thing to the nginx config…
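As an added example (not part of the original post and not Nextcloud's own tooling), here is a small Python checker that parses the `$CONFIG` array out of a config.php like the one above and reports the reverse-proxy settings that most often produce broken redirects behind a TLS-terminating proxy: an empty or malformed `trusted_proxies`, an `overwrite.cli.url` host that is not in `trusted_domains`, and an https `overwrite.cli.url` without `overwriteprotocol`. It also rejects a config with an unterminated string literal, the kind of slip that appears in the pasted config. The sample configs are constructed with placeholder values (RFC 5737 addresses, no real secrets), and the parser only understands the `array ( ... )` subset Nextcloud writes, not arbitrary PHP.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the shape of the config.php from the post (placeholders only).
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => '192.0.2.10:8080',
    1 => 'cloud.my.domain',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.0.2.1',
  ),
  'overwrite.cli.url' => 'https://cloud.my.domain',
  'overwriteprotocol' => 'https',
  'twofactor_enforced' => 'false',
);
"""

# Constructed sample reproducing an unterminated string literal ('secret,).
BROKEN_CONFIG = """<?php
$CONFIG = array (
  'secret' => 'secret,
  'trusted_domains' =>
  array (
    0 => 'cloud.my.domain',
  ),
);
"""

_TOKEN_RE = re.compile(
    r"'((?:[^'\\]|\\.)*)'"      # single-quoted PHP string      (group 1)
    r"|(true|false|null)"       # bare literals                 (group 2)
    r"|(-?\d+)"                 # integer array keys            (group 3)
    r"|(array|=>|\(|\)|,)",     # structural tokens             (group 4)
    re.IGNORECASE,
)

def tokenize(text, start):
    """Tokenize the PHP array literal after '$CONFIG =', failing on anything unexpected."""
    tokens, pos = [], start
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        if text[pos] == ';':          # end of the $CONFIG statement
            break
        m = _TOKEN_RE.match(text, pos)
        if not m:
            line = text.count('\n', 0, pos) + 1
            raise SyntaxError(f"unexpected text at line {line}: {text[pos:pos + 20]!r}")
        if m.group(1) is not None:
            tokens.append(('str', m.group(1).replace("\\\\", "\\").replace("\\'", "'")))
        elif m.group(2) is not None:
            tokens.append(('lit', {'true': True, 'false': False, 'null': None}[m.group(2).lower()]))
        elif m.group(3) is not None:
            tokens.append(('int', int(m.group(3))))
        else:
            tokens.append(('sym', m.group(4).lower()))
        pos = m.end()
    return tokens

def _parse_value(tokens, i):
    """Recursive-descent parse of one value; arrays become dicts keyed by their PHP keys."""
    kind, val = tokens[i]
    if kind == 'sym' and val == 'array':
        if tokens[i + 1] != ('sym', '('):
            raise SyntaxError("expected '(' after array")
        result, i = {}, i + 2
        while tokens[i] != ('sym', ')'):
            key_kind, key = tokens[i]
            if key_kind not in ('str', 'int') or tokens[i + 1] != ('sym', '=>'):
                raise SyntaxError(f"malformed array entry near token {i}")
            result[key], i = _parse_value(tokens, i + 2)
            if tokens[i] == ('sym', ','):
                i += 1
        return result, i + 1
    if kind in ('str', 'lit', 'int'):
        return val, i + 1
    raise SyntaxError(f"unexpected token {val!r}")

def parse_config(text):
    """Return the $CONFIG array of a Nextcloud config.php as a Python dict."""
    m = re.search(r"\$CONFIG\s*=\s*", text)
    if not m:
        raise SyntaxError("no $CONFIG assignment found")
    tokens = tokenize(text, m.end())
    try:
        cfg, end = _parse_value(tokens, 0)
    except IndexError:
        raise SyntaxError("unexpected end of config") from None
    if end != len(tokens):
        raise SyntaxError("trailing tokens after the $CONFIG array")
    return cfg

def check_reverse_proxy(cfg):
    """Findings about settings that matter when Nextcloud sits behind a reverse proxy."""
    findings = []
    proxies = list(cfg.get('trusted_proxies', {}).values())
    if not proxies:
        findings.append("trusted_proxies is empty: forwarded headers from the proxy are not trusted")
    for p in proxies:
        try:
            ipaddress.ip_network(p, strict=False)
        except ValueError:
            findings.append(f"trusted_proxies entry {p!r} is not an IP address or CIDR range")
    domains = [urlparse('//' + d).hostname for d in cfg.get('trusted_domains', {}).values()]
    cli_url = urlparse(cfg.get('overwrite.cli.url', ''))
    if cli_url.hostname and cli_url.hostname not in domains:
        findings.append(f"overwrite.cli.url host {cli_url.hostname!r} is not in trusted_domains")
    if cli_url.scheme == 'https' and cfg.get('overwriteprotocol') != 'https':
        findings.append("overwrite.cli.url is https but overwriteprotocol is not 'https'")
    return findings

def audit(text):
    """Parse and check a config.php; a syntax error is reported as a finding."""
    try:
        cfg = parse_config(text)
    except SyntaxError as exc:
        return [f"config.php does not parse: {exc}"]
    return check_reverse_proxy(cfg)

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

Run it against a real config by reading the file into `audit()`; the checks are deliberately limited to what the post's setup exercises (proxy trust, protocol override, trusted domains) and do not claim to diagnose the iOS login-flow error itself.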