macOS and iOS clients stuck in grant access loop

#1

I have NC 15 installed, currently in a snap container and in a Docker container behind an nginx reverse proxy, and both have the same issue. I can log in via the web, but sync clients get stuck in a login/grant access loop.

On my Mac I add a new account and enter the HTTPS URL that my proxy terminates. I get a NC login prompt, I enter my credentials, they are accepted and I get a ‘Grant Access’ button. Clicking on it takes me back to the ‘Log in’ button. Pressing that takes me directly to the Grant Access button, and so forth. When I log in via the web and go to Settings > Security I see a token for my sync client.

I don’t see anything odd in the nginx logs or the NC logs. I started out with Docker but then decided to stop that and try a snap instead. Exactly the same issue with both systems.

While troubleshooting, I tried using the IP of the NC host instead of my domain, hence bypassing my proxy, and I was able to connect without issue (got past Grant Access). The problem is that this will only work if my phone/computer are on the local network, and I’d prefer to use my domain.

Any suggestions of what I can do to either troubleshoot this or fix it? I should note that my nginx proxy is running in a docker container.

#2

Here are some configs:

Nginx Config

server {
    listen 80;
    server_name nextcloud.domain.tld;
    return 301 https://$server_name$request_uri;
}

server {
    listen              443 ssl;
    server_name         nextcloud.domain.tld;
    ssl                 on;   # redundant with "listen 443 ssl" and deprecated in newer nginx
    ssl_certificate     /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    # TLSv1 and TLSv1.1 are obsolete; current sync clients only need TLSv1.2 (and TLSv1.3 where nginx supports it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot

    client_max_body_size 4096M;

    location /.well-known {
        alias /var/www/nextcloud.domain.tld/.well-known;
    }

    location / {
        # proxy_set_header.inc is not shown in this thread; the backend can only learn the
        # original scheme and client IP if it sets X-Forwarded-Proto and X-Forwarded-For
        include conf.d/proxy_set_header.inc;
        proxy_pass http://172.22.1.12:81;   # backend is reached over plain HTTP
    }
}

Nextcloud Config

<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/snap/nextcloud/current/htdocs/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/snap/nextcloud/current/nextcloud/extra-apps',
      'url' => '/extra-apps',
      'writable' => true,
    ),
  ),
  'supportedDatabases' =>
  array (
    0 => 'mysql',
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/tmp/sockets/redis.sock',
    'port' => 0,
  ),
  'instanceid' => 'ocuko9445oth',
  'passwordsalt' => 'SALT',
  'secret' => 'PASSWORD',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.domain.tld',
    1 => '172.22.1.12:81',
    2 => '172.22.1.10',
  ),
  'datadirectory' => '/var/snap/nextcloud/common/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '15.0.7.0',
  'overwrite.cli.url' => 'https://nextcloud.domain.tld',
  'overwritehost' => 'nextcloud.domain.tld',
  'overwriteprotocol' => 'http',
  'overwritewebroot' => '/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/sockets/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'PASSWORD',
  'installed' => true,
  'maintenance' => false,
);

#3

As I mentioned above, my NC install lives behind a proxy. I’m running nginx inside of a Docker container. When I tail the logs while trying to log in, this is what I see.

172.22.1.104 - - [13/May/2019:11:21:16 -0600] "GET /index.php/login/flow/grant?clientIdentifier=&stateToken=qdHVWU9JZFVzzdtMiU9BiNZUMvgvcKCtgfxHOm8oKIDnk34c7CW4NSKxeL4SXask HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.22.1.104 - - [13/May/2019:11:21:16 -0600] "GET /index.php/login/flow/grant?clientIdentifier=&stateToken=qdHVWU9JZFVzzdtMiU9BiNZUMvgvcKCtgfxHOm8oKIDnk34c7CW4NSKxeL4SXask HTTP/1.1" 200 7444 "-" "Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.22.1.104 - - [13/May/2019:11:21:16 -0600] "GET /index.php/core/js/oc.js?v=d3dc0e9b HTTP/1.1" 200 5595 "-" "Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.22.1.104 - - [13/May/2019:11:21:33 -0600] "POST /index.php/login/flow HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.22.1.104 - - [13/May/2019:11:21:34 -0600] "GET /index.php/login/flow HTTP/1.1" 200 7981 "-" "Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.22.1.104 - - [13/May/2019:11:21:34 -0600] "GET /index.php/core/js/oc.js?v=d3dc0e9b HTTP/1.1" 200 5595 "-" "Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"

From what I can tell this all looks good. Not sure what else to try to get this working.

#4

After a lot of banging, I found the solution. I had a hunch the issue was with my proxy since I could connect directly via the IP. I used curl to identify the issue: curl -IL nextcloud.example.com. The actual issue was how NC was interacting with my proxy.

What I saw was that the proxy redirected the http traffic to https, and then NC redirected from https://domain.tld to http://domain.tld/login, back to http. Then the proxy redirected it back to https on that domain, which is when it succeeded. I guessed that this bouncing back and forth between http and https was what was causing the issue.

What ended up fixing the issue was updating my NC config so it wouldn’t keep redirecting back to http. I did this by adding the following lines to my config.

  'overwrite.cli.url' => 'https://nextcloud.example.com',
  'overwriteprotocol' => 'https',
  'trusted_proxies' => ['10.0.0.2'],

I added/updated all three lines at the same time, so I’m not sure what actually solved the issue, but I think it was the overwriteprotocol line that did it. In the trusted_proxies line, add the IP of the server that is acting as the proxy in front of Nextcloud.

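To make the mechanism behind post #4 concrete, here is an added example (not code from the original post and not Nextcloud's own source) that models how an application behind a TLS-terminating proxy decides which scheme to put in its redirects, and replays the http/https bounce the curl -IL output showed. The resolve_scheme() function is a simplified re-implementation of the precedence Nextcloud documents for overwriteprotocol, trusted_proxies and X-Forwarded-Proto; that ordering is an assumption about the real code. The host name, the proxy address 172.22.1.10 and the assumption that the proxy sends X-Forwarded-Proto: https are constructed to match the topology described in the thread.

```python
"""
Model of scheme resolution behind a TLS-terminating reverse proxy, and of the
http <-> https redirect bounce from post #4.

Added example, not Nextcloud's own code. resolve_scheme() is a simplified
re-implementation (an assumption) of the documented precedence of
overwriteprotocol, trusted_proxies and X-Forwarded-Proto. The addresses,
host name and proxy behaviour below are constructed to match the thread:
nginx at 172.22.1.10 301s http to https and proxies to the backend over plain HTTP.
"""
from ipaddress import ip_address, ip_network

PROXY_IP = "172.22.1.10"   # constructed: address the backend sees on proxied requests


def from_trusted_proxy(remote_addr, trusted_proxies):
    """True when REMOTE_ADDR falls inside one of the trusted_proxies entries
    (single IPs or CIDR ranges)."""
    addr = ip_address(remote_addr)
    return any(addr in ip_network(entry, strict=False) for entry in trusted_proxies)


def resolve_scheme(server, config):
    """Decide the scheme the app uses for redirects and absolute URLs.

    server: CGI-style environment (REMOTE_ADDR, HTTPS, HTTP_X_FORWARDED_PROTO).
    config: optional 'overwriteprotocol' and 'trusted_proxies'.
    Precedence: an explicit overwriteprotocol always wins; otherwise
    X-Forwarded-Proto is honoured only when the request came from a trusted
    proxy (any client could otherwise spoof the header); finally fall back to
    whether the backend connection itself was TLS.
    """
    forced = config.get("overwriteprotocol", "")
    if forced:
        return forced
    if from_trusted_proxy(server["REMOTE_ADDR"], config.get("trusted_proxies", [])):
        forwarded = server.get("HTTP_X_FORWARDED_PROTO")
        if forwarded:
            proto = forwarded.split(",")[0].strip().lower()
            return proto if proto in ("http", "https") else "http"
    if server.get("HTTPS", "") not in ("", "off"):
        return "https"
    return "http"


def follow_redirects(start_url, config, max_hops=8):
    """Replay what 'curl -IL' walks through in the thread's setup.

    The proxy 301s every http:// URL to https://. The backend, reached over
    plain HTTP from PROXY_IP with X-Forwarded-Proto: https, redirects the bare
    root to <scheme>://host/login using resolve_scheme(); any other path is
    served. Returns (list_of_urls, terminated).
    """
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        if scheme == "http":
            url = f"https://{host}/{path}"            # proxy: force TLS
        elif path == "":
            server = {"REMOTE_ADDR": PROXY_IP, "HTTPS": "",
                      "HTTP_X_FORWARDED_PROTO": "https"}
            url = f"{resolve_scheme(server, config)}://{host}/login"  # backend redirect
        else:
            return hops, True
        hops.append(url)
    return hops, False


def scheme_downgrades(hops):
    """Count https -> http transitions in a redirect chain; anything above
    zero is the bounce the thread's curl -IL output showed."""
    schemes = [u.split("://", 1)[0] for u in hops]
    return sum(1 for a, b in zip(schemes, schemes[1:]) if a == "https" and b == "http")


if __name__ == "__main__":
    broken = {"overwriteprotocol": "http"}                                # config in post #2
    fixed = {"overwriteprotocol": "https", "trusted_proxies": [PROXY_IP]}  # config in post #4
    for label, cfg in (("broken", broken), ("fixed", fixed)):
        hops, _ = follow_redirects("http://nextcloud.example.com", cfg)
        print(f"{label}: {' -> '.join(hops)}  downgrades={scheme_downgrades(hops)}")
```

Running it shows the broken chain http -> https -> http://…/login -> https://…/login (one downgrade) against the fixed chain with none. Two details worth noticing: with no overwriteprotocol and no trusted_proxies the bounce still happens even though nginx sends X-Forwarded-Proto, because the header from an unlisted source is deliberately ignored; and with trusted_proxies alone the header is honoured and the bounce disappears, so either of the two settings from post #4 would have been enough, provided the proxy_set_header include actually sets X-Forwarded-Proto.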