Nextcloud version: 34.0.0.12
Setup: Self-hosted, Nginx Proxy Manager reverse proxy, accessed only via LAN/VPN
Trusted domain: cloud.internal
Issue:
Login works fine everywhere except one specific flow:
- Browser login (PC, laptop, mobile, any browser): works
- Desktop app: works
- Mobile app via QR code: works
- Mobile app via manual credential login: broken
Hey y’all,
I’m running into a strange login issue and couldn’t find an existing thread that matches it exactly, so I’m posting here in case someone has hit the same thing.
When using the manual login flow on the mobile app, it opens the system browser, I log in successfully, and the page says “device/account connected, close this window and go back to the app.” But when I return to the app, it’s still waiting for the browser login to complete — the browser never automatically redirects back to the app (no custom URL scheme handoff happens).
I’m using self-signed certificates that are trusted on each and every device that connects to my VPN/Internet LAN, and everything regarding TLS/HTTPS and certificates should neither be nor cause a problem. Everything uses HTTPS, and NPM handles TLS completion and sends the traffic to the nextcloud_app inside the npm-network.
Container name: nextcloud_app
Network_id: npm-network
Docker: latest
Nginx-Proxy-Manager: latest
Relevant config (config.php via occ config:list system):
"overwriteprotocol": "https",
"overwrite.cli.url": "https://cloud.internal",
"trusted_proxies": "<NPM network subnet>",
"forwarded_for_headers": [
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_FORWARDED_PROTO"
],
"trusted_domains": ["cloud.internal"]
Note: no overwritehost set. Not sure if that’s relevant since this is LAN/VPN only with no public domain involved.
What I’ve checked:
- NPM is correctly passing X-Forwarded-Proto/Host (browser login works fine, so the proxy config itself seems OK for normal auth)
- nextcloud.log doesn’t show obvious errors at the moment the “device connected” message appears
Has anyone seen this specific manual-login-vs-QR-code discrepancy before? Wondering if it’s related to how the login flow v2 polling/redirect works differently for manual vs QR, possibly something with the custom URL scheme (nc://login/...) not being picked up by the Android system browser in this reverse-proxy setup.
Thanks in advance for any pointers!
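One way to test the polling hypothesis raised above, as an added example that is not part of the original post: compare the URLs Nextcloud hands out when a Login Flow v2 session starts with the URL the app was given. It assumes the app uses Login Flow v2 (a `POST` to `/index.php/login/v2` returning `poll.endpoint` and `login`); both sample responses and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def check_flow_urls(base_url, init_response):
    """List mismatches between the server URL the client was given and
    the URLs in a Login Flow v2 init response (empty list = consistent)."""
    data = json.loads(init_response)
    urls = {
        "poll.endpoint": (data.get("poll") or {}).get("endpoint"),
        "login": data.get("login"),
    }
    want = origin(base_url)
    problems = []
    for name, url in urls.items():
        if not url:
            problems.append(f"{name}: missing from response")
            continue
        got = origin(url)
        if got[0] != want[0]:
            problems.append(f"{name}: scheme {got[0]!r}, expected {want[0]!r} "
                            "(overwriteprotocol / X-Forwarded-Proto)")
        if got[1:] != want[1:]:
            problems.append(f"{name}: host {got[1]}:{got[2]}, expected "
                            f"{want[1]}:{want[2]} (overwritehost / Host header)")
    return problems

# Constructed samples. A real response comes from:
#   curl -X POST https://cloud.internal/index.php/login/v2
GOOD = json.dumps({
    "poll": {"token": "CONSTRUCTED-TOKEN",
             "endpoint": "https://cloud.internal/login/v2/poll"},
    "login": "https://cloud.internal/login/v2/flow/CONSTRUCTED-FLOW-ID",
})
# Poll endpoint leaks the backend scheme and container name.
BAD = json.dumps({
    "poll": {"token": "CONSTRUCTED-TOKEN",
             "endpoint": "http://nextcloud_app/login/v2/poll"},
    "login": "https://cloud.internal/login/v2/flow/CONSTRUCTED-FLOW-ID",
})

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_flow_urls("https://cloud.internal", sample) or "consistent")
```

If the real response shows a poll endpoint the phone cannot reach, the browser step can succeed while the app keeps polling without ever seeing the completed login.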