NC 22.2.3 as OAuth2 Provider: Auth fails in client due to empty oauth.state in redirectUri

Hi there,

I’m trying to set up Nextcloud and DokuWiki so that NC is the OAuth2 Identity Provider for DokuWiki. DokuWiki offers plug-ins for this (this one supplemented by this one).

I have successfully created a client in NC Admin > Security and set up the DokuWiki plug-ins accordingly (client secret, client id, mapping of the user field names, etc). The log-in flow works like a charm and my user can grant access to DokuWiki. An entry for DokuWiki is created under “Settings” > “Security” > “Devices & sessions” successfully.

However, after granting access, Nextcloud is supposed to redirect the user’s browser to a DokuWiki URL to facilitate authentication.
Unfortunately this fails; DokuWiki complains that “OAuth: State not found in session, are you sure you stored it?”.

This does not seem to be a DokuWiki/plug-in problem, because NC indeed does not send a value for state at all. This is the URL that NC redirects after granting access:
https://<mycorrectdomain.tld>/wiki/index.php?state=&code=zL0Oq…[very long code]…wfrHvnDc
and as you can see, the ?state=-parameter is empty.

  • When I peek into the file responsible for constructing this redirection URI (/cloud/core/Controller/ClientFlowLoginController.php around line 357) and try to debug-output the value of $this->session->get('oauth.state') it is empty as well.
  • When I retry from scratch, the “grant access” dialogue is starting over and a new session is added to the list in the user’s profile.
  • I checked out the issue tracker on GitHub, and while #28261 was close and interesting, it doesn’t seem to be exactly the cause.

I have Nextcloud 22.2.3 running on uberspace with Redis, APCu and PHP 7.4 (session.save_handler is set to files, not redis). NC is running under the /cloud/ subfolder, DokuWiki under /wiki/, without problems so far. Nothing of interest in nextcloud.log.

I’d be grateful for any hints on where to start digging.
If you need any more information, let me know.
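
The client-side state check that fails in this thread, as an added example that is not part of the original post and is not code from Nextcloud, DokuWiki or the plug-ins: it reports separately whether the callback carried an empty `state` or the client's own session lost the stored value. The session dict, the key `client_oauth_state`, the function names and the `.example` URLs are assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

SESSION_KEY = "client_oauth_state"  # hypothetical key in the client's session


def begin_authorization(session, authorize_url, client_id, redirect_uri):
    """Client, step 1: mint a random state, store it, send it to the provider."""
    state = secrets.token_urlsafe(32)
    session[SESSION_KEY] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{authorize_url}?{query}"


def check_callback(session, callback_url):
    """Client, step 2: classify the redirect coming back from the provider.

    Returns (ok, reason, code) so a log line can tell the failure modes apart.
    """
    # keep_blank_values=True makes "?state=&code=..." visible as an empty
    # state instead of dropping the parameter.
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    returned = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    expected = session.pop(SESSION_KEY, None)  # a state value is single use

    if returned is None:
        return (False, "state parameter absent from callback", None)
    if returned == "":
        return (False, "provider returned empty state", None)
    if expected is None:
        return (False, "no state stored in client session", None)
    if not hmac.compare_digest(returned.encode(), expected.encode()):
        return (False, "state mismatch", None)
    if not code:
        return (False, "authorization code missing", None)
    return (True, "ok", code)


def demo():
    """Constructed URLs: one correct callback, one shaped like the redirect above."""
    session = {}
    url = begin_authorization(session, "https://cloud.example/authorize",
                              "dokuwiki", "https://wiki.example/index.php")
    state = parse_qs(urlsplit(url).query)["state"][0]
    base = "https://wiki.example/index.php"
    good = check_callback(dict(session), f"{base}?state={state}&code=CONSTRUCTED")
    empty = check_callback(dict(session), f"{base}?state=&code=CONSTRUCTED")
    return good, empty
```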


Just for reference: There’s a new dokuwiki-plugin-oauthnextcloud available. Login via Nextcloud works, but the plugin is still in early development :+1:

I have the same problem with missing state.
But only if OAuth is called out of an iframe - I embed my site as a Nextcloud external site.
So if I start OAuth from there - no state is given after granting access to my site.
If I call my site directly and start the OAuth process, everything is fine.

I’m using PHP 7.4

tried with

and also