Nextcloud 32 + OnlyOffice -- "Download with invalid jwt" / "Track with invalid jwt in body"

Hello,

I have been struggling for days with a persistent JWT issue between Nextcloud 32.0.5
and OnlyOffice Document Server (Docker) and would appreciate
guidance from someone familiar with the internal JWT validation logic.


Environment

Nextcloud

  • Version: 32.0.5
  • OS: Debian (DietPi on an Odroid HC4)
  • Webserver: NGINX
  • PHP: 8.4 (php8.4-fpm)
  • OnlyOffice App: 9.12.0

OnlyOffice

  • Document Server running in Docker
  • Docker IP: 172.17.0.2
  • Host public IP: ExternalIP
  • OS: Debian 11

Problem

When opening or editing documents, I get the following errors in
Nextcloud:

1) Health check

[onlyoffice] getConvertedUri on check error

2) Callback

[onlyoffice] Track with invalid jwt in body
POST /index.php/apps/onlyoffice/track

3) Download

[onlyoffice] Download with invalid jwt
GET /index.php/apps/onlyoffice/download?doc=...

JWT Configuration

OnlyOffice local.json

"token": {
  "enable": {
    "request": {
      "inbox": true,
      "outbox": true
    },
    "browser": true
  },
  "inbox": {
    "header": "Authorization",
    "inBody": false
  },
  "outbox": {
    "header": "Authorization",
    "inBody": false
  }
}

The secret is correctly set in local.json and matches the one
configured in Nextcloud.

Nextcloud OCC settings

occ config:app:get onlyoffice jwt_secret
occ config:app:get onlyoffice jwt_header
occ config:app:get onlyoffice jwt_header_key

Result:

  • jwt_secret → correct and matches OO
  • jwt_header → Authorization
  • jwt_header_key → Bearer

NGINX (Nextcloud)

Authorization header is passed to PHP-FPM:

fastcgi_param HTTP_AUTHORIZATION $http_authorization;

Special locations for OnlyOffice endpoints:

location = /index.php/apps/onlyoffice/track {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root/index.php;
    fastcgi_param HTTP_AUTHORIZATION $http_authorization;

    fastcgi_buffering off;
    fastcgi_request_buffering off;

    fastcgi_pass unix:/run/php/php8.4-fpm.sock;
}

Body buffering disabled for callback route.


What has been verified

  • System time synchronized (CET vs UTC difference understood)
  • JWT secret identical on both sides
  • inBody set to false on OnlyOffice
  • Header mode set to Authorization/Bearer
  • No reverse proxy between systems
  • Direct curl from OO container to NC works (HTTP 200/403 as expected
    depending on endpoint)

Example from OO container:

docker exec onlyoffice_server curl -i https://cloud.trialogevent.de/index.php/apps/onlyoffice/empty

Returns 403 (expected without valid token).


Question

At this point, it looks like:

  • Either Nextcloud signs JWT differently than OnlyOffice expects
  • Or OnlyOffice validates a different payload format than NC 32 sends
  • Or something changed in NC32 JWT handling compared to NC30 (which
    worked)

Has anyone successfully run Nextcloud 32 + OnlyOffice (latest) with
header-based JWT (Authorization: Bearer) and inBody=false?

Is there any known change in JWT validation logic in recent Document
Server versions?

Any insight into what specifically causes Download with invalid jwt
would be greatly appreciated.

Thank you.

No one has any idea?
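
Added example (not part of the original post, and not Nextcloud or OnlyOffice code): a stand-alone check that takes a captured Authorization header value and the shared secret and reports which step of header-based JWT validation fails first. It assumes HS256 signing; the function names, the secret and the sample tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a constructed test token (stand-in for what either side sends)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    unsigned = f"{head}.{body}"
    return unsigned + "." + b64url_encode(hs256(unsigned, secret))

def diagnose(header_value, secret, prefix="Bearer ", now=None, leeway=0):
    """Return 'ok' or the first reason a header-based JWT would be rejected."""
    if not header_value:
        return "header missing"          # e.g. never reached PHP-FPM
    if not header_value.startswith(prefix):
        return "prefix mismatch"         # compare with jwt_header_key
    parts = header_value[len(prefix):].strip().split(".")
    if len(parts) != 3:
        return "malformed token"
    try:
        head = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                   # bad base64, bad UTF-8 or bad JSON
        return "malformed token"
    if not isinstance(head, dict) or not isinstance(claims, dict):
        return "malformed token"
    if head.get("alg") != "HS256":       # assumption: both sides use HS256
        return "unexpected alg"
    if not hmac.compare_digest(sig, hs256(f"{parts[0]}.{parts[1]}", secret)):
        return "signature mismatch"      # secrets differ, incl. stray whitespace
    now = time.time() if now is None else now
    if "exp" in claims and now > claims["exp"] + leeway:
        return "expired"                 # clock skew or slow callback
    return "ok"

if __name__ == "__main__":
    secret = "constructed-secret"        # constructed sample value
    token = sign_hs256({"exp": int(time.time()) + 300}, secret)
    for value, key in [("Bearer " + token, secret), ("Bearer " + token, secret + "\n"),
                       (token, secret), ("", secret)]:
        print(diagnose(value, key))
```

Feeding it the header value logged on the receiving side separates a secret mismatch from a missing header, a wrong prefix or an expired token, which the "invalid jwt" log lines do not distinguish.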