Nextcloud behind Authelia (OIDC) Internal Server Error (500)

Nextcloud version (eg, 20.0.5): 26.0.0
Operating system and version (eg, Ubuntu 20.04): Docker on Debian 11
Apache or nginx version (eg, Apache 2.4.25): 1.23.3 (latest nginx)
PHP version (eg, 7.4): 8.1.17

The issue you are facing: I am trying to get the OIDC login working with Authelia.
Once I get redirected back to Nextcloud, I receive a 500 error.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Set up Authelia
  2. Set up Nextcloud with OIDC
  3. Try to log in and get the error

The output of your Nextcloud log in Admin > Logging:

(For some reason the Logging module does not seem to load, but I can post the logs from Docker.)

172.28.0.2 - - [28/Mar/2023:20:01:03 +0200] "GET /login?clear=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:03 +0200] "GET /login?clear=1 HTTP/1.1" 200 6750 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:04 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:04 +0200] "GET /apps/theming/favicon?v=e8ff8c41 HTTP/1.1" 200 6259 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:04 +0200] "GET /apps/theming/manifest?v=e8ff8c41 HTTP/1.1" 200 246 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.185"
172.28.0.2 - - [28/Mar/2023:20:01:05 +0200] "GET /apps/oidc_login/oidc HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:27 +0200] "GET /apps/oidc_login/oidc?code=authelia_ac_lGUV591LeoiUttWAa68vqAKO_UN3gotKwqdFpUmZnRE.k0pDNT0y6fONmhaGSgAKa-srW1f-PMxqMtrHL8edp0Q&scope=openid+profile+email+groups&state=0965e478b9001538d8b9503574847e17 HTTP/1.1" 500 3637 "https://auth.<MY_DOMAIN.com>/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'logfile' => '/dev/stdout',
  'apps_paths' => array (
    0 => array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocnxx58ab391',
  'passwordsalt' => '<SALT>',
  'secret' => '<SECRET>',
  'trusted_domains' => array (
    0 => 'nextcloud.<mydomain.com>',
    1 => 'auth.<mydomain.com>'
  ),
  'trusted_proxies' => array (
    0 => '172.22.0.0/16',
    1 => '172.28.0.0/16',
    2 => '192.168.0.0/16',
    3 => '172.70.0.0/16'
  ),
  'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '26.0.0.11',
  'overwrite.cli.url' => 'https://nextcloud.<mydomain.com>',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '<MYDBPASSWORD>',
  'installed' => true,
  // Some Nextcloud options that might make sense here
    'allow_user_to_change_display_name' => false,
    'lost_password_link' => 'disabled',

    // URL of provider. All other URLs are auto-discovered from .well-known
    'oidc_login_provider_url' => 'https://auth.<mydomain.com>',

    // Client ID and secret registered with the provider
    'oidc_login_client_id' => 'nextcloud.<mydomain.com>',
    'oidc_login_client_secret' => '<MY_OIDC_SECRET>',

    // Automatically redirect the login page to the provider
    'oidc_login_auto_redirect' => false,

    // Redirect to this page after logging out the user
    //'oidc_login_logout_url' => 'https://auth.<mydomain.com>/logout',

    // If set to true the user will be redirected to the
    // logout endpoint of the OIDC provider after logout
    // in Nextcloud. After successful logout the OIDC
    // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
    'oidc_login_end_session_redirect' => false,

    // Quota to assign if no quota is specified in the OIDC response (bytes)
    //
    // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
    // zero or -1 or ''.
    //'oidc_login_default_quota' => '1000000000',

    // Login button text
    'oidc_login_button_text' => 'Log in with Authelia',

    // Hide the NextCloud password change form.
    'oidc_login_hide_password_form' => false,

    // Use ID Token instead of UserInfo
    'oidc_login_use_id_token' => true,

    // Attribute map for OIDC response. Available keys are:
    //   * id:           Unique identifier for username
    //   * name:         Full name
    //                      If set to null, existing display name won't be overwritten
    //   * mail:         Email address
    //                      If set to null, existing email address won't be overwritten
    //   * quota:        Nextcloud storage quota
    //   * home:         Home directory location. A symlink or external storage to this location is used
    //   * ldap_uid:     LDAP uid to search for when running in proxy mode
    //   * groups:       Array or space separated string of NC groups for the user
    //   * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is
    //                      set, it is checked against these values.
    //   * photoURL:     The URL of the user avatar. The nextcloud server will download the picture
    //                      at user login. This may lead to security issues. Use with care.
    //                      This will only be effective if oidc_login_update_avatar is enabled.
    //   * is_admin:     If this value is truthy, the user is added to the admin group (optional)
    //
    // The attributes in the OIDC response are flattened by adding the nested
    // array key as the prefix and an underscore. Thus,
    //
    //     $profile = [
    //         'id' => 1234,
    //         'attributes' => [
    //             'uid' => 'myuid',
    //             'abc' => 'xyz'
    //         ],
    //         'list' => ['one', 'two']
    //     ];
    //
    // would become,
    //
    //     $profile = [
    //         'id' => 1234,
    //         'attributes' => [
    //             'uid' => 'myuid',
    //             'abc' => 'xyz'
    //         ],
    //         'attributes_uid' => 'myuid',
    //         'attributes_abc' => 'xyz',
    //         'list' => ['one', 'two'],
    //         'list_0' => 'one',
    //         'list_1' => 'two',
    //         'list_one' => 'one',
    //         'list_two' => 'two',
    //     ]
    //
    // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
    //
    // note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
    //
    'oidc_login_attributes' => array (
        'id' => 'preferred_username',
        'name' => 'name',
        'mail' => 'email',
        //'quota' => 'ownCloudQuota',
        //'home' => 'homeDirectory',
        //'ldap_uid' => 'uid',
        'groups' => 'groups',
        //'login_filter' => 'realm_access_roles',
        //'photoURL' => 'picture',
        //'is_admin' => 'ownCloudAdmin',
    ),

    // Default group to add users to (optional, defaults to nothing)
    'oidc_login_default_group' => 'oidc',

    // DEPRECATED: This option will be removed in a future release. Use
    // 'login_filter' and 'oidc_login_filter_allowed_values' instead.
    //
    // Allow only users in configured group(s) to access Nextcloud. In case the user
    // is not assigned to this group (read from oidc_login_attributes) the login
    // will not be allowed for this user.
    //
    // Must be specified as an array of groups that are allowed to access Nextcloud.
    // e.g. 'oidc_login_allowed_groups' => array('group1', 'group2')
    //'oidc_login_allowed_groups' => 'oidc',

    // Allow only users in configured value(s) to access Nextcloud. In case the user
    // is not assigned to this value (read from oidc_login_attributes) the login
    // will not be allowed for this user.
    //
    // Must be specified as an array of values (e.g. roles) that are allowed to
    // access Nextcloud. e.g. 'oidc_login_filter_allowed_values' => array('role1', 'role2')
    //'oidc_login_filter_allowed_values' => null,

    // Use external storage instead of a symlink to the home directory
    // Requires the files_external app to be enabled
    'oidc_login_use_external_storage' => false,

    // Set OpenID Connect scope
    'oidc_login_scope' => 'openid profile email groups',

    // Run in LDAP proxy mode
    // In this mode, instead of creating users of its own, OIDC login
    // will get the existing user from an LDAP database and only
    // perform authentication with OIDC. All user data will be derived
    // from the LDAP database instead of the OIDC user response
    //
    // The `id` attribute in `oidc_login_attributes` must return the
    // "Internal Username" (see expert settings in LDAP integration)
    'oidc_login_proxy_ldap' => false,

    // Disable creation of users new to Nextcloud from OIDC login.
    // A user may be known to the IdP but not (yet) known to Nextcloud.
    // This setting controls what to do in this case.
    // - 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
    //     then they will be returned to the login screen and not allowed entry;
    // - 'false': if the user authenticates but is not yet known to Nextcloud,
    //     then the user will be automatically created; note that with this setting,
    //     you will be allowing (or relying on) a third-party (the IdP) to create new users
    'oidc_login_disable_registration' => true,

    // Fallback to direct login if login from OIDC fails
    // Note that no error message will be displayed if enabled
    'oidc_login_redir_fallback' => true,

    // Use an alternative login page
    // This page will be php-included instead of a redirect if specified
    // In the example below, the PHP file `login.php` in `assets`
    // in nextcloud base directory will be included
    // Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI
    // Note: you may want to try setting `oidc_login_logout_url` to your
    // base URL if you face issues regarding re-login after logout
    'oidc_login_alt_login_page' => 'assets/login.php',

    // For development, you may disable TLS verification. Default value is `true`
    // which should be kept in production
    'oidc_login_tls_verify' => true,

    // If you get your groups from the oidc_login_attributes, you might want
    // to create them if they do not already exist. Default is `false`.
    'oidc_create_groups' => false,

    // Enable use of WebDAV via OIDC bearer token.
    'oidc_login_webdav_enabled' => false,

    // Enable authentication with user/password for DAV clients that do not
    // support token authentication (e.g. DAVx⁵)
    'oidc_login_password_authentication' => false,

    // The time in seconds used to cache public keys from provider.
    // The default value is 1 day.
    'oidc_login_public_key_caching_time' => 86400,

    // The minimum time in seconds to wait between requests to the jwks_uri endpoint.
    // Avoids that the provider will be DoSed when someone requests with unknown kids.
    // The default is 10 seconds.
    'oidc_login_min_time_between_jwks_requests' => 10,

    // The time in seconds used to cache the OIDC well-known configuration from the provider.
    // The default value is 1 day.
    'oidc_login_well_known_caching_time' => 86400,

    // If true, nextcloud will download user avatars on login.
    // This may lead to security issues as the server does not control
    // which URLs will be requested. Use with care.
    'oidc_login_update_avatar' => false,

    // If true, the default Nextcloud proxy won't be used to make internal OIDC calls.
    // The default is false.
    //'oidc_login_skip_proxy' => false,

    // Code challenge method for PKCE flow.
    // Possible values are:
    //	- 'S256'
    //	- 'plain'
    // The default value is empty, which won't apply the PKCE flow.
    //'oidc_login_code_challenge_method' => '',
);

The output of your Apache/nginx/system log in /var/log/____:

172.28.0.2 - - [28/Mar/2023:19:58:04 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:04 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:04 +0200] "GET /ocs/v2.php/apps/serverinfo/api/v1//basicdata?format=json HTTP/1.1" 200 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:05 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 279 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:05 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:05 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:05 +0200] "GET /ocs/v2.php/apps/serverinfo/api/v1//basicdata?format=json HTTP/1.1" 200 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:06 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:06 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 279 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:07 +0200] "GET /ocs/v2.php/apps/serverinfo/api/v1//basicdata?format=json HTTP/1.1" 200 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:07 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:07 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:07 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 280 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:08 +0200] "GET /ocs/v2.php/apps/serverinfo/api/v1//basicdata?format=json HTTP/1.1" 200 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:08 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 279 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:08 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 276 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:09 +0200] "GET /ocs/v2.php/apps/serverinfo/api/v1//basicdata?format=json HTTP/1.1" 200 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:09 +0200] "GET /apps/serverinfo/update HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:09 +0200] "GET /settings/admin/logging HTTP/1.1" 200 11494 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Flogging HTTP/1.1" 200 226 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "GET /apps/logreader/settings HTTP/1.1" 200 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Pascal3366 HTTP/1.1" 200 127 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "GET /apps/logreader/get?offset=0&count=50&levels=11111 HTTP/1.1" 500 3638 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.19"
172.28.0.2 - - [28/Mar/2023:19:58:10 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.18"
172.28.0.2 - - [28/Mar/2023:19:58:40 +0200] "GET /settings/user/sync-clients HTTP/1.1" 200 12281 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:40 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:41 +0200] "GET /core/img/googleplay.png HTTP/1.1" 200 17919 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.250.121"
172.28.0.2 - - [28/Mar/2023:19:58:41 +0200] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fuser%2Fsync-clients HTTP/1.1" 200 226 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:42 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:42 +0200] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Pascal3366 HTTP/1.1" 200 127 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:42 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.21"
172.28.0.2 - - [28/Mar/2023:19:58:42 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:53 +0200] "GET /settings/admin/logging HTTP/1.1" 200 11487 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Flogging HTTP/1.1" 200 226 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.21"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "GET /apps/logreader/settings HTTP/1.1" 200 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.21"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Pascal3366 HTTP/1.1" 200 127 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "GET /apps/logreader/get?offset=0&count=50&levels=11111 HTTP/1.1" 500 3637 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.21"
172.28.0.2 - - [28/Mar/2023:19:58:54 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /settings/admin/logging HTTP/1.1" 200 11462 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/default.css?plain=1&v=e8ff8c41 HTTP/1.1" 200 1023 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.164"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/light.css?plain=0&v=e8ff8c41 HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.146"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=e8ff8c41 HTTP/1.1" 200 1108 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.250.246"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=e8ff8c41 HTTP/1.1" 200 1134 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.250.241"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/dark.css?plain=1&v=e8ff8c41 HTTP/1.1" 200 1019 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.25"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/dark.css?plain=0&v=e8ff8c41 HTTP/1.1" 200 1039 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.113"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=e8ff8c41 HTTP/1.1" 200 343 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.250.86"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=e8ff8c41 HTTP/1.1" 200 1111 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.250.86"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/img/background/kamil-porembinski-clouds.jpg HTTP/1.1" 200 190294 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.75"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/light.css?plain=1&v=e8ff8c41 HTTP/1.1" 200 1023 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.182"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /js/core/merged-template-prepend.js?v=5428278e-0 HTTP/1.1" 200 3098 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.250.131"
172.28.0.2 - - [28/Mar/2023:19:59:06 +0200] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=e8ff8c41 HTTP/1.1" 200 1086 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.109"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /apps/logreader/settings HTTP/1.1" 200 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Flogging HTTP/1.1" 200 226 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Pascal3366 HTTP/1.1" 200 127 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.21"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /avatar/Pascal3366/64/dark?v=0 HTTP/1.1" 200 695 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /apps/logreader/get?offset=0&count=50&levels=11111 HTTP/1.1" 500 3637 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.21"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:07 +0200] "GET /apps/theming/favicon/settings?v=e8ff8c41 HTTP/1.1" 200 6259 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.251.22"
172.28.0.2 - - [28/Mar/2023:19:59:38 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.242.140"
172.28.0.2 - Pascal3366 [28/Mar/2023:20:00:03 +0200] "PROPFIND /remote.php/dav/principals/users/Pascal3366/ HTTP/1.1" 401 427 "-" "vdirsyncer/0.18.0" "172.70.242.4"
172.28.0.2 - Pascal3366 [28/Mar/2023:20:00:04 +0200] "PROPFIND /remote.php/dav/principals/users/Pascal3366/ HTTP/1.1" 401 427 "-" "vdirsyncer/0.18.0" "172.70.242.4"
172.28.0.2 - Pascal3366 [28/Mar/2023:20:00:04 +0200] "PROPFIND /.well-known/caldav HTTP/1.1" 301 162 "-" "vdirsyncer/0.18.0" "172.70.242.4"
172.28.0.2 - - [28/Mar/2023:20:00:04 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 569 "-" "vdirsyncer/0.18.0" "172.70.242.4"
172.28.0.2 - Pascal3366 [28/Mar/2023:20:00:05 +0200] "PROPFIND /remote.php/dav/principals/users/Pascal3366/ HTTP/1.1" 401 427 "-" "vdirsyncer/0.18.0" "172.70.250.121"
172.28.0.2 - Pascal3366 [28/Mar/2023:20:00:07 +0200] "PROPFIND /remote.php/dav/principals/users/Pascal3366/ HTTP/1.1" 401 427 "-" "vdirsyncer/0.18.0" "172.70.250.121"
172.28.0.2 - Pascal3366 [28/Mar/2023:20:00:07 +0200] "PROPFIND /.well-known/caldav HTTP/1.1" 301 162 "-" "vdirsyncer/0.18.0" "172.70.250.121"
172.28.0.2 - - [28/Mar/2023:20:00:07 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 569 "-" "vdirsyncer/0.18.0" "172.70.250.121"
172.28.0.2 - - [28/Mar/2023:20:00:08 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.125"
172.28.0.2 - - [28/Mar/2023:20:00:38 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:00:57 +0200] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:00:57 +0200] "GET /apps/dashboard/ HTTP/1.1" 200 11502 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:00:58 +0200] "GET /ocs/v2.php/search/providers?from=%2Fapps%2Fdashboard%2F HTTP/1.1" 200 231 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "GET /apps/recommendations/api/recommendations/always HTTP/1.1" 200 342 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Pascal3366 HTTP/1.1" 200 127 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "GET /ocs/v2.php/apps/weather_status/api/v1/location HTTP/1.1" 200 102 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 154 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:00 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 611 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:01 +0200] "GET /ocs/v2.php/apps/weather_status/api/v1/favorites HTTP/1.1" 200 81 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:01 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 247 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:01 +0200] "PROPFIND /remote.php/dav/principals/users/Pascal3366/ HTTP/1.1" 207 728 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:01 +0200] "PROPFIND /remote.php/dav/calendars/Pascal3366/ HTTP/1.1" 207 1233 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:01 +0200] "REPORT /remote.php/dav/calendars/Pascal3366/personal/ HTTP/1.1" 207 250 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:01 +0200] "REPORT /remote.php/dav/calendars/Pascal3366/personal/ HTTP/1.1" 207 250 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:03 +0200] "GET /logout?requesttoken=00L6Ck7ihgU3S4M2EZoNdjTGr6A3JkWVhggPQLMgMdQ%3D%3AkSC7MybV1TZ9BLEFZcxpQ3aQ9ZNtfy3G4nFhF8BSdpc%3D HTTP/1.1" 303 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:03 +0200] "GET /login?clear=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:03 +0200] "GET /login?clear=1 HTTP/1.1" 200 6750 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:04 +0200] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:04 +0200] "GET /apps/theming/favicon?v=e8ff8c41 HTTP/1.1" 200 6259 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:01:04 +0200] "GET /apps/theming/manifest?v=e8ff8c41 HTTP/1.1" 200 246 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.110.185"
172.28.0.2 - - [28/Mar/2023:20:01:05 +0200] "GET /apps/oidc_login/oidc HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.84"
172.28.0.2 - - [28/Mar/2023:20:01:27 +0200] "GET /apps/oidc_login/oidc?code=authelia_ac_lGUV591LeoiUttWAa68vqAKO_UN3gotKwqdFpUmZnRE.k0pDNT0y6fONmhaGSgAKa-srW1f-PMxqMtrHL8edp0Q&scope=openid+profile+email+groups&state=0965e478b9001538d8b9503574847e17 HTTP/1.1" 500 3637 "https://auth.<mydomain.com>/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "172.70.243.83"
172.28.0.2 - - [28/Mar/2023:20:03:20 +0200] "GET /apps/oidc_login/index.php/csrftoken HTTP/1.1" 404 1696 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "162.158.94.138"

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

{"reqId":"4WqM5dEmrKG8jtTV7Ac3","level":3,"time":"2023-03-28T07:28:02+00:00","remoteAddr":"172.28.0.2","user":"--","app":"index","method":"GET","url":"/apps/oidc_login/oidc?code=authelia_ac_vt2BOdachnJlLx4dU9mlhT-zbQlAsQgv2SqrWkA07F0.mpXZHpDJRMwyGhTcGm5iHysKErvPeCbnBRTOL18zGBI&scope=openid+profile+email+groups&state=fb54614e2fb03335a6429c95709a39d2","message":"array_intersect(): Argument #1 ($array) must be of type array, string given in file '/var/www/html/custom_apps/oidc_login/lib/Service/LoginService.php' line 126","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36","version":"26.0.0.11","exception":{"Exception":"Exception","Message":"array_intersect(): Argument #1 ($array) must be of type array, string given in file '/var/www/html/custom_apps/oidc_login/lib/Service/LoginService.php' line 126","Code":0,"Trace":[{"file":"/var/www/html/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\OIDCLogin\\Controller\\LoginController"],"oidc"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\OIDCLogin\\Controller\\LoginController","oidc",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["oidc_login.login.oidc"]]},{"file":"/var/www/html/lib/base.php","line":1055,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/oidc_login/oidc"]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","Line":169,"Previous":{"Exception":"TypeError","Message":"array_intersect(): Argument #1 ($array) must be of type array, string given","Code":0,"Trace":[{"file":"/var/www/html/custom_apps/oidc_login/lib/Service/LoginService.php","line":126,"function":"array_intersect","args":["oidc",["oidc"]]},{"file":"/var/www/html/custom_apps/oidc_login/lib/Controller/LoginController.php","line":147,"function":"login","class":"OCA\\OIDCLogin\\Service\\LoginService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/custom_apps/oidc_login/lib/Controller/LoginController.php","line":123,"function":"login","class":"OCA\\OIDCLogin\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/custom_apps/oidc_login/lib/Controller/LoginController.php","line":102,"function":"authSuccess","class":"OCA\\OIDCLogin\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"oidc","class":"OCA\\OIDCLogin\\Controller\\LoginController","type":"->","args":[]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\OIDCLogin\\Controller\\LoginController"],"oidc"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\OIDCLogin\\Controller\\LoginController"],"oidc"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\OIDCLogin\\Controller\\LoginController","oidc",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["oidc_login.login.oidc"]]},{"file":"/var/www/html/lib/base.php","line":1055,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/oidc_login/oidc"]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/custom_apps/oidc_login/lib/Service/LoginService.php","Line":126},"CustomMessage":"--"}}

Here is the nginx.conf:

worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # Prevent nginx HTTP Server Detection
    server_tokens   off;

    keepalive_timeout  65;

    #gzip  on;

    upstream php-handler {
        server app:9000;
    }

    server {
        listen 80;

        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;

        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"   always;
        add_header X-Content-Type-Options               "nosniff"       always;
        add_header X-Download-Options                   "noopen"        always;
        add_header X-Frame-Options                      "SAMEORIGIN"    always;
        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
        add_header X-Robots-Tag                         "none"          always;
        add_header X-XSS-Protection                     "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

And here is the relevant config for Authelia:

clients:
      - id: nextcloud.<my_domain.com>
        description: NextCloud
        secret: '$plaintext$<my_secret>'
        public: false
        authorization_policy: two_factor
        redirect_uris:
           - https://nextcloud.<my_domain.com>/apps/oidc_login/oidc
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signing_algorithm: none

hi @Everyday2234 welcome to the forum :handshake:

sorry no good help from me, only some hints.

Are you aware oidc_login is not actively maintained anymore? https://github.com/pulsejet/nextcloud-oidc-login/issues/182 In the meantime, the official user_oidc has become a good alternative.

The HTTP response code 500 makes me think something is wrong with oidc_login. The error from nextcloud.log, "message": "array_intersect(): Argument #1 ($array) must be of type array, string given in file '/var/www/html/custom_apps/oidc_login/lib/Service/LoginService.php' line 126", says more or less the same but doesn’t reveal the reason.

In my setup with user_oidc and Keycloak the request looks similar enough, so it isn’t completely wrong. Review both configs very carefully: maybe the URL is bad, maybe oidc_login doesn’t understand the token. I remember the app was pretty easy to set up with KC…

the line 126 in LoginService.php handles allowed groups… maybe this helps to isolate the problem…

nextcloud-oidc-login/lib/Service/LoginService.php at 049a4cbfe9157deee84cb8c4b678b2b96c9f1c32 · pulsejet/nextcloud-oidc-login · GitHub
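
The TypeError from the log, reproduced and guarded, as an added example that is not part of the thread and not oidc_login's own code: the trace shows `array_intersect("oidc", ["oidc"])`, so one side of the allowed-groups comparison arrived as a bare string instead of a list. The function names, the claim and allow-list shapes, and the "empty allow-list means no restriction" rule are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not oidc_login code. Function names and the shapes of the
// claim and of the allow-list are assumptions made for illustration.

/** Turn a groups value (string, list or missing) into a list of strings. */
function normalizeGroups(mixed $value): array
{
    if ($value === null || $value === '') {
        return [];
    }
    if (is_string($value)) {
        return [$value];            // a bare "oidc" becomes ["oidc"]
    }
    if (!is_array($value)) {
        throw new InvalidArgumentException(
            'groups must be a string or a list, got ' . get_debug_type($value)
        );
    }
    // Keep only non-empty strings; nested or numeric entries are dropped.
    $names = array_filter($value, static fn ($g) => is_string($g) && $g !== '');
    return array_values(array_unique($names));
}

/** Allow the login only if the user is in at least one allowed group. */
function isLoginAllowed(mixed $userGroups, mixed $allowedGroups): bool
{
    $allowed = normalizeGroups($allowedGroups);
    if ($allowed === []) {
        return true;                // assumption: no allow-list, no restriction
    }
    // A missing or empty claim yields [], so the check fails closed.
    return array_intersect(normalizeGroups($userGroups), $allowed) !== [];
}

// The unguarded call from the stack trace: array_intersect("oidc", ["oidc"]).
try {
    array_intersect('oidc', ['oidc']);
} catch (TypeError $e) {
    echo 'unguarded: ', $e->getMessage(), PHP_EOL;
}

// Constructed inputs: [label, user groups, allowed groups].
$cases = [
    ['string vs list (as in the trace)', 'oidc', ['oidc']],
    ['list vs string',                   ['users', 'oidc'], 'oidc'],
    ['claim missing',                    null, ['oidc']],
    ['no overlap',                       ['guests'], ['oidc']],
];
foreach ($cases as [$label, $user, $allowed]) {
    printf("%-34s %s\n", $label, isLoginAllowed($user, $allowed) ? 'allow' : 'deny');
}
```

Normalising both sides before the comparison turns a type mismatch into an ordinary allow or deny decision instead of an HTTP 500 on the callback.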

Hi @wwe

No, I was not aware that oidc_login is not being maintained anymore since I still found recent articles and videos where it was being used.

Thanks, I will check out user_oidc.

the line 126 in LoginService.php handles allowed groups… maybe this helps to isolate the problem…

I could not figure out what this piece of code did even after looking at that specific line. Thx for pointing that out!

Edit: so I just set up the new oidc_login plugin and now I get this error:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."}

Once I remove the redirect_uri parameter from the GET request, I successfully get redirected to Authelia and after logging in I get redirected to nextcloud but the page just says: “Page not found”

This is the page I got redirected to: https://nextcloud.mydomain.tld/apps/oidc_login/oidc?code=authelia_ac_q-VZTvmmpBdjbSsBw7d_vlTuOIpl0lX1dP3KmjrTx5c.E-_OGMNHVGy0Ry6GJEZTMkh6RPrp9DCdrZpaoFKgRCc&scope=openid+profile+email+groups&state=V36BRWSB2ETBPM2CFG4TIPTBK6GQ6W96

I just wondered: What is the correct group mapping for Nextcloud? I cannot find anything online regarding the correct group mappings.

Also I was not able to find the correct redirect_uri. It looks like in an older version of the plugin the redirect uri was shown but the new version does not display any redirect uri.

Hmm, wondering if there is info on the Authelia side. Tried ddg’ing this:

I already searched for this

But I could not find a solution

That’s why I created a thread here on the forums.

So I think that I solved the issue.

The problem was that I had ‘’ and $plaintext$ in my secret on the authelia side.

The new OpenID Connect plugin still does not seem to work; however, the social login plugin works now.

Hi @Everyday2234, I have been getting this error: The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.

Did you encounter this? I followed those exact methods as well.

Cool, try an internet search as keyword

https://help.nextcloud.com/search?context=topic&context_id=158890&q=provider%20well%20known%20configuration&skip_context=true
