The Basics
Nextcloud Server version (e.g., 29.x.x):
replace me
Operating system and version (e.g., Ubuntu 24.04):
replace me
Web server and version (e.g, Apache 2.4.25):
replace me
Reverse proxy and version (e.g. nginx 1.27.2):
replace me
PHP version (e.g, 8.3):
replace me
Is this the first time you’ve seen this error? (Yes / No):
Yes
When did this problem seem to first start?
After integrating centralized SSO authentication using Keycloak and Apache reverse proxy routing for the scalenowAI platform.
Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
replace me
Are you using Cloudflare, mod_security, or similar? (Yes / No)
No
Summary of the issue you are facing
Hello,
We believe the issue is related to how centralized authentication and URL routing are currently configured between the common SSO entry point and Nextcloud.
Current Flow
-
Users authenticate through the centralized scalenowAI login interface using Keycloak SSO.
-
After successful authentication, navigation into OpenProject works correctly.
-
However, when transitioning into Nextcloud, the URL and authentication handling differs from what the Nextcloud Desktop Client expects.
Observation
When accessing Nextcloud through the browser using the common SSO interface, the session is established successfully because the browser correctly follows the Apache reverse proxy and SSO redirect flow.
However, the Nextcloud Desktop Client appears unable to complete authentication because:
-
it expects a more direct/native Nextcloud login flow,
-
the redirect chain may point to the centralized login page instead of standard Nextcloud authentication endpoints,
-
and the desktop client may not correctly handle the custom SSO and reverse proxy routing configuration.
Potential Cause Areas
-
Reverse proxy URL rewriting
-
OIDC redirect URI mismatch
-
WebDAV endpoint redirection
-
Nextcloud
overwrite.cli.url/overwriteprotocolsettings -
Desktop client not receiving expected OAuth callback
-
Forced centralized authentication intercepting WebDAV authentication
Questions
-
How should the Nextcloud Desktop Client authenticate in a centralized SSO architecture?
-
Should app passwords be used instead of browser SSO sessions?
-
If app passwords are the recommended approach, there does not appear to be a clear provision within the desktop client flow to explicitly enter an app-specific username/password separately from the SSO browser authentication process.
-
Are separate WebDAV endpoints or bypass rules required for desktop/mobile clients?
-
Does Apache need exclusions for:
-
/remote.php/ -
/dav/ -
/ocs/ -
desktop client authentication callbacks?
-
Additional Observation
The desktop application behaves differently from browser-based navigation because it relies heavily on direct DAV/API authentication rather than browser session continuity.
Regards,
Abhi
Steps to replicate it (hint: details matter!)
-
Open centralized scalenowAI login page.
-
Authenticate successfully using Keycloak SSO credentials.
-
Access Nextcloud successfully through the browser.
-
Install and configure the Nextcloud Desktop Client.
-
Enter the Nextcloud URL used behind the reverse proxy/SSO setup.
-
Authentication redirects to centralized SSO login flow.
-
Browser authentication appears successful.
-
Desktop client either:
-
loops during authentication,
-
fails to complete setup,
-
cannot establish sync,
-
or fails DAV/API authentication after login.
-
Log entries
Nextcloud
Please provide the log entries from your Nextcloud log that are generated during the time of problem.
PASTE HERE
Web Browser
Relevant browser Console/Network errors while reproducing the issue:
PASTE HERE
Web server / Reverse Proxy
The output of your Apache/nginx/system log in /var/log/...:
PASTE HERE
Configuration
Nextcloud
The output of occ config:list system or sanitized config.php:
PASTE HERE