Nextcloud not logging me out when OpenID session expires

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face: is for home/non-enterprise users. If you’re running a business, paid support can be accessed via where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 27.1.3
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04.3 LTS
Apache or nginx version (eg, Apache 2.4.25): nginx/1.24.0 and Apache/2.4.52
PHP version (eg, 7.4): 8.1.2-1ubuntu2.14

The issue you are facing: When the SSO Session Max in Keycloak is reached Nextcloud does not log me out. Im using OpenID Connect.

Is this the first time you’ve seen this error? (Y/N): yes

Steps to replicate it:

  1. Log in to Nextcloud using Keycloak SSO.
  2. Wait for the SSO Session Max to get reached.
  3. Watch yourself stay logged in.

The output of your Nextcloud log in Admin > Logging:

there is absolutely nothing in the logs for this.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

The output of your Apache/nginx/system log in /var/log/____:

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

I was testing Keycloak and user_oidc. It was possible to end Nextcloud session when user was actively logging out from KC. There is an option backchannel logout - I`m not sure it is required for this functionality.

Regarding session timeout there are multiple settings related to session length in NC itself - I think you need to adjust them to make the session timeout fast enough after KC session times out…

# review values
docker exec --user www-data dev-nextcloud-app php occ config:system:get auto_logout
docker exec --user www-data dev-nextcloud-app php occ config:system:get session_keepalive
docker exec --user www-data dev-nextcloud-app php occ config:system:get session_lifetime
docker exec --user www-data dev-nextcloud-app php occ config:system:get session_relaxed_expiry
docker exec --user www-data dev-nextcloud-app php occ config:system:get remember_login_cookie_lifetime

At the moment I’m not following they Keycloak path anymore as there is major issue with this product - stopping/restarting KC (which is common scenario in small/home setup) results loosing in all SSO sessions because they expect “production” systems to run as a cluster on distributed hardware and was unable to overcome this limitation. for this reason the product is unusable for me.

So when the Keycloak session expires, the nc session timer basically starts or how does it work?

NC session starts when you enter the system. but it is continuously refreshed by default and for this reason never end as long you keep using the device. I recommend to review the documentation

Ive seem to got it working so far and ive set the session lenght to 5 mins, but now theres a new problem. When i let the tab idle for a few mins and then come back it seems to reload the page and display the error “CSRF Check failed”. In the network tab it shows it accessed a /logout url and then contacted kc again which then responded with a token and then nc tries to contact this url “https://cloud.mydomain.tld/logout?requesttoken=[somelongasscode]” which then results in the error. And btw, thank you for helping so far, i really appreciate it!

I remember the csrf error as well but unfortunately no solution so far. my guess is the logout procedure starts when the session is going to expire and at the time process finishes cookie has expired already, which results in the error. Would be great if you find the motivation to track this down and report a bug.

Its probably caused by auto logout, i have disabled it again and doesnt result in an error anymore, but now im not sure if it will even log me out when it has to. Probably gonna report the bug tho after i gather some more info from the logs etc.

hi hbubli did you find a solution for the CSRF problem?

in a working OIDC setup I set my NC session to short time with the intention the system will re-authenticate the user once Nextcloud session ends. But I’m running into CSRF error after some time. Interesting enough this doesn’t happen once the session should end… I have session_lifetime=300 but issue started after 17 min according to browser log. I have to double check what happens after 15 min maybe something IdP related…

the problem starts with a request to


followed by request to


and ends with


from this point the browser bounces back and forth between cloud and IdP using the same request token and showing “CSRF check failed”. especially https://cloud.mydomain.tld/login?redirect_url=/logout sounds somehow nonsense for me…

What I’ve did was setting the session timeout to about 10 minutes and disabling auto logout. So now as long as I keep the nextcloud tab open the session stays alive and the csrf error doesn’t appear. And when I close the tab and wait the 10 mins, nextcloud will contact keycloak on the next visit and log me in as normal if it’s still valid, and if not it will send me to the login screen.

1 Like

For me the issue is reproducible with different IdPs. After NC session ends the client keeps looping between Nextcloud and IdP. I created a BR