OIDC Login Problem

“The received state does not match the expected value.”

Hello team,
I have configured OIDC with a Gluu server, and when the user is validated in the IdP it gives me the following error:

I have this config in nextcloud:

Not much to say without more information. Please review/share logs from both systems.

From my experience it could help to disable/re-enable the user_oidc app to pick up changes if you configure it using the trial-and-error method.

Hi, wwe
Logs Nextcloud:

{"reqId":"GjKW8dL0O2TwbRa7ZIQ6","level":0,"time":"2024-05-20T15:10:42+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/login/27?redirectUrl=","message":"Obtaining discovery endpoint: https://test.test.es/.well-known/openid-configuration","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"bqhZW6iQJdO3tCSYPpSo","level":0,"time":"2024-05-20T15:10:42+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/login/27?redirectUrl=","message":"Obtaining discovery endpoint: https://test.test.es/.well-known/openid-configuration","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"GjKW8dL0O2TwbRa7ZIQ6","level":0,"time":"2024-05-20T15:10:43+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/login/27?redirectUrl=","message":"Redirecting user to: https://test.test.es/jans-auth/restv1/authorize?client_id=3a12a057-b2cf-43dd-93a5-e9f0c7086b53&response_type=code&scope=openid+email+profile&redirect_uri=https%3A%2F%2Fnextcloud.test.com%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%7D&state=9RQCI27HVCTX03XYHX2LG18FN2VR22YK&nonce=WGERO3TZWVZ3ZR9XLVXRRHR99V8GW7JT","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"bqhZW6iQJdO3tCSYPpSo","level":0,"time":"2024-05-20T15:10:43+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/login/27?redirectUrl=","message":"Redirecting user to: https://test.test.es/jans-auth/restv1/authorize?client_id=3a12a057-b2cf-43dd-93a5-e9f0c7086b53&response_type=code&scope=openid+email+profile&redirect_uri=https%3A%2F%2Fnextcloud.test.com%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%7D&state=T3C6HDUE3E24KT7TXQSZJMQG1W4SS1Q8&nonce=EZMH0YKEJRWT9H3UFLWHS9RAUMHR9GSG","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"hTWUniwgXZFFR17GGi21","level":0,"time":"2024-05-20T15:10:52+02:00","remoteAddr":"172.16.3.33","user":"--","app":"user_oidc","method":"PROPFIND","url":"/remote.php/dav/files/quer0016%40test.com/Enpass/vault.enpassdbsync","message":"Could not find unique token validation","userAgent":"Mozilla/5.0 Enpass","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"LJIPRK3ERU78pEi2iYUv","level":0,"time":"2024-05-20T15:10:53+02:00","remoteAddr":"172.16.3.32","user":"--","app":"no app in context","method":"GET","url":"/apps/user_oidc/code?code=d304f4c9-fb93-4a24-a70b-e05d14501f03&scope=openid+profile+email&state=9RQCI27HVCTX03XYHX2LG18FN2VR22YK&session_state=0006287ebad0103c1678626d16693af327abaebf642546c986689dc9dfa2ad5b.ea8f6dca-38b0-405a-bcf3-35863267e69d","message":"OC_App::registerLogIn() is deprecated, please register your alternative login option using the registerAlternativeLogin() on the RegistrationContext in your Application class implementing the OCP\\Authentication\\IAlternativeLogin interface","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":[]}
{"reqId":"LJIPRK3ERU78pEi2iYUv","level":0,"time":"2024-05-20T15:10:53+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_saml","method":"GET","url":"/apps/user_oidc/code?code=d304f4c9-fb93-4a24-a70b-e05d14501f03&scope=openid+profile+email&state=9RQCI27HVCTX03XYHX2LG18FN2VR22YK&session_state=0006287ebad0103c1678626d16693af327abaebf642546c986689dc9dfa2ad5b.ea8f6dca-38b0-405a-bcf3-35863267e69d","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_saml"}}
{"reqId":"LJIPRK3ERU78pEi2iYUv","level":0,"time":"2024-05-20T15:10:53+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?code=d304f4c9-fb93-4a24-a70b-e05d14501f03&scope=openid+profile+email&state=9RQCI27HVCTX03XYHX2LG18FN2VR22YK&session_state=0006287ebad0103c1678626d16693af327abaebf642546c986689dc9dfa2ad5b.ea8f6dca-38b0-405a-bcf3-35863267e69d","message":"No Bearer token","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"LJIPRK3ERU78pEi2iYUv","level":0,"time":"2024-05-20T15:10:53+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?code=d304f4c9-fb93-4a24-a70b-e05d14501f03&scope=openid+profile+email&state=9RQCI27HVCTX03XYHX2LG18FN2VR22YK&session_state=0006287ebad0103c1678626d16693af327abaebf642546c986689dc9dfa2ad5b.ea8f6dca-38b0-405a-bcf3-35863267e69d","message":"Code login with core: d304f4c9-fb93-4a24-a70b-e05d14501f03 and state: 9RQCI27HVCTX03XYHX2LG18FN2VR22YK","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"LJIPRK3ERU78pEi2iYUv","level":0,"time":"2024-05-20T15:10:53+02:00","remoteAddr":"172.16.3.32","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?code=d304f4c9-fb93-4a24-a70b-e05d14501f03&scope=openid+profile+email&state=9RQCI27HVCTX03XYHX2LG18FN2VR22YK&session_state=0006287ebad0103c1678626d16693af327abaebf642546c986689dc9dfa2ad5b.ea8f6dca-38b0-405a-bcf3-35863267e69d","message":"state does not match","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"user_oidc"}}
{"reqId":"mEWftPYf04nTSXim67G6","level":0,"time":"2024-05-20T15:10:57+02:00","remoteAddr":"172.16.3.33","user":"quer0016@test.com","app":"user_oidc","method":"PROPFIND","url":"/remote.php/dav/files/quer0016@test.com/","message":"Could not find unique token validation","userAgent":"Mozilla/5.0 (Linux) mirall/3.13.0 (build 22492) (Nextcloud, neon-6.5.0-35-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"25.0.1.1","data":{"app":"user_oidc"}}

Config in IDP:

Please provide

  • the logs of the IdP
  • and the browser as well
  • with all the remaining data of your installation (required support template).
  • Please explain what “Grants” mean in context of the specific IdP

Is there any working example you are following?

Hi WWE:
logs IDP:

2024-05-21 08:35:53,294 TRACE [qtp1260134048-23] 7bf12abb-5b20-4709-a340-def4b2fde672 [io.jans.service.BaseCacheService] (BaseCacheService.java:85) - Put data, key 'profile': 'Scope{dn='inum=43F1,ou=scopes,o=jans', inum='43F1', displayName='view_profile', id='profile', iconUrl='null', description='View your basic profile info.', scopeType=openid, claims=[inum=2B29,ou=attributes,o=jans, inum=0C85,ou=attributes,o=jans, inum=B4B0,ou=attributes,o=jans, inum=A0E8,ou=attributes,o=jans, inum=5EC6,ou=attributes,o=jans, inum=B52A,ou=attributes,o=jans, inum=64A0,ou=attributes,o=jans, inum=EC3A,ou=attributes,o=jans, inum=3B47,ou=attributes,o=jans, inum=3692,ou=attributes,o=jans, inum=98FC,ou=attributes,o=jans, inum=A901,ou=attributes,o=jans, inum=36D9,ou=attributes,o=jans, inum=BE64,ou=attributes,o=jans, inum=6493,ou=attributes,o=jans, inum=4CF1,ou=attributes,o=jans, inum=29DA,ou=attributes,o=jans], defaultScope=false, groupClaims=null, dynamicScopeScripts=[], umaAuthorizationPolicies=null, creatorId=null, creatorType=null, creationDate=Tue May 21 08:35:45 UTC 2024, creatorAttributes=null, deletable=null, expirationDate=null, attributes=ScopeAttributes{spontaneousClientScopes=[], showInConfigurationEndpoint=true}}'
2024-05-21 08:35:53,294 DEBUG [qtp1260134048-23] 7bf12abb-5b20-4709-a340-def4b2fde672 [jans.as.server.model.authorize.ScopeChecker] (ScopeChecker.java:91) - Granted scopes: [openid, profile, email]
2024-05-21 08:35:53,294 TRACE [qtp1260134048-23] 7bf12abb-5b20-4709-a340-def4b2fde672 [io.jans.service.BaseCacheService] (BaseCacheService.java:85) - Put data, key '508637d3-2101-4e4c-8589-2e588dd8cbd1': 'MemcachedGrant{authorizationCode=508637d3-2101-4e4c-8589-2e588dd8cbd1, user=BaseEntry [dn=inum=f9d7a531-d2a1-4d18-9634-34e1f5a80df9,ou=people,o=jans], client=DeletableEntity{expirationDate=null, deletable=false} BaseEntry [dn=inum=3a12a057-b2cf-43dd-93a5-e9f0c7086b53,ou=clients,o=jans], authenticationTime=Tue May 21 08:35:51 UTC 2024}'
2024-05-21 08:35:53,306 TRACE [qtp1260134048-23] 7bf12abb-5b20-4709-a340-def4b2fde672 [io.jans.service.BaseCacheService] (BaseCacheService.java:85) - Put data, key 'jansId=2cc26a20-7391-4dd9-adc0-b4a36bc2d1e9,ou=sessions,o=jans': 'SessionId {dn='jansId=2cc26a20-7391-4dd9-adc0-b4a36bc2d1e9,ou=sessions,o=jans', id='2cc26a20-7391-4dd9-adc0-b4a36bc2d1e9', outsideSid='65be0dce-7ef5-4865-9986-9cf74e8fa481', lastUsedAt=Tue May 21 08:35:53 UTC 2024, userDn='inum=f9d7a531-d2a1-4d18-9634-34e1f5a80df9,ou=people,o=jans', authenticationTime=Tue May 21 08:35:51 UTC 2024, state=authenticated, expirationDate=Wed May 22 08:35:45 UTC 2024, sessionState='5bdfc1af57e408e3279896218462143046bac1774857a3152a25fac4c6834b09.f7b9acae-7938-4fee-9c81-ca8691daee8c', permissionGranted=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={3a12a057-b2cf-43dd-93a5-e9f0c7086b53=true}}, sessionAttributes={acr=simple_password_auth, opbs=afa6b9a2-df02-4634-b08d-ae181af46c21, nonce=TE3JDXNLV2C3TTWESEZ2LUP0LO1PAJFK, scope=openid email profile, state=1LDZ1HT303I4SSF6VUHZJIHUW8XF9CNT, claims={"id_token":{"email":null,"name":null,"quota":null,"groups":null},"userinfo":{"email":null,"name":null,"quota":null,"groups":null}}, client_id=3a12a057-b2cf-43dd-93a5-e9f0c7086b53, remote_ip=85.62.184.58, redirect_uri=https://nextcloud.test.com/apps/user_oidc/code, response_type=code, auth_user=quer0016, old_session_id=27a66da2-d056-4bf4-8120-279e46c3871b, session_id=2cc26a20-7391-4dd9-adc0-b4a36bc2d1e9, sid=65be0dce-7ef5-4865-9986-9cf74e8fa481, 3a12a057-b2cf-43dd-93a5-e9f0c7086b53_authz_scopes=openid profile email, successful_rp_redirect_count=1}, persisted=true, deviceSecrets=[]}'
2024-05-21 08:35:53,307 TRACE [qtp1260134048-23] 7bf12abb-5b20-4709-a340-def4b2fde672 [io.jans.server.filters.AbstractCorsFilter] (AbstractCorsFilter.java:805) - after doFilter: request method GET to URI /jans-auth/restv1/authorize, corsType NOT_CORS, attributes [cors.isCorsRequest = false,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.service.AuthenticationService|null|0 = Bean: ForwardingBean null for Managed Bean [class io.jans.as.server.service.AuthenticationService] with qualifiers [@Any @Default]; Instance: io.jans.as.server.service.AuthenticationService@5ac5ffe3; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@53933728,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.security.Identity|null|0 = Bean: ForwardingBean identity for Managed Bean [class io.jans.as.server.security.Identity] with qualifiers [@Default @Any @Named]; Instance: io.jans.as.server.security.Identity@4b90a7d1; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@1968c737,RESTEASY_CHOSEN_ACCEPT = text/plain,org.jboss.weld.module.web.servlet.ConversationContextActivator.contextActivatedInRequest = true,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl|null|1 = Bean: ForwardingBean null for Managed Bean [class io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl] with qualifiers [@Any @Default]; Instance: io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl@6ca7191e; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@264759d5,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.auth.Authenticator|null|0 = Bean: ForwardingBean authenticator for Managed Bean [class 
io.jans.as.server.auth.Authenticator] with qualifiers [@Default @Any @Named]; Instance: io.jans.as.server.auth.Authenticator@68a7dce3; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@37a9ffbf,org.jboss.weld.context.ignore.guard.marker = java.lang.Object@55f490df,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.service.SessionIdService|null|0 = Bean: ForwardingBean sessionIdService for Managed Bean [class io.jans.as.server.service.SessionIdService] with qualifiers [@Default @Any @Named]; Instance: io.jans.as.server.service.SessionIdService@63127fbd; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@7f871bfb,org.jboss.resteasy.core.ResourceMethodInvoker = org.jboss.resteasy.core.ResourceMethodInvoker@6c2a2a88,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.service.CookieService|null|0 = Bean: ForwardingBean null for Managed Bean [class io.jans.as.server.service.CookieService] with qualifiers [@Any @Default]; Instance: io.jans.as.server.service.CookieService@2991802c; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@51bdc6a6], headers [Cookie = X-Correlation-Id=77c02997-260d-48f7-a314-5663e5c91743; X-Correlation-Id=86a6453d-ef02-4eef-82d1-e6a74276ab82; rp_origin_id=https://nextcloud.test.com/apps/user_oidc/code; org.gluu.i18n.Locale=es; session_state=5bdfc1af57e408e3279896218462143046bac1774857a3152a25fac4c6834b09.f7b9acae-7938-4fee-9c81-ca8691daee8c; opbs=afa6b9a2-df02-4634-b08d-ae181af46c21; current_sessions=%5B%222cc26a20-7391-4dd9-adc0-b4a36bc2d1e9%22%5D; session_id=2cc26a20-7391-4dd9-adc0-b4a36bc2d1e9,Accept = text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,User-Agent = Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36,Referer 
= https://test.test.org/jans-auth/authorize.htm?scope=openid+email+profile&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%7D&response_type=code&state=1LDZ1HT303I4SSF6VUHZJIHUW8XF9CNT&redirect_uri=https%3A%2F%2Fnextcloud.test.com%2Fapps%2Fuser_oidc%2Fcode&nonce=TE3JDXNLV2C3TTWESEZ2LUP0LO1PAJFK&client_id=3a12a057-b2cf-43dd-93a5-e9f0c7086b53&sid=65be0dce-7ef5-4865-9986-9cf74e8fa481,X-Forwarded-Proto = https,X-Forwarded-Host = test.test.org,Connection = keep-alive,Sec-Fetch-Site = same-origin,Sec-Fetch-Dest = document,Host = test.test.org,Accept-Encoding = gzip, deflate, br, zstd,Sec-Fetch-Mode = navigate,sec-ch-ua = "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24",sec-ch-ua-mobile = ?0,Cache-Control = max-age=0,Upgrade-Insecure-Requests = 1,sec-ch-ua-platform = "Linux",X-Forwarded-For = 85.62.184.58,Sec-Fetch-User = ?1,Accept-Language = es-ES,es;q=0.9,X-Forwarded-Server = test.test.org]

2024-05-21 08:33:26,215 ERROR [qtp1260134048-19] c8304e28-eb91-41d6-b91f-917da00f023b [jans.as.server.model.common.AuthorizationGrant] (AuthorizationGrant.java:426) - Failed to persist entry: 'tknCde=b389542590cbef418f30a465e8ffb6bd0bdf5ef8f826a681064564d4bc3e928d,ou=tokens,o=jans'
io.jans.orm.exception.EntryPersistenceException: Failed to persist entry: 'tknCde=b389542590cbef418f30a465e8ffb6bd0bdf5ef8f826a681064564d4bc3e928d,ou=tokens,o=jans'
        at io.jans.orm.sql.impl.SqlEntryManager.persist(SqlEntryManager.java:220) ~[jans-orm-sql-1.1.1.jar:?]
        at io.jans.orm.impl.BaseEntryManager.persist(BaseEntryManager.java:115) ~[jans-orm-core-1.1.1.jar:?]
        at jdk.internal.reflect.GeneratedMethodAccessor263.invoke(Unknown Source) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
        at org.jboss.weld.bean.proxy.AbstractBeanInstance.invoke(AbstractBeanInstance.java:38) ~[weld-core-impl-4.0.3.Final.jar:4.0.3.Final]
        at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:106) ~[weld-core-impl-4.0.3.Final.jar:4.0.3.Final]
        at io.jans.orm.PersistenceEntryManager$EntityManager$629524672$Proxy$_$$_WeldClientProxy.persist(Unknown Source) ~[jans-orm-core-1.1.1.jar:?]
        at io.jans.as.server.service.GrantService.persist(GrantService.java:107) ~[classes/:?]
        at io.jans.as.server.model.common.AuthorizationGrant.persist(AuthorizationGrant.java:432) ~[classes/:?]
        at io.jans.as.server.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:413) ~[classes/:?]
        at io.jans.as.server.token.ws.rs.TokenRestWebServiceImpl.processAuthorizationCode(TokenRestWebServiceImpl.java:448) ~[classes/:?]
        at io.jans.as.server.token.ws.rs.TokenRestWebServiceImpl.requestAccessToken(TokenRestWebServiceImpl.java:214) ~[classes/:?]
        at io.jans.as.server.token.ws.rs.TokenRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAccessToken(Unknown Source) ~[classes/:?]
        at jdk.internal.reflect.GeneratedMethodAccessor354.invoke(Unknown Source) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:408) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:69) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:60) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
        at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587) ~[jetty-jakarta-servlet-api-5.0.2.jar:?]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764) ~[?:?]
        at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665) ~[?:?]
        at io.jans.as.server.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:92) ~[classes/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210) ~[jetty-servlet-11.0.15.jar:11.0.15]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
        at io.jans.as.server.auth.AuthenticationFilter.processPostAuth(AuthenticationFilter.java:522) ~[classes/:?]
        at io.jans.as.server.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:219) ~[classes/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
        at io.jans.server.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:357) ~[jans-core-server-1.1.1.jar:?]
        at io.jans.server.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:123) ~[jans-core-server-1.1.1.jar:?]

The browser Chrome

Nextcloud version (eg, 26.0.1): 25.0.1
Operating system and version (eg, Ubuntu 22.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): apache 2.4.41
PHP version (eg, 8.1): 8.1.18
Database (sqlite or MariaDB or Postgres) mysql
Docker (compose)
Snap
Is this the first time you’ve seen this error? yes

The issue you are facing:

  • Steps to replicate it:
  1. Install OpenID plugin
  2. Config
  3. Test
  • The output of your Nextcloud log in Admin > Logging:
:0,"time":"2024-05-21T10:57:30+02:00","remoteAddr":"172.16.3.33","user":"quer0016@test.com","app":"user_oidc","method":"PROPFIND","url":"/remote.php/dav/files/quer0016@test.com/","message":"Could not find unique token validation","userAgent":"Mozilla/5.0 (Linux) mirall/3.13.0 (build 22492) (Nextcloud, neon-6.5.0-35-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"25.0.1.1","data":{"app":"user_oidc"}}
  • The output of your config.php file in /path/to/nextcloud
    (use https://.../settings/admin/support which auto-removes identifying information!):
<?php
$CONFIG = array (
  'instanceid' => 'ocvml8ggth7s',
  'passwordsalt' => 'gYCiIBIsrfryyVu3VYayqHGiM8VaTp',
  'secret' => 'oo50lFdIg0AFtso1vSddoIS+JQ1pRc//jLYJt797sR+GN4/9',
  'trusted_domains' => 
  array (
    0 => 'nextcloud.test.com',
  ),
  'datadirectory' => '/opt/data',
  'dbtype' => 'mysql',
  'version' => '25.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.test.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/var/run/mysqld/mysqld.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'test',
  'dbpassword' => 'passpass',
  'installed' => true,
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => false,
  'blacklisted_files' => 
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'dbdriveroptions' => 
  array (
    1002 => 'SET wait_timeout = 28800',
  ),
  'cron_log' => true,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'log_type' => 'owncloud',
  'logfile' => '/opt/data/nextcloud.log',
  'loglevel' => 0,
  'logtimezone' => 'Europe/Berlin',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'overwriteprotocol' => 'https',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
    'dbindex' => 0,
  ),
  'onlyoffice' => 
  array (
    'verify_peer_off' => true,
    'jwt_secret' => 'kalixt0',
    'jwt_header' => 'Authorization',
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'skeletondirectory' => '',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'mysql.utf8mb4' => true,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '25',
  'trusted_proxies' => 
  array (
    0 => 'IP',

  ),
  'forwarded_for_headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  'app_install_overwrite' => 
  array (
    0 => 'files_accesscontrol',
    1 => 'onlyoffice',
    2 => 'socialsharing_email',
    3 => 'gluusso',
  ),
  'default_phone_region' => 'NN',
  'updater.secret' => '$sfsfsfse354gag2543rghhj535tsrg2225gdfsg443hfds',
  'mail_smtphost' => 'mtarelay.qsemail.net',
  'mail_from_address' => 'no_reply',
  'mail_domain' => 'test.com',
  'mail_smtpauthtype' => 'LOGIN',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
);

Grant defines how a client interacts with the token endpoint to get the tokens. Janssen Server supports grant types defined by OAuth 2.0, OAuth 2.1, and extension grants defined by other RFCs. A complete list of supported grant types can be found in the response of the Janssen Server’s well-known configuration endpoint given below.

I would focus on this problem first - sounds like IdP is unable to save token data to persistent storage…

If it’s any use, I got this error (which is how I found this page) and then later it simply started working.
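
An added example, not part of any post in this thread and not Nextcloud or user_oidc code: a small Python triage script for the "state does not match" entries in the Nextcloud log posted above. It assumes the app keeps a single expected `state` per browser session and uses `remoteAddr` as a stand-in for the session (the log carries no session id); the function names, verdict labels and sample lines are constructed for this example.

```python
import json
from urllib.parse import urlsplit, parse_qs

REDIRECT_PREFIX = "Redirecting user to: "
CALLBACK_PATH = "/apps/user_oidc/code"

# Constructed sample: entries trimmed to the fields used here, modelled on the
# user_oidc debug lines in the thread (host and state values are placeholders).
SAMPLE_LOG = """\
{"reqId":"req-A","remoteAddr":"172.16.3.32","url":"/apps/user_oidc/login/27?redirectUrl=","message":"Redirecting user to: https://idp.example/authorize?client_id=c1&state=STATE_ONE&nonce=N1"}
{"reqId":"req-B","remoteAddr":"172.16.3.32","url":"/apps/user_oidc/login/27?redirectUrl=","message":"Redirecting user to: https://idp.example/authorize?client_id=c1&state=STATE_TWO&nonce=N2"}
{"reqId":"req-C","remoteAddr":"172.16.3.32","url":"/apps/user_oidc/code?code=abc&state=STATE_ONE","message":"No Bearer token"}
{"reqId":"req-C","remoteAddr":"172.16.3.32","url":"/apps/user_oidc/code?code=abc&state=STATE_ONE","message":"state does not match"}
"""


def state_of(url):
    """Return the `state` query parameter of a URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("state")
    return values[0] if values else None


def diagnose(log_text):
    """Classify every rejected callback found in a Nextcloud JSON log.

    Verdicts (labels are this example's own):
      superseded            - the returned state was issued, but a newer one was
                              issued to the same client before the callback;
                              consistent with a duplicated login request
                              overwriting the stored value.
      latest_state_rejected - the newest issued state came back and was still
                              refused; look at session handling (cookie not
                              sent back, session store, another node).
      unknown_state         - the returned state was never issued in this log.
    """
    issued = {}    # remoteAddr -> states, in the order they were issued
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue   # truncated or non-JSON line, as happens in pasted logs
        if not isinstance(entry, dict):
            continue
        message = entry.get("message")
        if not isinstance(message, str):
            continue
        addr = entry.get("remoteAddr")
        url = entry.get("url", "")
        if message.startswith(REDIRECT_PREFIX):
            state = state_of(message[len(REDIRECT_PREFIX):])
            if state:
                issued.setdefault(addr, []).append(state)
        elif (message == "state does not match"
              and urlsplit(url).path.endswith(CALLBACK_PATH)):
            returned = state_of(url)
            history = issued.get(addr, [])
            if returned not in history:
                verdict = "unknown_state"
            elif history[-1] != returned:
                verdict = "superseded"
            else:
                verdict = "latest_state_rejected"
            findings.append({
                "reqId": entry.get("reqId"),
                "returned": returned,
                "issued": list(history),
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Fed the Nextcloud log lines posted earlier in the thread, the two login requests logged with different `state` values followed by a callback carrying the first one fall under the `superseded` verdict.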