Hi, I'm new around here.
I recently set up a Nextcloud v15 behind an Apache reverse proxy. One of the reasons I have a reverse proxy is so that I can force all traffic to https. However, I ran into an issue when I tried to add my Nextcloud account to my Android app. Everything went smoothly and the server even registered a successful login. However, when I clicked "Grant Access" in my app I just got an "access forbidden, invalid request" error message. I tried for a while to get around it and finally tried to allow unsecure http, which indeed fixed the issue. Disabling http after the initial connection didn't lead to any issues either. So there is something in that initial connection that doesn't support https for some reason.
Is this a bug, am I doing something wrong, or am I unreasonable to require all my traffic to go through a secure connection?
GitMate.io thinks possibly related issues are https://github.com/nextcloud/android/issues/2155 (App access.), https://github.com/nextcloud/android/issues/2341 (grant access error), https://github.com/nextcloud/android/issues/748 (API for other apps), https://github.com/nextcloud/android/issues/1086 (Add contacts popover to other apps), and https://github.com/nextcloud/android/issues/1481 (Integration with office apps).
During connection setup we first try to use https, if this fails we use http.
This should work out of the box.
Maybe the app is somehow confused by your reverse proxy.
Can you create us a test account, test if the problem occurs also there and if so send the credentials to tobias at nextcloud dot com with a reference to this issue?
I have mailed credentials and set up the server to direct all traffic to https.
I have a OnePlus 3T if that's relevant.
Replied on email, as it contained sensitive data.
For all: it seems that the redirect after successful login goes to http://server/login/flow instead of https://server/login/flow, and this is forbidden by WebView due to the Mixed Content Policy.
I'll specifically open that url for http then. But isn't this possible to be patched into the app so that it can use both http and https when accessing server/login/flow even though you are connecting through a reverse proxy? Or is this a technical limitation/difficulty somehow?
The idea of the reverse proxy is so that I don't have to deal with ssl nonsense for everything that I wish to expose to the internet. Just having all my services use http saves a lot of headache and configuring.
> I'll specifically open that url for http then.
That is not what I meant. The problem, as far as I understand it, is that http is called upon first server contact, internally this is then mapped to https, but somehow the redirect is again http, maybe as the first connection was also http?
@nextcloud/server-triage maybe you have an idea here?
Ok, but adding the rewrite condition `RewriteCond %{REQUEST_URI} !^\/login\/flow` made it possible to grant access. Or how should I solve this issue ideally? I don't want to hassle with ssl connections within my own network...
Ideally I shouldn't have this but the request is very rarely used so it isn't that big of a deal. For me the workaround is good enough but maybe for robustness this should be hammered out if possible?
Thank you for your excellent help!
Perfect. Thank you!
:+1:
So this is fixed and can be closed?
yes.
Most helpful comment
https://github.com/nextcloud/server/blob/master/config/config.sample.php#L456-L463
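
Added example, not part of the thread or of Nextcloud's code: a small check that walks a recorded redirect chain and flags the https-to-http `Location` downgrade described in the discussion, which is the hop WebView refuses to follow. The host name `cloud.example.test`, the hop data and the function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed hops (not captured from the reporter's server). Each tuple is
# (URL the client requested, response status, response headers).
SAMPLE_CHAIN = [
    ("http://cloud.example.test/", 301, {"Location": "https://cloud.example.test/"}),
    ("https://cloud.example.test/", 302, {"Location": "/login"}),
    # Backend only sees plain http from the proxy, so it builds an http:// URL.
    ("https://cloud.example.test/login", 303,
     {"location": "http://cloud.example.test/login/flow"}),
    ("https://cloud.example.test/login/flow", 200, {}),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def location_of(headers):
    """Return the Location header value; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "location":
            return value.strip()
    return None


def find_scheme_downgrades(chain):
    """List redirects where an https request is sent on to an http URL."""
    findings = []
    for url, status, headers in chain:
        location = location_of(headers)
        if status not in REDIRECT_CODES or not location:
            continue
        # Resolve relative and protocol-relative targets against the request
        # URL, the same way a client does, before comparing schemes.
        target = urljoin(url, location)
        src, dst = urlsplit(url), urlsplit(target)
        if src.scheme == "https" and dst.scheme == "http":
            findings.append({
                "from": url,
                "to": target,
                "same_host": src.hostname == dst.hostname,
            })
    return findings


if __name__ == "__main__":
    for finding in find_scheme_downgrades(SAMPLE_CHAIN):
        print("downgrade:", finding["from"], "->", finding["to"])
```

A `same_host` downgrade like this one points at the backend building absolute URLs from the scheme it sees behind the proxy, rather than at the client.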