Fixed it by disabling the forwarding from http to https in my nginx ingress. The client should be able to work with just https.

Hi,

I have the same issue with latest NextCloud server and client 2.5.1 on Debian.
The server is on an public IP and I'm using Apache.

There is any solution for this? Is keeps saying that I have to grand access and the next page is showing me the login page saying that I was logged out.

I have the same problem :(

I have the same issue with my docker deployment of nextcloud 15.0.5.3.

I think the solution of @michaelstingl could point to a generic solution, because from what I observed in the context of logging out an user in the webinterface I face another, probably related issue there:

The logout url from the top right navigation in the webinterface is a http url like

http://my-nextcloud.example.net/index.php/logout?requesttoken=YV/19DV9c8NYzEuu1ICayeDwFrGlLNa238GNdifUKww%3D%3AJwqQw3cSNYdv9H7%2B5/jgv5epXsb8QoP/rfLdD2WSGTo%3D

and not a https url, even all the other links in the navigation are https links and ssl is forced on this deployment by the webserver config. When clicking on the logout link, the http url forwards to a https url, which appends to the end of URL [1] another duplicate of the ?requesttoken=.... To comparison of the url above, here the complete url after the http to https forward with the duplicated ?requesttoken=... part of the url:

http://my-nextcloud.example.net/index.php/logout?requesttoken=peQjb%2BJuKXSimS%2BCW7qzspCwYsaFUoADRq1d2aRU5eQ%3D%3Ax4VBLLAkeQDz827jNOqGhsGADo7WJ%2Bo6J%2BwIno8e0qY%3D?requesttoken=peQjb%2BJuKXSimS%2BCW7qzspCwYsaFUoADRq1d2aRU5eQ%3D%3Ax4VBLLAkeQDz827jNOqGhsGADo7WJ%2Bo6J%2BwIno8e0qY%3D

This results in this error being displayed by the webinterface:

Access forbidden CSRF check failed

Furthermore the session is not being logged out and navigating back to the nextcloud instance url in the browser displays the logged in state of the site.

tl;dr

:question: @idlefella and @AdrianBan can you check if this behavior with trying to log out on the web interface shows the same error to you? If yes, I'd think these two issues are related.

It looks like the client sends a HTTP POST request to /login/flow using HTTP instead of HTTPS, even when the Nextcloud server URL is HTTPS.

Not sure what to think of this. This is a serious vulnerability, easy to MITM.

It could be also related to an incorrect form from NextCloud, I'm seeing it in debug logs when using apptoken auth:

[unknown    Mixed Content: The page at 'https://example.com/index.php/login/flow' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://example.com/index.php/login/flow/apptoken'. This endpoint should be made available over a secure connection.

Edit: https://github.com/nextcloud/desktop/issues/1038#issuecomment-460804408 fixed my issue

Having had a bit closer look, it seems that Nextcloud actually replies to a login flow POST request with a 303 See other that redirects to a HTTP URL.

The cause of redirect for me was because overwrite.cli.url in config/config.php was set to a non-HTTPS URL for some reason -- not sure why. Changing this variable fixed the issue for me.

In any case it seems a bit weird that overwrite.cli.url (which should be related only to CLI commands) is used somewhere in the login flow causing the 303 See other to redirect to an URL composed from overwrite.cli.url.

@rschaerer I had the same issue. The logout url was a http url and not https. But as @Kdecherf wrote, setting 'overwriteprotocol' => 'https' in config.php solved the problem.

It looks like the client sends a HTTP POST request to /login/flow using HTTP instead of HTTPS, even when the Nextcloud server URL is HTTPS.
Not sure what to think of this. This is a serious vulnerability, easy to MITM.

So it is. Had the same problem with 2.5.3 and tracked it with wireshark today. I also worked around it with allowing http requests access to the server behind the proxy. While this works it's really not a solution since the form data is send unencrypted to the backend.

This request did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!

Did you try our recent 2.6 client release too?

https://nextcloud.com/install/#install-clients

Sounds like a proxy issue and I'd recommend to upgrade to a more recent server version as soon as possible.

2.6.1stable (build 20191105) (dockerized app )

issue still persist

woraround:
add/edit in config.php
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'http://contoso.com', ==>> 'overwrite.cli.url' => 'https://contoso.com',

thanks @KlimDos only can add 'overwriteprotocol' => 'https', and woks on firefox for windows systems and firefox for OSX systems.

Thanks pal

I'm also still having this issue. I just setup SAML 2.0 with Nextcloud and I am able to login to the server without issue through the browser normally.

If I attempt to login to the Desktop Client for sync of folders, I am stuck at "Grant Access". I am able to login through the browser that opens, but when I click the second stup (Grant Access) it just spins forever and the NextCloud client keeps saying "pooling for auth".

I am using a NGINX HTTPS proxy in front of NextCloud and NextCloud is running via HTTP, because the NGINX is handling the SSL.

I am using Version 2.6.2stable-Win64 (build 20191224)

Built from Git revision 1d7455 on Dec 24 2019, 13:21:28 using Qt 5.12.5, OpenSSL 1.1.1d 10 Sep 2019

I also get this issue, which forces me to use HTTP for my SAML 2.0 SSO:
The response was received at http://cloud..com/apps/user_saml/saml/acs instead of https://cloud..com/apps/user_saml/saml/acs

Is there a solution for this issue? I'm using the android app and also using a docker/proxy version of nextcloud. Thanks!