Desktop: Access forbidden State token does not match

Created on 1 Jun 2019  ·  22 Comments  ·  Source: nextcloud/desktop

server version: 16.0.1
client version: 2.5.2
When I use the client to log in, it shows "Access forbidden State token does not match".

All 22 comments

Same problem here. It appeared after installing NC on local domain and trying to transfer it to public domain.
config.php's overwrite.url and trusted domains edited. Web login via public domain works, but the link for mobile app and WebDav in users' settings didn't change.

I have the same problem as well.

The web app works just fine, but the Windows and Android apps have problems. Interestingly enough, when I logon using the old method on the Android app, it works fine.

I have this problem too.

Nextcloud is running on a back-end server using Nginx. HTTPS requests are forwarded from the client to the back-end server using proxy_pass. I have copied all my Letsencrypt certs over to the back-end server with paths to them in my server block and the web login works fine.

But with the Nextcloud Desktop Client installed on Windows 10, when I try to log in I get a message saying the certificate does not match, to which I apply connect anyway. This then takes me to the login screen, and upon entering my username and password I get “Access denied State token does not match”. Web app works fine.

Same here, deployed nextcloud on docker following the guides, reversed proxy by nginx with SSL certs and setup a public domain.

I noticed that I get the forbidden message when I use the public domain address but not when I use the machine IP.

EDIT:
It was a configuration problem, I did not forward client info to nextcloud on the reverse proxy configuration, more information here: https://help.nextcloud.com/t/error-connecting-desktop-app-to-self-deployed-nextcloud-state-token-does-not-match/60422/2

Hi Guys,
Same here trying to use the Talk app (Android).
The regular nextcloud app is just doing fine, but trying to access via Talk (and the same credentials) I run into the message above.
Any suggestions what to do (or how to collect additional information)?
Add.: Picking the User information automatically given by talk does work.
Obviously there is an issue with "grant access" while trying to log in manually.

Same issue here !:(

Hi, I have the same problem!
Is there a solution?

Same problem here. I have a workaround, though.

Use the facility to copy the link to your clipboard. Login to something that has a cellphone as an endpoint (I used Telegram). Send the link to yourself (in the case of Telegram, you can send the link to a system bot). Open the link on your phone, and login.

This seems to be fairly convincing evidence that the problem is not on the server at all, but in the desktop web browser. WHY it is the problem is another matter.

> Same here, deployed nextcloud on docker following the guides, reversed proxy by nginx with SSL certs and setup a public domain.
>
> I noticed that I get the forbidden message when I use the public domain address but not when I use the machine IP.
>
> EDIT:
> It was a configuration problem, I did not forward client info to nextcloud on the reverse proxy configuration, more information here: https://help.nextcloud.com/t/error-connecting-desktop-app-to-self-deployed-nextcloud-state-token-does-not-match/60422/2

Thanks! This solved it for me! Putting these headers at the

        location / {
                proxy_pass http://<upstream>;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

What exactly must I put? And in which file? Thanks

@sferia82 In your nginx config file. In my case I used a nginx-proxy docker container. The file is /config/nginx/site-confs/default

Then in there, where you declare your forward location, you put the headers. For example, yours could currently look like this:

        location / {
                proxy_pass http://nextcloud.example.com;
        }

Then copy/paste these exact headers exactly like this and put it under the proxy_pass statement exactly like this:

        location / {
                proxy_pass http://nextcloud.example.com;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

Hope this helps.
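
The header fix described above can be checked mechanically. The following is an added example, not part of the original thread or of the Nextcloud project: a Python check that lists, for every `location` block using `proxy_pass`, which of the four headers from the thread it does not set. The function names and both sample configs are constructed for illustration.

```python
import re

# Headers that the working nginx config in this thread forwards to the backend.
REQUIRED = ("Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto")

def location_blocks(conf):
    """Yield (path, body) per location block; braces are counted so nesting works."""
    # Simplification: '#' inside quoted strings is treated as a comment start.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    for m in re.finditer(r"\blocation\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        # An unclosed block (depth still > 0) runs to the end of the text.
        yield m.group(1), text[m.end():(i - 1 if depth == 0 else i)]

def audit(conf):
    """Map each proxying location to the required headers it does not set.

    Only directives inside the location block are inspected; headers
    inherited from the server or http level are not considered.
    """
    findings = {}
    for path, body in location_blocks(conf):
        if not re.search(r"\bproxy_pass\s", body):
            continue
        present = {h.lower() for h in re.findall(r"\bproxy_set_header\s+(\S+)\s", body)}
        missing = [h for h in REQUIRED if h.lower() not in present]
        if missing:
            findings[path] = missing
    return findings

# Constructed samples based on the two snippets quoted in the thread.
BEFORE = """
location / {
    proxy_pass http://nextcloud.example.com;
}
"""
AFTER = """
location / {
    proxy_pass http://nextcloud.example.com;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
"""
```

An empty result from `audit()` means every proxying location sets all four headers itself.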

How about Apache 2.4 (httpd.conf) then?

Looks more like a server setup issue, nothing we can really do on our end. Sorry.

I am still facing the issue. How do we fix it in httpd.conf?

Only need to add this line in the configuration file config.php

'overwriteprotocol' => 'https'

It's still not working for me either. I have edited my Nginx conf and have made sure that 'overwriteprotocol' => 'https'. Any other suggestions?

It works! Just follow the instructions from @xnardo
Thanks

> It's still not working for me either. I have edited my Nginx conf and have made sure that 'overwriteprotocol' => 'https'. Any other suggestions?

Maybe you need to add this in the correct position; I added this in the last line, before ";"

Thank you for all the suggestions. We are having this issue with our ADFS configuration using SAML. The web app works, but all mobile apps (Nextcloud and Nextcloud Talk) and desktop are not working. We get the same error: access forbidden, state token does not match. Currently in Nextcloud 19.0.1; funny enough, it seems that it was working in Nextcloud 18. Have tried the 'overwriteprotocol' => 'https' and it's not working either. Will keep troubleshooting and let you know if I find something.

We had previously set up SAML2 authentication against Microsoft's AAD. I've tried different setups with NGINX as a proxy but in the end not one of the proposed solutions helped. Desktop and Web Logins both work without issues.

As a workaround: me and a coworker were still able to log in with a manually generated app-token. (via https://your.nextcloud-instance.tld/settings/user/security)

> We had previously set up SAML2 authentication against Microsoft's AAD. I've tried different setups with NGINX as a proxy but in the end not one of the proposed solutions helped. Desktop and Web Logins both work without issues.
>
> As a workaround: me and a coworker were still able to log in with a manually generated app-token. (via https://your.nextcloud-instance.tld/settings/user/security)

We're facing exactly the same problem with SAML2 against Microsoft's AAD since we upgraded Nextcloud to version 19.

The thing is, I don't think that the authentication failed, I've tried this once and just clicked the 'back' button on the android app until the point where I was expecting the login-flow to start and ended up just being logged in.
