nextcloud / server


[Bug]: Tried to log in "username" but could not verify token #33919

Closed AndyXheli closed 1 year ago

AndyXheli commented 2 years ago

Bug description

Not sure what's causing this. The user is on the LDAP backend.

Steps to reproduce

1. Open browser
2. Go to server.domain.com
3. Takes me to dashboard

Expected behavior

Should not see this error in logs

Installation method

Community Manual installation with Archive

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

No response

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.0
  - files_external: 1.17.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - files_videoplayer: 1.14.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - officeonline: 1.1.3
  - password_policy: 1.15.0
  - photos: 1.7.0
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.0-beta.2
  - survey_client: 1.13.0
  - suspicious_login: 4.2.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.0
  - twofactor_backupcodes: 1.14.0
  - twofactor_email: 2.6.0
  - twofactor_totp: 6.4.0
  - updatenotification: 1.15.0
  - user_ldap: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - bruteforcesettings: 2.4.0
  - circles: 23.1.1
  - encryption
  - files_downloadactivity: 1.13.0
  - groupfolders: 12.0.1
  - impersonate: 1.11.0
  - notify_push: 0.4.0
  - socialsharing_email: 2.5.0
  - support: 1.8.0
  - twofactor_admin: 3.2.0

Nextcloud Signing status

No response

Nextcloud Logs

{"reqId":"RSUtKkS7Br5VdD2bT5QY","level":3,"time":"2022-09-06T13:53:34+00:00","remoteAddr":"10.0.10.90","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/search/providers?from=%2Fapps%2Fdashboard%2F","message":"Tried to log in "username" but could not verify token","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","version":"25.0.0.8","data":{"app":"core"},"id":"63175db7214f1"}

Additional info


aigarslv commented 1 year ago

I am facing same issue - LDAP users cannot work in nextcloud (local users work just fine), they are logged out after 3-5 minutes and log is full with entries: Tried to log in [UID] but could not verify token. (I use LDAP) Some users are fine, others cannot work no matter what, they get sent back to login page after ~3 minutes. Issue persists even when user opens nextcloud in a different browser. For me on my Windows 11 PC with Firefox - everything works, on another PC with Windows 7 and Firefox - I get these disconnects. Will try to get to the root of the issue and post more information.

Users before being logged out and redirected to login screen get error message: Problem loading page, reloading in 5 seconds

Nextcloud 25.0.1, LDAP, Apache

markusTraber commented 1 year ago

Same for me: Tried to log in [UID] but could not verify token.

In my case it helps to clear cookies and reload. Otherwise I am stuck in a Login-Loop.

phonon112358 commented 1 year ago

Same issue here: Nextcloud 25.0.1, nginx, php 8.1

Clearing cookies/browser cache and rebooting the server didn't help for me.

EDIT: Also, applying https://github.com/nextcloud/server/pull/35007 doesn't help.... I can't login anymore.

ChristophWurst commented 1 year ago

> EDIT: Also, applying #35007 doesn't help

That PR only changes the log level and not any logic.

AndyXheli commented 1 year ago

Hey @ChristophWurst, quick question for you. Just curious, will there be a logic change in the near future?

ChristophWurst commented 1 year ago

I hope so but I also don't know. As you can read from my earlier comments this error only happens sporadically. We have not been able to trigger it reliably. I was lucky two times where it also happened on my dev environment. However, the issue went away before I could step through the code paths with my debugger. In that way, I was never able to reproduce the infinite login loop, only a temporary loop.

Once we know what the problem is we can try to improve and fix the situation.

aigarslv commented 1 year ago

@ChristophWurst I have attached a logfile of a possible problem. As I stated above - LDAP user can login, work for 5 minutes and then gets auto redirected to login screen. Stating that he is not logged in.

https://www.dropbox.com/s/61x624ddteju02i/logged_out.txt?dl=0

Please note that we use LDAP with OTP. It seems that Nextcloud checks if the user's password is still valid, but because of OTP, gets rejected.

ChristophWurst commented 1 year ago

I have an idea but I'm honestly not sure if it helps eliminate all login loops or has any other side effects. But you can find a patch at https://github.com/nextcloud/server/pull/35419. I was able to test this shortly yesterday. But as mentioned before I'm not able to reliably send myself into the login loop so I can't test a second time until the problem randomly returns.

https://docs.nextcloud.com/server/latest/admin_manual/issues/applying_patch.html for those who live a risky life and want to test the patch in production.

phonon112358 commented 1 year ago

I tested the PR https://github.com/nextcloud/server/pull/35419 and can confirm that it solved the issue on my NC instance.

phonon112358 commented 1 year ago

However, PR https://github.com/nextcloud/server/pull/35419 doesn't resolve the root issue in my opinion ... Why does one suddenly (and randomly) get logged out, but NC doesn't recognize that one got logged out??

https://github.com/nextcloud/server/pull/35419 is a good workaround but I guess not the real solution ....

ChristophWurst commented 1 year ago

I agree that it's not fixing the root of the issue but the symptoms.

Ra72xx commented 1 year ago

Please release a fixed version asap, even if it's only a workaround. It's extremely annoying to get randomly logged out, and the only chance to re-login is to clear the cookies. If you don't know the workaround (and how to do it in your browser), the user experience is like a DoS ...

LokeYourC3PH commented 1 year ago

> Please release a fixed version asap, even if it's only a workaround. It's extremely annoying to get randomly logged out, and the only chance to re-login is to clear the cookies. If you don't know the workaround (and how to do it in your browser), the user experience is like a DoS ...

I personally haven't experienced the issue for a while, I don't know why however, but I'd agree. The issue is that, even when used for a team project or stuff like that (or any larger projects or even commercial projects, you name it), anyone who isn't tech-savvy or even partially intelligent when it comes to Computers, will just stop using it, complain that it isn't "lIkE gOoGlE" and then fuck off while throwing a hissy-fit. Some issues are kind of easier to deal with and can be (partially) ignored, but getting randomly logged out and being unable to login is such a core issue that the entire "feel" and experience of said product is basically entirely ruined. I mean, I have people bitch and complain to me (even though I didn't make it, I am only hosting our instance and am the Web-Admin), that the "Audio Player", despite only needing to be used for the most simple shit, isn't "feature-packed enough", lacking stuff like it actually being bigger so scrobbling along the bar is easier with higher precision, and a simple repeat button. So yeah, for many people this is actually a "quitting factor", and even though it might not be such a big deal to us Web/Network Admins, it will definitely make many users re-evaluate their usage of said product twice in the future.

ChristophWurst commented 1 year ago

@lark @LokeYourLord help us test https://github.com/nextcloud/server/pull/35419 on your production environments. If we have some more certainty that it fixes the symptoms but doesn't cause any other issues then we can ship the workaround.

LokeYourC3PH commented 1 year ago

> @lark @LokeYourLord help us test #35419 on your production environments. If we have some more certainty that it fixes the symptoms but doesn't cause any other issues then we can ship the workaround.

Uhh ok, I mean it would be risky for me kind of, but I'd be willing to test it. However as I've said, I haven't experienced it for quite a while ever since I upgraded to NC25 and fixed my "MySQL" issues I had (2006 error), and a bunch of other problems. IF it does return, I'll try out your patch though :) (because right now it would be kind of pointless as I am not facing said issue at all).

ChristophWurst commented 1 year ago

You can apply the patch nevertheless just to see if it has any other negative impact.

phonon112358 commented 1 year ago

> Please release a fixed version asap, even if it's only a workaround. It's extremely annoying to get randomly logged out, and the only chance to re-login is to clear the cookies. If you don't know the workaround (and how to do it in your browser), the user experience is like a DoS ...

I totally agree!!! Please release it asap... I don't experience any negative side effects.

nonplusnl commented 1 year ago

Having the same issue, login fails after overnight browser reopening. Only happens when app extension Snappymail was active (see issue mentioned above), because Snappymail may be "too fast". Never had this issue before, and never have it when browser closes while other Nextcloud app is open. Still, an app being efficiently fast should not create the need to manually clear cookies before being able to login?

brotkastn commented 1 year ago

> @lark @LokeYourLord help us test #35419 on your production environments. If we have some more certainty that it fixes the symptoms but doesn't cause any other issues then we can ship the workaround.

I just had to apply #35419 because someone who could not log in also did not want to clear his complete browsing history on his iPhone. I could still log in after applying, and it seems to work for those who got stuck in the login loop.

detrout commented 1 year ago

I ran into this bug on Debian 11 using php7.4-fpm 7.4.33 and nextcloud 25.0.2 connecting with Firefox 108.0. I manually applied the patch in #35419 and was able to log in.

LokeYourC3PH commented 1 year ago

> You can apply the patch nevertheless just to see if it has any other negative impact.

Sorry, I've been really busy. But wanted to chime in that I had also applied the patch soon after, and it seems that so far there's been no case of login issues. To me, the bug seems fixed (or at least mitigated).

ChristophWurst commented 1 year ago

Interestingly enough, the login loops happened a lot for me on two instances around November 2022. For the past few weeks the issue has not shown once.

TheCrimsonLady commented 1 year ago

I updated to Nextcloud 25.0.3.2 two days ago and I am facing this issue once again on iOS in Safari. Unfortunately, deleting the website data does not fix the issue for me (Settings --> Safari --> Advanced --> Website Data --> deleted data from my NC domain and restarted safari).

Which logs should I provide?

(Screenshot taken from graylog)

sherpadawan commented 1 year ago

Same error on 25.0.1 ... really annoying, no bruteforce data in database, varnish cache refreshed on my gandi hosting ... I have been facing this issue for one year, quite regularly, but I used to fix it by resetting user password, and cleaning brute force via occ, nowadays it does not work anymore, stuck on the login screen!! Nothing special in occ user:setting ... Nothing weird in logs but the message which gave birth to this bug report. Any clue?

LokeYourC3PH commented 1 year ago

> Same error on 25.0.1 ... really annoying, no bruteforce data in database, varnish cache refreshed on my gandi hosting ... I have been facing this issue for one year, quite regularly, but I used to fix it by resetting user password, and cleaning brute force via occ, nowadays it does not work anymore, stuck on the login screen!! Nothing special in occ user:setting ... Nothing weird in logs but the message which gave birth to this bug report. Any clue?

Install the suggested fix, it works. It's not implemented into any public release yet as far as I'm concerned, so gotta wait until that happens.

TheCrimsonLady commented 1 year ago

Another temporary fix that worked for me at least was to run an occ maintenance:repair

After this, I could log in without any problems

sherpadawan commented 1 year ago

OK the fix works: https://github.com/nextcloud/server/pull/35419/commits/f22101d4213768066d3dcbde81898dd64ce46445#diff-af67c083dc101bd3457884ce98ffe78e12f24150e1962d78bdbbe452173df3b9

wget https://raw.githubusercontent.com/nextcloud/server/f22101d4213768066d3dcbde81898dd64ce46445/core/Controller/LoginController.php && cp LoginController.php core/Controller/

Thanks a lot

lemmy04 commented 1 year ago

I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from php7 to php8. Please release a fixed version ASAP, thanks! Edit: the workaround from the post above this one works for me too.

LokeYourC3PH commented 1 year ago

> I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from php7 to php8. Please release a fixed version ASAP, thanks! Edit: the workaround from the post above this one works for me too.

The fix has been mentioned a quadrillion times here now. Apply that one and see if it works for you :)

lemmy04 commented 1 year ago

> > I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from php7 to php8. Please release a fixed version ASAP, thanks! Edit: the workaround from the post above this one works for me too.
>
> The fix has been mentioned a quadrillion times here now. Apply that one and see if it works for you :)

Did that already, it works, it should be RELEASED is what I'm saying.

LokeYourC3PH commented 1 year ago

> > > I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from php7 to php8. Please release a fixed version ASAP, thanks! Edit: the workaround from the post above this one works for me too.
> >
> > The fix has been mentioned a quadrillion times here now. Apply that one and see if it works for you :)
>
> Did that already, it works, it should be RELEASED is what I'm saying.

Well I mean in that case it ain't a huge problem for us, but I agree, I don't understand why it hasn't made it into the main release somehow yet when it seems to be working fine with no side effects to speak of. Makes you wonder 🤔

ChristophWurst commented 1 year ago

I'm sorry to break your negativity spiral but the fix went into stable25 and is in the QA pipeline for 25.0.4. RC1 has the fix, if you want to upgrade early. Cheers.

lemmy04 commented 1 year ago

That's great, all I wanted to know!

LokeYourC3PH commented 1 year ago

> I'm sorry to break your negativity spiral but the fix went into stable25 and is in the QA pipeline for 25.0.4. RC1 has the fix, if you want to upgrade early. Cheers.

Not a negativity spiral, merely an observation. But good to know that it'll be out in the next one then ^^

nderambure commented 1 year ago

This is really good news, thx for the fix and all the work ;)

smart7324 commented 1 year ago

Hello, I'm using NC 26 and still the same problem in safari only. Does anyone have an idea? Same error in logs: [Tried to log in "username" but could not verify token].

Have to re-login every time, also on mobile (iOS Safari).

It was working fine with NC25...

Yetangitu commented 1 year ago

This problem does not seem to have been solved in v26.0.0.11 - even though https://github.com/nextcloud/server/pull/35419 was merged - seeing how as I'm currently unable to login using Firefox/Android on a device which had a single tab open yesterday. Deleting site data does not change this, nor does running occ maintenance:repair.

I can login using a different browser but not with Firefox, all I get is an empty page showing the site logo and the footer - there is no error message but no login/password request either.

This does not work:

This does work:

The error message in the log is the one which has been shown countless times already: Tried to log in "username" but could not verify token:

{"reqId":"aupvuif3Msicz86FxhbY","level":1,"time":"April 06, 2023 06:06:04","remoteAddr":"192.168.9.2","user":"--","app":"core","method":"GET","url":"/login","message":"Tried to log in frank but could not verify token","userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0","version":"26.0.0.11","data":{"app":"core"}}
{"reqId":"q8JEudtB0oT3gfNqLYye","level":1,"time":"April 06, 2023 06:06:04","remoteAddr":"192.168.9.2","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=27","message":"Tried to log in frank but could not verify token","userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0","version":"26.0.0.11","data":{"app":"core"}}

The really annoying thing is that I do not get a chance to login at all since the login/password request does not show up - only the site logo and the footer on an otherwise empty page.

Move: #37492

ChristophWurst commented 1 year ago

@Yetangitu check if your observations match with https://github.com/nextcloud/server/issues/37492 or file a new ticket please.

Yetangitu commented 1 year ago

Apart from the list of enabled/disabled apps that description seems to match, as does this one.

fuomag9 commented 1 year ago

This has started happening again for me

dafi87 commented 1 year ago

Still happening with NC27 as described here: https://github.com/nextcloud/server/issues/37492

terba commented 11 months ago

I have something like this also in 27.1.3. It started some months ago. I don't leave any tabs open ever, but when I fire up the browser (with only one empty tab) and request https://mynextcloud/apps/news, about twice a day messages start to appear on the upper right corner (I don't remember the text, but something like I'm not logged in) and I have to login again. But if I'm fast enough to close this tab, I can reopen the same url and I'm in. If I let it go, I will be logged out. Then I have to login twice to get to the TOTP dialog. I have the same in the logs when this occurs (see below). Please solve this, as it is very annoying, as I have to find my phone for the TOTP on a daily basis just to read the news.

"method":"GET","url":"/index.php/apps/files/preview-service-worker.js","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/dark.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/default.css?plain=1&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/light.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/light.css?plain=1&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/dark-highcontrast.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/opendyslexic.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/index.php/apps/files/preview-service-worker.js","message":"Tried to log in but could not verify token"

By the way is it ok to require login for css data? Thanks in advance.
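
Added example (not part of the thread and not Nextcloud code): a triage script for the log message discussed in this issue. It groups "could not verify token" entries by uid and remote address and reports clients that hit the error in bursts, accepting both "time" formats and the quoted, bare or empty uid forms seen in the log lines above. The sample lines, the 5-minute window, the threshold of 3 and the helper names are constructed assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as it appears in this thread; the uid may be quoted, bare or empty.
TOKEN_MSG = re.compile(r'^Tried to log in\s*"?(?P<uid>.*?)"?\s*but could not verify token$')
# Both "time" formats seen in the thread's log lines.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%B %d, %Y %H:%M:%S")

def parse_time(raw):
    for fmt in TIME_FORMATS:
        try:
            # Assumption: one log file uses one timezone, so the offset is dropped.
            return datetime.strptime(raw, fmt).replace(tzinfo=None)
        except ValueError:
            pass
    return None

def find_login_loops(lines, window=timedelta(minutes=5), threshold=3):
    """Return clients with >= threshold token failures inside one window."""
    events = defaultdict(list)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or hand-redacted line
        if not isinstance(entry, dict):
            continue
        match = TOKEN_MSG.match(str(entry.get("message", "")))
        when = parse_time(str(entry.get("time", "")))
        if match and when:
            key = (match.group("uid") or "<empty>", entry.get("remoteAddr"))
            events[key].append((when, str(entry.get("url", ""))))
    findings = []
    for (uid, addr), hits in events.items():
        hits.sort(key=lambda h: h[0])
        start = burst = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            urls = sorted({url for _, url in hits})
            findings.append({"uid": uid, "remoteAddr": addr, "burst": burst, "urls": urls})
    return findings

def make_line(time, uid, url, message=None):
    msg = message or f"Tried to log in {uid} but could not verify token"
    return json.dumps({"time": time, "remoteAddr": "192.0.2.10", "url": url, "message": msg})

# Constructed sample input, not taken from any real instance.
SAMPLE_LOG = [
    make_line("2022-09-06T13:53:34+00:00", '"alice"', "/login"),
    make_line("2022-09-06T13:53:35+00:00", '"alice"', "/apps/theming/theme/dark.css"),
    make_line("2022-09-06T13:53:36+00:00", '"alice"', "/login"),
    make_line("2022-09-06T13:55:00+00:00", '"alice"', "/ocs/v2.php/search/providers"),
    make_line("April 06, 2023 06:06:04", "bob", "/login"),
    make_line("2022-09-06T13:56:00+00:00", "", "/login", message="Login failed"),
    '{"time": "2022-09-06T13:57:00+00:00", "message": "Tried to log in "carol" but',
]

if __name__ == "__main__":
    for finding in find_login_loops(SAMPLE_LOG):
        print(finding)
```

The URL list in each finding shows whether the failures come only from `/login` or also from asset requests such as the theming CSS, which helps separate a browser stuck in a login loop from a single expired session.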