Desktop Client 403 Forbidden - Web and mobile are working

Steps to reproduce

  1. Start desktop client
  2. Add new account
  3. Insert selfhosted address
  4. Click on open browser to login

Expected behaviour

Login with the provided desktop client link and connect desktop client with my selfhosted instance

Actual behaviour

When I open the link provided by the desktop client I get 403 - Forbidden error

Server configuration

Operating system:

ownCloud infinity scale version:

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
From the official docker image ( owncloud/ocis)

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…

Client configuration


Operating system:

Server configuration

As mentioned above I use the official docker image. In addition I also use Nginx Proxy Manager as a reverse proxy. Here are my env variables for the docker image:

  • OCIS_INSECURE = false
  • OCIS_URL = https://“mydomain”.com
  • OCIS_LOG_FILE = /etc/ocis/ocis.log
  • PROXY_TLS = false

The issue as mentioned above is, that I can’t login from the link provided by the desktop client. It doesn’t work with the linux client nor the windows client. The strange thing is, that this is working perfectly with the mobile app. And I also can access my instance over the web.

Do I miss a setting or an env variable? And is this a server issue or more a issue of the desktop client, because mobile app and web are working perfectly?

I hope you guys can help me


i’m not sure but maybe it could help others if you are also providing the desktop client versions which are showing these problems?

1 Like

@tom42 you are right.

I’m using the latest ( desktop clients for windows and linux.

1 Like

How do you generate the link in the 5.0.0 desktop client? File? Folder? Space?

Hi @michaelstingl,

I’m not generating a link, I try to login and connect my account to the desktop client. On the client, I click on “add account”, type in my selfhosted server address and after that there is a button “open browser”. And if I click the button or copy the link to login, I get a 403 - Forbidden on that link address.

Desktop clients query /.well-known/webfinger. There they learn about the IdP.

curl -s "" | jq
  "subject": "",
  "links": [
      "rel": "",
      "href": ""

On the IdP, desktop clients respect the information from /.well-known/openid-configuration.

curl -s "" | jq
  "issuer": "",
  "authorization_endpoint": "",
  "token_endpoint": "",
  "userinfo_endpoint": "",
  "end_session_endpoint": "",
  "check_session_iframe": "",
  "jwks_uri": "",
  "scopes_supported": […

Here you can find more information:

@michaelstingl thank you for your answer but could you pleas elaborate more on that?
Do I need to add a openid config? And if yes where do I store it and what do I need to configure in it?

I have a very similar problem. I’m using the binary setup with systemd and the internal idp service because it is a small system. Everything used to work well with direct access to the IP address. But this problem happens after I switch to the domain name. The existing clients work if I do not log out, but authorizing new clients gives me 403 forbidden message.

Here is my .well-known/openid-configuration :

  "issuer": "https://<mydomain>",
  "authorization_endpoint": "https://<mydomain>/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://<mydomain>/konnect/v1/token",
  "userinfo_endpoint": "https://<mydomain>/konnect/v1/userinfo",
  "end_session_endpoint": "https://<mydomain>/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://<mydomain>/konnect/v1/session/check-session.html",
  "jwks_uri": "https://<mydomain>/konnect/v1/jwks.json",
  "scopes_supported": [
  "response_types_supported": [
    "id_token token",
    "code id_token",
    "code id_token token"
  "subject_types_supported": [
  "id_token_signing_alg_values_supported": [
  "userinfo_signing_alg_values_supported": [
  "request_object_signing_alg_values_supported": [
  "token_endpoint_auth_methods_supported": [
  "token_endpoint_auth_signing_alg_values_supported": [
  "claims_parameter_supported": true,
  "claims_supported": [
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false

With ocis.env:






I’m also not sure if an external openid provider is needed…

Same error, everything was working well but now I’ve been logged out and can’t log in again with the desktop client.
It was working before by changing the beginning of the authentication link with the local address, but now it’s broken.
How can I fix it ?

(Running on Unraid also)

Had to add proxy_set_header Host $host; in nginx manager. Working now.

1 Like

Hi @raphaelben55,
that’s nice to hear. Where do you exactly put proxy_set_header Host $host; into the nginx proxy manager?
In Advanced -> Custom Nginx Configuration or somewhere else?

Yes, that’s exactly that.

1 Like

It worked, thank you!

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.