"Wrong number of segments" error

[Gecko-with-a-hat]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Steps to reproduce

1. fresh nextcloud install
2. download app
3. follow authentik guide for nextcloud integration setup (https://docs.goauthentik.io/integrations/services/nextcloud/)
4. try to log in with authentik

Expected behaviour

logging in

Actual behaviour

Raw log entry

{
  "reqId": "***",
  "level": 3,
  "time": "2025-01-24T22:30:09+00:00",
  "remoteAddr": "***",
  "user": "--",
  "app": "index",
  "method": "GET",
  "url": "/apps/user_oidc/code?code=c6a39b77dfb640fa8fb79f893dda88a4&state=AZBHJM2FGIRNUGUXZLGWK6MGNS1BPU2K",
  "message": "Wrong number of segments",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36",
  "version": "30.0.5.1",
  "exception": {
    "Exception": "UnexpectedValueException",
    "Message": "Wrong number of segments",
    "Code": 0,
    "Trace": [
      {
        "file": "/config/www/nextcloud/apps/user_oidc/lib/Controller/LoginController.php",
        "line": 401,
        "function": "decode",
        "class": "OCA\\UserOIDC\\Vendor\\Firebase\\JWT\\JWT",
        "type": "::"
      },
      {
        "file": "/app/www/public/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 208,
        "function": "code",
        "class": "OCA\\UserOIDC\\Controller\\LoginController",
        "type": "->"
      },
      {
        "file": "/app/www/public/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 114,
        "function": "executeController",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/app/www/public/lib/private/AppFramework/App.php",
        "line": 161,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/app/www/public/lib/private/Route/Router.php",
        "line": 302,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/app/www/public/lib/base.php",
        "line": 1003,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/app/www/public/index.php",
        "line": 24,
        "function": "handleRequest",
        "class": "OC",
        "type": "::"
      }
    ],
    "File": "/config/www/nextcloud/apps/user_oidc/lib/Vendor/Firebase/JWT/JWT.php",
    "Line": 109,
    "message": "Wrong number of segments",
    "exception": [],
    "CustomMessage": "Wrong number of segments"
  },
  "id": "6794148f98e6a"
}

The weird part is that I had this exact setup working for months without a single issue. I recently upgraded my server and decided to reinstall NC. I redid my setup following the guide (so basically the exact same it has always been) and now I get this weird error. I even remade the application & provider for it in Authentik. Running the setup behind Traefik now instead of nginx proxy manager, but I don't expect that to be the issue. My Traefik labels are:

      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.mydomain.com`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=443"
      - "traefik.http.services.nextcloud.loadbalancer.server.scheme=https"
      - "traefik.http.routers.nextcloud.middlewares=homenetwork-whitelist@file, rewriteLocationHeaders@file"

the middlewares in my dynamic conf file are as follows:

    rewriteLocationHeaders:
      plugin:
        traefik-plugin-rewrite-headers:
          rewrites:
            - header: Location
              regex: ^http://(.+)$
              replacement: https://$1

    homenetwork-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "172.20.0.0/16"

And I have this middleware on all my routers:

security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:
          server: ""
          x-powered-by: ""

Also if I log out with my Nextcloud account it does also actually log me out of Authentik.

Server configuration

Web server: Nginx

Database: PostgreSQL

PHP version: 8.3.15

Nextcloud version: Nextcloud Hub 9 (30.0.5) (linuxserver.io on latest tag)

List of activated apps

Enabled:
  - activity: 3.0.0
  - app_api: 4.0.5
  - bruteforcesettings: 3.0.0
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contactsinteraction: 1.11.0
  - dashboard: 7.10.0
  - dav: 1.31.1
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0
  - files: 2.2.0
  - files_downloadlimit: 3.0.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - firstrunwizard: 3.0.0
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - nextcloud_announcements: 2.0.0
  - notes: 4.11.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - photos: 3.0.2
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - support: 2.0.0
  - survey_client: 2.0.0
  - systemtags: 1.20.0
  - text: 4.1.0
  - theming: 2.5.0
  - twofactor_backupcodes: 1.19.0
  - updatenotification: 1.20.0
  - user_oidc: 6.2.1
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0
Disabled:
  - admin_audit: 1.20.0
  - encryption: 2.18.0
  - files_external: 1.22.0
  - suspicious_login: 8.0.0
  - twofactor_nextcloud_notification: 4.0.0
  - twofactor_totp: 12.0.0-dev
  - user_ldap: 1.21.0

Nextcloud configuration

{
    "system": {
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.mydomain.com"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "allow_local_remote_servers": true,
        "dbtype": "pgsql",
        "version": "30.0.5.1",
        "overwrite.cli.url": "https:\/\/nextcloud.mydomain.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\APCu",
        "maintenance_window_start": 1,
        "maintenance": false,
        "loglevel": 2,
        "trashbin_retention_obligation": "7, 21",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "NL",
        "enable_previews": true,
        "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
        "preview_ffmpeg_path": "\/usr\/bin\/ffmpeg",
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\Krita",
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\Movie",
            "OC\\Preview\\AVI",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOffice2007",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\PDF",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\StarOffice",
            "OC\\Preview\\SVG",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\Font"
        ],
        "upgrade.disable-web": true,
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": []
    }
}

Browser

Browser name: Chrome

Browser version: 13

Operating system: Windows

Browser log

no clue how to do this

EDIT: added more info and formatting

[Gecko-with-a-hat]

Possibly related to #721

[Gecko-with-a-hat]

At first glance seems to be related to #1024 but the error looks slightly different. Also #1025 did not fix it, so I guess it's not the same either way.

EDIT: typo

[vishal1mittal]

Hey, I am getting the exact same issue. Can any contributor please look into this.

Thanks

[Gecko-with-a-hat]

@vishal1mittal It started working for me. I have no clue what I did to change it, but I installed and uninstalled apps. I disabled encryption on the authentik provider side. Not really sure what else I did, but it started working for me.