Description
Problem
I'm running OpenCloud with Authelia as my OIDC provider. I can log in properly, but after a few hours, when I open the app again, it tells me to sign in to reauthorize.
If I click the "Sign in" button, I get the message: "Authorization expired. Please, authorize again". Then, if I try to reauthorize, instead of redirecting me to Authelia, it shows a popup asking for my username and password, while the URL is still my OpenCloud server's URL.
The workaround is to go back to the first screen, then click on the circle in the top left, log out, then log in again. This works well.
Screenshots
Asking me to sign in again:
When I try to sign in:
What I'm expecting (this works well during the first login):
Logs
From the Android app:
opencloud.2025-11-06_16.18.57.log
From the OpenCloud server's systemd service logs:
Nov 06 16:19:02 opencloud opencloud[420]: {"level":"error","service":"proxy","error":"not found","service":"eu.opencloud.web.idp","time":"2025-11-06T16:19:02+01:00","message":"could not select service from the registry"}
Nov 06 16:19:02 opencloud opencloud[420]: {"level":"error","service":"proxy","remoteAddr":"212.203.51.45","request-id":"06cff93e-d03b-45ab-a1ef-f7b175cfa5dc","proto":"HTTP/1.1","method":"GET","path":"/.well-known/openid-configuration","query":"","fragment":"","error":"unsupported protocol scheme \"\"","time":"2025-11-06T16:19:02+01:00","message":"error happened in MultiHostReverseProxy"}
From Authelia's systemd service logs:
Nov 06 16:11:12 authelia authelia[475]: {"level":"debug","method":"GET","msg":"User Info Request with id 'c470ec1e-9e1e-4752-b567-40ddaf6f2507' is being processed","path":"/api/oidc/userinfo","remote_ip":"10.1.0.1","time":"2025-11-06T16:11:12+01:00"}
Nov 06 16:11:12 authelia authelia[475]: {"level":"error","method":"GET","msg":"User Info Request with id 'c470ec1e-9e1e-4752-b567-40ddaf6f2507' failed with error: Token expired. Access Token expired at '2025-11-06 14:18:16 +0000 UTC'.","path":"/api/oidc/userinfo","remote_ip":"10.1.0.1","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_oauth2_oidc_userinfo.go","Line":40,"Name":"OpenIDConnectUserinfo"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go","Line":58,"Name":"RegisterOpenIDConnectRoutes.NewHTTPToAutheliaHandlerAdaptor.func19"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":66,"Name":"RegisterOpenIDConnectRoutes.(*BridgeBuilder).Build.func2.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":105,"Name":"SecurityHeadersNoStore.func1"},{"File":"github.com/valyala/fasthttp@@v1.67.0/server.go","Line":2465,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.67.0/workerpool.go","Line":225,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.67.0/workerpool.go","Line":197,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1700,"Name":"goexit"}],"time":"2025-11-06T16:11:12+01:00"}
Configuration
OpenCloud env vars:
OC_INSECURE=true
PROXY_TLS=false
OC_OIDC_ISSUER=https://auth.rharish.dev
WEB_OIDC_CLIENT_ID=9j4m5zcr5c51gJB6Qs50bChpQFWj3Htzc4wj3F2SMGVtIw-LhF3k8XpdXsWLP7YN
WEB_OIDC_SCOPE="openid profile email groups"
OC_EXCLUDE_RUN_SERVICES=idp
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml
OpenCloud csp.yaml:
directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://auth.rharish.dev/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
    - '''unsafe-eval'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''
Authelia OIDC client config for OpenCloud clients:
identity_providers:
  oidc:
    clients:
      - client_id: 9j4m5zcr5c51gJB6Qs50bChpQFWj3Htzc4wj3F2SMGVtIw-LhF3k8XpdXsWLP7YN
        client_name: OpenCloud (Web)
        client_secret: ''
        public: true
        redirect_uris:
          - 'https://cloud.rharish.dev/'
          - 'https://cloud.rharish.dev/oidc-callback.html'
          - 'https://cloud.rharish.dev/oidc-silent-redirect.html'
        scopes:
          - openid
          - profile
          - email
          - groups
        pre_configured_consent_duration: '1 month'
      - client_id: OpenCloudAndroid
        client_name: OpenCloud (Android)
        client_secret: ''
        public: true
        redirect_uris:
          - 'oc://android.opencloud.eu'
        scopes:
          - openid
          - profile
          - email
          - groups
          - offline_access
        grant_types:
          - refresh_token
          - authorization_code
        pre_configured_consent_duration: '1 month'
Versions
OpenCloud server: 3.7.0
OpenCloud Android: 1.0.0 from F-Droid
Authelia version: 4.39.12
OS: NixOS unstable
Installation type: NixOS native containers (systemd-nspawn) using NixOS opencloud package
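A triage sketch for the log lines in the report above, added here as an example and not part of the original report or of either project's code. It parses the journald-prefixed JSON records and reports how long after expiry the access token was still presented to Authelia's userinfo endpoint, alongside the proxy's registry miss and discovery error. The sample lines are abbreviated from the report, and the function names are illustrative.

```python
import json
import re
from datetime import datetime

# Constructed sample: three lines abbreviated from the logs in the report
# (stack trace and unrelated fields dropped).
SAMPLE = r'''
Nov 06 16:19:02 opencloud opencloud[420]: {"level":"error","service":"proxy","error":"not found","service":"eu.opencloud.web.idp","time":"2025-11-06T16:19:02+01:00","message":"could not select service from the registry"}
Nov 06 16:19:02 opencloud opencloud[420]: {"level":"error","service":"proxy","method":"GET","path":"/.well-known/openid-configuration","error":"unsupported protocol scheme \"\"","time":"2025-11-06T16:19:02+01:00","message":"error happened in MultiHostReverseProxy"}
Nov 06 16:11:12 authelia authelia[475]: {"level":"error","method":"GET","msg":"User Info Request with id 'c470ec1e-9e1e-4752-b567-40ddaf6f2507' failed with error: Token expired. Access Token expired at '2025-11-06 14:18:16 +0000 UTC'.","path":"/api/oidc/userinfo","time":"2025-11-06T16:11:12+01:00"}
'''.strip().splitlines()

JOURNAL = re.compile(r"^\w{3} \d{2} [\d:]{8} (?P<host>\S+) (?P<unit>[^\[\s]+)\[\d+\]: (?P<json>\{.*\})$")
EXPIRED = re.compile(r"id '(?P<id>[0-9a-f-]+)' failed with error: Token expired\. "
                     r"Access Token expired at '(?P<exp>[^']+) UTC'")

def parse(lines):
    """Yield (unit, record) for each journal line carrying a JSON payload."""
    for line in lines:
        m = JOURNAL.match(line)
        if not m:
            continue
        try:
            # OpenCloud logs the "service" key twice; json.loads keeps the last value.
            yield m["unit"], json.loads(m["json"])
        except json.JSONDecodeError:
            continue

def triage(lines):
    """Summarise the three symptoms visible in the report's logs."""
    out = {"stale_userinfo": [], "registry_misses": [], "discovery_errors": []}
    for unit, rec in parse(lines):
        if unit == "authelia" and (m := EXPIRED.search(rec.get("msg", ""))):
            expiry = datetime.strptime(m["exp"], "%Y-%m-%d %H:%M:%S %z")
            seen = datetime.fromisoformat(rec["time"])
            # Seconds between token expiry and the request that still used it.
            out["stale_userinfo"].append((m["id"], int((seen - expiry).total_seconds())))
        elif unit == "opencloud" and rec.get("message") == "could not select service from the registry":
            out["registry_misses"].append(rec.get("service"))
        elif unit == "opencloud" and rec.get("path") == "/.well-known/openid-configuration":
            out["discovery_errors"].append(rec.get("error"))
    return out

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the sample, the userinfo request arrives 3176 seconds after the access token's expiry, with both timestamps normalised from their different UTC offsets.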