[Bug]: Internal Server Error after Login with Authentik with sociallogin app #59898

@erenirmak

Bug description

I have set up an Authentik login flow to Nextcloud using the Social Login App - Custom OIDC.

On the Nextcloud login page, I logged in using Authentik, but after the callback from Authentik to Nextcloud, I saw "Internal Server Error".

Then I refreshed the page and landed on the main Nextcloud page successfully.

  • Login flow works perfectly with Authentik/Social Login.
  • After the login flow, Nextcloud fails.

I checked the logs and saw this error:

{"reqId":"eh8Ah9kYv0OYnw4tTkR1","level":3,"time":"2026-04-24T11:56:47+00:00","remoteAddr":"100.64.94.125","user":"e_irmak","app":"PHP","method":"GET","url":"/apps/sociallogin/custom_oidc/authentik?code=9b761aff18c34c9f9798e4137201ba9c&state=HA-64TN7YVGR81ASO9XE5K2CMWLI0UF3JHDQPZB","scriptName":"/index.php","message":"TypeError: OC\Security\Crypto::encrypt(): Argument #1 ($plaintext) must be of type string, false given, called in /var/www/html/lib/private/Session/CryptoSessionData.php on line 204 at /var/www/html/lib/private/Security/Crypto.php#63","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0","version":"33.0.2.2","data":{"app":"PHP"}}

I have applied this patch, offered by ChatGPT:

sudo python3 <<'PY'
from pathlib import Path

p = Path("/home/cloud/Desktop/Stack/nextcloud/nextcloud_data/lib/private/Session/CryptoSessionData.php")
s = p.read_text()

old = """\t\t\t$encryptedValue = $this->crypto->encrypt(json_encode($this->sessionValues), $this->passphrase);
"""

new = """\t\t\t$jsonSessionValues = json_encode($this->sessionValues);
\t\t\tif ($jsonSessionValues === false) {
\t\t\t\t$jsonSessionValues = '{}';
\t\t\t}
\t\t\t$encryptedValue = $this->crypto->encrypt($jsonSessionValues, $this->passphrase);
"""

if old not in s:
    raise SystemExit("Expected line not found. Check tabs/spaces around encrypt(json_encode(...)).")

p.write_text(s.replace(old, new))
print("Patched CryptoSessionData.php")
PY

After the login flow, I didn't see Internal Server Error after this patch.

I don't know whether this is the correct approach or whether it introduces security vulnerabilities, but I wanted to let you know about this.

Steps to reproduce

  1. Deploy Authentik with docker-compose (I can share my config)
  2. Deploy Nextcloud with docker-compose using latest tag (I can share my config)
  3. Install Social Login App on Nextcloud
  4. Create Provider/Application on Authentik
  5. Configure Social Login App for OIDC flow
  6. Try to login with your user:
    • It should redirect to Authentik, log in
    • Authentik should redirect back to Nextcloud
    • Nextcloud crashes: Internal Server Error

Expected behavior

It shouldn't crash after the successful login flow and instead, should land on the main page of Nextcloud.

Nextcloud Server version

33

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

cloud@cloudpi:~/Desktop/Stack/nextcloud $ nocc config:list system
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "cloud.homelab.com",
            "nextcloud",
            "172.18.0.10"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.2.2",
        "overwrite.cli.url": "https:\/\/cloud.homelab.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "app_install_overwrite": [],
        "allow_local_remote_servers": true,
        "loglevel": 0,
        "overwriteprotocol": "https",
        "overwritehost": "cloud.homelab.com",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        }
    }
}

List of activated Apps

cloud@cloudpi:~/Desktop/Stack/nextcloud $ nocc app:list
Enabled:
  - activity: 6.0.0
  - admin_audit: 1.23.0
  - app_api: 33.0.0
  - assistant: 3.3.0
  - bruteforcesettings: 6.0.0
  - calendar: 6.2.2
  - circles: 33.0.0
  - cloud_federation_api: 1.17.0
  - comments: 1.23.0
  - contacts: 8.4.4
  - contactsinteraction: 1.14.1
  - context_chat: 5.3.1
  - dashboard: 7.13.0
  - dav: 1.36.0
  - deck: 1.17.1
  - doom_nextcloud: 1.0.8
  - drawio: 4.2.3
  - encryption: 2.21.0
  - epubviewer: 1.9.2
  - external: 8.0.0
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_downloadlimit: 5.1.0
  - files_external: 1.25.1
  - files_pdfviewer: 6.0.0
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - firstrunwizard: 6.0.0
  - groupfolders: 21.0.7
  - integration_deepl: 2.2.0
  - integration_openai: 4.3.1
  - integration_openproject: 3.0.0
  - logreader: 6.0.0
  - lookup_server_connector: 1.21.0
  - mail: 5.7.12
  - news: 28.2.0
  - nextcloud_announcements: 5.0.0
  - notes: 4.13.1
  - notifications: 6.0.0
  - notify_push: 1.3.1
  - oauth2: 1.21.0
  - onlyoffice: 10.0.0
  - password_policy: 5.0.0
  - photos: 6.0.0
  - privacy: 5.0.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - recommendations: 6.0.0
  - related_resources: 4.0.0
  - serverinfo: 5.0.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - sociallogin: 6.4.2
  - spreed: 23.0.3
  - support: 5.0.0
  - survey_client: 5.0.0
  - systemtags: 1.23.0
  - tasks: 0.17.1
  - text: 7.0.0
  - theming: 2.8.0
  - twofactor_backupcodes: 1.22.0
  - twofactor_nextcloud_notification: 7.0.0
  - twofactor_totp: 15.0.0
  - updatenotification: 1.23.0
  - user_ldap: 1.24.0
  - user_status: 1.13.0
  - viewer: 6.0.0
  - weather_status: 1.13.0
  - webhook_listeners: 1.5.0
  - whiteboard: 1.5.7
  - workflowengine: 2.15.0
Disabled:
  - suspicious_login: 11.0.0
  - testing: 1.23.0

Nextcloud Signing status

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- INVALID_HASH
		- core/js/mimetypelist.js
		- lib/private/Config/UserConfig.php
		- lib/private/Session/CryptoSessionData.php
	- EXTRA_FILE
		- lib/private/Config/UserConfig.php.bak
		- lib/private/Session/CryptoSessionData.php.bak

Nextcloud Logs

{"reqId":"eh8Ah9kYv0OYnw4tTkR1","level":3,"time":"2026-04-24T11:56:47+00:00","remoteAddr":"100.64.94.125","user":"e_irmak","app":"index","method":"GET","url":"/apps/sociallogin/custom_oidc/authentik?code=9b761aff18c34c9f9798e4137201ba9c&state=HA-64TN7YVGR81ASO9XE5K2CMWLI0UF3JHDQPZB","scriptName":"/index.php","message":"OC\\Security\\Crypto::encrypt(): Argument #1 ($plaintext) must be of type string, false given, called in /var/www/html/lib/private/Session/CryptoSessionData.php on line 204","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0","version":"33.0.2.2","exception":{"Exception":"TypeError","Message":"OC\\Security\\Crypto::encrypt(): Argument #1 ($plaintext) must be of type string, false given, called in /var/www/html/lib/private/Session/CryptoSessionData.php on line 204","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":204,"function":"encrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/AppFramework/Middleware/SessionMiddleware.php","line":49,"function":"close","class":"OC\\Session\\CryptoSessionData","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":119,"function":"afterController","class":"OC\\AppFramework\\Middleware\\SessionMiddleware","type":"->","args":[{"__class__":"OCA\\SocialLogin\\Controller\\LoginController"},"custom",{"__class__":"OCP\\AppFramework\\Http\\RedirectResponse"}]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":155,"function":"afterController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->","args":[{"__class__":"OCA\\SocialLogin\\Controller\\LoginController"},"custom",{"__class__":"OCP\\AppFramework\\Http\\RedirectResponse"}]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":153,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\SocialLogin\\Controller\\LoginController"},"custom"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":321,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\SocialLogin\\Controller\\LoginController","custom",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"sociallogin.login.custom","type":"custom_oidc","provider":"authentik"}]},{"file":"/var/www/html/lib/base.php","line":1155,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/sociallogin/custom_oidc/authentik"]},{"file":"/var/www/html/index.php","line":25,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":63,"message":"OC\\Security\\Crypto::encrypt(): Argument #1 ($plaintext) must be of type string, false given, called in /var/www/html/lib/private/Session/CryptoSessionData.php on line 204","exception":"{\"class\":\"TypeError\",\"message\":\"OC\\Security\\Crypto::encrypt(): Argument #1 ($plaintext) must be of type string, false given, called in /var/www/html/lib/private/Session/CryptoSessionData.php on line 
204\",\"code\":0,\"file\":\"/var/www/html/lib/private/Security/Crypto.php:63\",\"trace\":\"#0 /var/www/html/lib/private/Session/CryptoSessionData.php(204): OC\\Security\\Crypto->encrypt(false, 'tm/LTrZtYzf253L...')\\n#1 /var/www/html/lib/private/AppFramework/Middleware/SessionMiddleware.php(49): OC\\Session\\CryptoSessionData->close()\\n#2 /var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php(119): OC\\AppFramework\\Middleware\\SessionMiddleware->afterController(Object(OCA\\SocialLogin\\Controller\\LoginController), 'custom', Object(OCP\\AppFramework\\Http\\RedirectResponse))\\n#3 /var/www/html/lib/private/AppFramework/Http/Dispatcher.php(155): OC\\AppFramework\\Middleware\\MiddlewareDispatcher->afterController(Object(OCA\\SocialLogin\\Controller\\LoginController), 'custom', Object(OCP\\AppFramework\\Http\\RedirectResponse))\\n#4 /var/www/html/lib/private/AppFramework/App.php(153): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OCA\\SocialLogin\\Controller\\LoginController), 'custom')\\n#5 /var/www/html/lib/private/Route/Router.php(321): OC\\AppFramework\\App::main('OCA\\\\SocialLogin...', 'custom', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\\n#6 /var/www/html/lib/base.php(1155): OC\\Route\\Router->match('/apps/sociallog...')\\n#7 /var/www/html/index.php(25): OC::handleRequest()\\n#8 {main}\"}","CustomMessage":"OC\\Security\\Crypto::encrypt(): Argument #1 ($plaintext) must be of type string, false given, called in /var/www/html/lib/private/Session/CryptoSessionData.php on line 204"},"id":"69eb64057a8e8"}

Additional info

No response
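
Added example, not part of the original report and not Nextcloud's code: `json_encode()` returns `false` when a value cannot be encoded (for example a string that is not valid UTF-8), and the `'{}'` fallback in the patch above would then store an empty session instead of the real one. This PHP example reports which session keys fail to encode and raises instead of substituting `'{}'`. The function names and sample data are hypothetical, and invalid UTF-8 being the cause in this report is an assumption.

```php
<?php
declare(strict_types=1);

// Added illustration: function names and sample data are hypothetical,
// not taken from Nextcloud or the Social Login app.

/** Map each session key that json_encode() rejects to the encoder's error. */
function findUnencodableSessionKeys(array $sessionValues): array
{
    $bad = [];
    foreach ($sessionValues as $key => $value) {
        try {
            // Encode key and value together so a bad key is caught too.
            json_encode([$key => $value], JSON_THROW_ON_ERROR);
        } catch (JsonException $e) {
            $bad[$key] = $e->getMessage();
        }
    }
    return $bad;
}

/** Serialize the session, raising on failure instead of storing '{}'. */
function encodeSessionOrFail(array $sessionValues): string
{
    try {
        return json_encode($sessionValues, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        $keys = implode(', ', array_keys(findUnencodableSessionKeys($sessionValues)));
        throw new RuntimeException(
            "Session values are not JSON-encodable; offending keys: {$keys}", 0, $e
        );
    }
}

// Constructed session contents; 'provider_blob' holds bytes that are not valid UTF-8.
$session = [
    'user_id'       => 'alice',
    'requesttoken'  => 'constructed-token-value',
    'provider_blob' => "\xB1\x31",
];

// Without JSON_THROW_ON_ERROR the failure surfaces only as a false return value,
// which is what Crypto::encrypt() received in the report.
var_dump(json_encode($session));

// Name the offending key so the code that wrote that value can be fixed.
print_r(findUnencodableSessionKeys($session));

try {
    encodeSessionOrFail($session);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```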
