I have OAuth2 integration set up, and it works fine for web.
But an attempt to login on desktop/android clients with Single Sigh On button shows Internal Server Error .
During investigation, I’ve found that the problem is in the URL that is supposed to initiate OAuth2 login:
the URL that SeaFile client reaches for is https://example.com/shib-login?shib_device_id=...
the proper URL should be https://example.com/shib-login/?shib_device_id=...
The problem is missing / before ?. And because of that, Seahub responds with Moved permanently and breaks SSO login on mobile/desktop clients
Deployment method: Docker
SeaFile version: seafileltd/seafile-pro-mc:13.0.15. But it is kind of an old deployment, I’ve started it from version 11, gradually upgrading during the years
Thank you for the detailed investigation. While you’ve identified that the missing trailing slash (/shib-login vs /shib-login/) triggers a 301 Moved Permanently redirect, the fact that you are seeing an Internal Server Error (HTTP 500) suggests that the failure is happening on the server side during or after that redirect.
Since this issue isn’t widely reported by other users, it is likely specific to your environment’s configuration or how the web server (Nginx/Docker) interacts with the upgraded Seahub version (v13).
To resolve this, please try the following steps:
1. Check Server-Side Logs
The “Internal Server Error” usually generates a Python stack trace. Please check the following logs inside your Docker container to find the specific error message:
shared/seafile/logs/seahub.log: Look for any “Error” or “Traceback” entries around the time you attempt the login.
shared/seafile/logs/django_request.log: This may show 500 error details.
Nginx Error Logs: To see if the proxy is failing to pass the request.
2. Adjust Nginx Configuration
To prevent the 301 redirect from breaking the SSO handshake (and potentially losing headers like shib_device_id), you can add a rewrite rule to your Nginx config to ensure the slash is handled internally:
location /shib-login {
# Rewrite internally to add the slash if missing, preserving query params
rewrite ^/shib-login$ /shib-login/ break;
proxy_pass http://127.0.0.1:8000;
# Ensure all proxy headers are passed
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
3. Verify SSO Redirect URLs
In your seahub_settings.py, check your OAuth2/Casdoor configuration. Ensure that your OAUTH_REDIRECT_URL (or equivalent) explicitly includes the trailing slash to match what the server expects. A mismatch between the registered redirect URI in Casdoor and the one generated after the 301 redirect often causes a 500 error.