Environment:
-
CMS Version: Xibo CMS (Docker) - Latest Image
-
Installation Type: Docker (Linux Ubuntu)
-
Database: MySQL 5.7
-
Reverse Proxy: Nginx Proxy Manager (NPM) handling SSL (LetsEncrypt).
-
Browser: Chrome Incognito (Cookies allowed).
The Issue: We are trying to link the Canva Application to our Xibo CMS. We have followed the guide, created the API keys in Canva Developers, and configured the Application in the CMS.
When we attempt to connect:
-
We are redirected to Canva.
-
We approve the access (All scopes are checked in the CMS).
-
We are redirected back to the CMS (
/api/authorize/access_token). -
The Result: The browser eventually shows an error or fails to complete the handshake visually in Canva.
Logs & Observations: However, the CMS logs indicate that the backend process seems to be working, but with a strange anomaly regarding scopes.
-
Success Log: We see
Audit Trail message recorded for Auth with id 0. Message: Access Token issued from IP.... -
Session Log: We see
Application access approved... session [ID]. -
The Anomaly: In the debug logs, we noticed that sometimes
finalizeScopesreportsprovided scopes count = 10(correct), but in the final failed attempt, it reportedprovided scopes count = 0, even though “Full account access” is checked in the Application settings.
Troubleshooting steps taken so far:
-
Session Cookies: We verified via
docker compose exec cms-web php -ithat the PHP session settings are correctly applying:-
session.cookie_samesite => None -
session.cookie_secure => On(We mounted a customsession.inito enforce this).
-
-
Trusted Proxies & Networking: We configured
CMS_TRUSTED_PROXIESto include the Docker Gateway IP (172.18.0.1) to ensure the CMS resolves the request correctly behind Nginx Proxy Manager. We also verified that the container can ping the public domain viaextra_hosts. -
Time Synchronization: We verified that the container time matches the host and real-time (NTP synced) to avoid token expiration issues.
-
Nginx Proxy Manager Headers: We have added the following to our Nginx Advanced configuration to ensure headers and auth tokens are passed:
Nginx
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Ssl on; proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None"; proxy_pass_header Authorization; proxy_set_header Authorization $http_authorization;
Our Docker Compose Configuration (Snippet):
YAML
cms-web:
image: ghcr.io/xibosignage/xibo-cms:latest
environment:
- CMS_SERVER_NAME=our.domain.net
- CMS_FORCE_HTTPS=true
- CMS_TRUSTED_PROXIES=172.18.0.1,192.168.1.0/24
- SESSION_COOKIE_SAMESITE=None
- SESSION_COOKIE_SECURE=True
- CMS_SESSIONS_CHECK_IP=false
- CMS_SESSIONS_CHECK_UA=false
volumes:
- "./session.ini:/etc/php/8.3/apache2/conf.d/session.ini"
- "./session.ini:/etc/php/8.3/cli/conf.d/session.ini"
extra_hosts:
- "our.domain.net:172.18.0.1"
Despite the “Access Token issued” log, the integration does not appear as “Connected” in the UI, and Canva acts as if the connection failed. We suspect the issue might be related to how the Token is being handed back to the browser or the scopes count = 0 anomaly.
83 08ce421 2026-02-13 18:37 AUTH POST DEBUG /api/authorize/access_token SET @session_data=‘…’; SET @session_expiration=‘…’; … SET @session_id=‘XXXXXXXXXXXXXXXXX’; UPDATE session …
82 08ce421 2026-02-13 18:37 AUTH POST DEBUG /api/authorize/access_token SET @lastUsedTime=‘…’; SET @userId=‘0’; SET @sessionId=‘105’; UPDATE session_history …
81 08ce421 2026-02-13 18:37 AUTH POST INFO /api/authorize/access_token Request stats: { … }.
80 08ce421 2026-02-13 18:37 AUTH POST DEBUG /api/authorize/access_token Audit Trail message recorded for Auth with id 0. Message: Access Token issued from IP , session 0
79 08ce421 2026-02-13 18:37 AUTH POST DEBUG /api/authorize/access_token Getting new Access Token
78 08ce421 2026-02-13 18:37 AUTH POST DEBUG /api/authorize/access_token finalizeScopes: provided scopes count = 0
Any guidance would be appreciated.