Cross reference to support question opened in https://help.nextcloud.com #13

Closed
michaelof opened this issue Jul 18, 2023 · 14 comments
Comments

@michaelof

First of all:

THANK YOU VERY MUCH for this app/plugin!!!

I've opened a support question for Nextcloud: https://help.nextcloud.com/t/encryption-mixup-after-installing-configuring-and-activating-eid-login-app/166426

Crosslinking here, as issue appears after installing eid-login, so maybe relevant also for you.

Regards,
Michael

@ecmrauh
Contributor

ecmrauh commented Jul 19, 2023

Hi Michael, thanks for reporting the issue! Before diving deeper, do you have the checkbox "Disable password based login. This will be unset if you use the password recovery" enabled in the Nextcloud settings under Personal - Security - eID-Login? If so, please uncheck it temporarily and test again. As this setting interacts with the handling of the user password, it could be the reason.

@michaelof
Author

Did as advised. Unfortunately AusweisApp2 says ~ "successful, eID can be removed", but eid-login says "Anmelden mit eID fehlgeschlagen! Bitte stellen Sie sicher, dass die genutzte eID-Karte gültig ist" (English: "Login with eID failed! Please ensure that the eID card used is valid").

MAYBE because after the encryption errors I've disabled and removed eid-login. Installed again after your answer here, existing skidentity.de config re-used.

As I can't log in now, I'll try to unset the "disable password based login" flag via an SQL command, the last option I'm aware of.

@michaelof
Author

Disabling of "disable pw based login" SUCCESSFUL.

Had to run:
update OC_PREFERENCES set configvalue = 'false' where userid = <userid> and appid = 'eidLogin' and configkey = 'no_pw_login'

@michaelof
Author

michaelof commented Jul 24, 2023

Tried to enable eid-login again. Does not work.
After several attempts, I've decided to deactivate inside Nextcloud eid-login completely at Administration/Security/eID-Login-Settings.
Also clicked RESET at that place.
Also deleted skidentity service and account.

Tried to recreate everything:
Started from within Nextcloud Administration/Security/eID-Login-Settings wizard. Selected and opened skidentity. Created an account, activated by confirmation email.
Created skidentity service as shown by wizard in Nextcloud, set respective Entity ID and Assertion Consumer URL as shown in wizard.
Tested service in skidentity, says all fine.
Finished wizard inside Nextcloud, and tried to "create connection to eID".
Can proceed from skidentity to local AusweisApp2, enter PIN etc., last skidentity url shows "...continue=true" within URL.
Returns to Nextcloud.
After some seconds a popup shows up for a short time, saying "Creation of eID connection failed! Please ensure the used eID-Card is valid."
No idea why.

@ecmrauh
Contributor

ecmrauh commented Jul 27, 2023

Regarding your encryption error: there is an open issue nextcloud/server#8546 with the exact error message.

To find out if there is an additional problem with the eID-login plugin, it would be helpful if you could increase the log level to find out where exactly the problem is. You can have a look at the docs or (if you use Docker), this might help.

Make sure your settings and your metadata are OK. You can have a look at your Service Provider metadata under https://<YOUR_DOMAIN>/apps/eidlogin/saml/meta. This should be valid XML with your certificates.

In general, the resetting and re-configuring of the plugin should not be a problem.

@michaelof
Author

My encryption issue is sorted out, recovered everything and now encryption is switched off, thanks for your hint!

Regarding eidlogin:

Log level has been 0 (DEBUG) since I don't know when, some earlier issue :)

These are the latest (anonymized) logs for trying to connect a user to eidlogin:

{"reqId":"WbqCxOsducbft3wz4o4D","level":0,"time":"2023-07-27T09:59:39+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"encryption","method":"GET","url":"/index.php/apps/eidlogin/eid/createeid?requesttoken=<requesttoken>","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"encryption"}}
{"reqId":"WbqCxOsducbft3wz4o4D","level":0,"time":"2023-07-27T09:59:39+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"eidlogin","method":"GET","url":"/index.php/apps/eidlogin/eid/createeid?requesttoken=<requesttoken>","message":"<samlp:AuthnRequest\n    xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n    xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"\n\n    ID=\"eidlogin_<ID_replaced>\"\n    Version=\"2.0\"\n\n    IssueInstant=\"2023-07-27T09:59:39Z\"\n    Destination=\"https://service.skidentity.de/fs/saml/remoteauth/\"\n    ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n    AssertionConsumerServiceURL=\"https://<MYDOMAIN>/index.php/apps/eidlogin/saml/acs\">\n    <saml:Issuer>https://<MYDOMAIN></saml:Issuer>\n    <samlp:NameIDPolicy\n        Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\"\n        AllowCreate=\"true\" />\n</samlp:AuthnRequest>","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"eidlogin"}}
{"reqId":"f5EyDbo8DYQ0m5MUbkXp","level":1,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"","user":"--","app":"eidlogin","method":"","url":"--","message":"eidlogin CleanupDbJob will delete all eidcontinuedata older than 1690451703","userAgent":"--","version":"26.0.4.2","data":{"app":"eidlogin"}}
{"reqId":"f5EyDbo8DYQ0m5MUbkXp","level":1,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"","user":"--","app":"eidlogin","method":"","url":"--","message":"eidlogin CleanupDbJob will delete all eidresponsedata older than 1690451703","userAgent":"--","version":"26.0.4.2","data":{"app":"eidlogin"}}
{"reqId":"f5EyDbo8DYQ0m5MUbkXp","level":1,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"","user":"--","app":"eidlogin","method":"","url":"--","message":"eidlogin CleanupDbJob done.","userAgent":"--","version":"26.0.4.2","data":{"app":"eidlogin"}}
{"reqId":"uCnjtH1EMmjbbHRl8dJD","level":0,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"<myIPv6>","user":"--","app":"encryption","method":"POST","url":"/index.php/apps/eidlogin/saml/acs","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"encryption"}}
{"reqId":"uCnjtH1EMmjbbHRl8dJD","level":3,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"<myIPv6>","user":"--","app":"PHP","method":"POST","url":"/index.php/apps/eidlogin/saml/acs","message":"DOMDocument::schemaValidate(): Invalid Schema at /srv/www/htdocs/nextcloud/apps/eidlogin/dep/OneLogin/Saml2/Utils.php#153","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"PHP"}}
{"reqId":"l8pGhW2O125OqOw00ZNG","level":0,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"<myIPv6>","user":"--","app":"encryption","method":"GET","url":"/index.php/apps/eidlogin/eid/resume/<resume_part1>?id=<resume_id>","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"encryption"}}
{"reqId":"l8pGhW2O125OqOw00ZNG","level":1,"time":"2023-07-27T10:00:05+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"eidlogin","method":"GET","url":"/index.php/apps/eidlogin/eid/resume/<resume_part1>?id=<resume_id>","message":"processResponseData found errors or user not authenticated - errors:Array\n(\n    [0] => invalid_response\n)\n, saml status msg: ","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"eidlogin"}}
{"reqId":"l8pGhW2O125OqOw00ZNG","level":1,"time":"2023-07-27T10:00:05+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"eidlogin","method":"GET","url":"/index.php/apps/eidlogin/eid/resume/<resume_part1>?id=<resume_id>","message":"processResponseData last error reason: Invalid SAML Response. Not match the eidlogin.xsd","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"eidlogin"}}

As you mentioned https://<YOUR_DOMAIN>/apps/eidlogin/saml/meta, https://<YOUR_DOMAIN>/index.php/apps/eidlogin/saml/meta in my case, this URL leads to a nextcloud-thrown "Page not found / The page could not be found on the server. (Back to Nextcloud)" error.
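As an added example (not code from the thread or from the eidlogin project), a small triage script for Nextcloud JSON log lines like the ones above: it groups eidlogin-related entries by reqId and separates the PHP warning, which libxml raises when the XSD itself cannot be parsed, from the eidlogin "response does not match the schema" error. The sample lines are constructed from the quoted log with some fields trimmed; the rule names are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample, modelled on the Nextcloud JSON log lines quoted in this issue
# (placeholders such as <myIPv6> kept as in the thread, some fields trimmed).
SAMPLE_LOG = r'''{"reqId":"uCnjtH1EMmjbbHRl8dJD","level":3,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"<myIPv6>","user":"--","app":"PHP","method":"POST","url":"/index.php/apps/eidlogin/saml/acs","message":"DOMDocument::schemaValidate(): Invalid Schema at /srv/www/htdocs/nextcloud/apps/eidlogin/dep/OneLogin/Saml2/Utils.php#153"}
{"reqId":"l8pGhW2O125OqOw00ZNG","level":1,"time":"2023-07-27T10:00:05+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"eidlogin","method":"GET","url":"/index.php/apps/eidlogin/eid/resume/<resume_part1>?id=<resume_id>","message":"processResponseData found errors or user not authenticated - errors:Array\n(\n    [0] => invalid_response\n)\n, saml status msg: "}
{"reqId":"l8pGhW2O125OqOw00ZNG","level":1,"time":"2023-07-27T10:00:05+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"eidlogin","method":"GET","url":"/index.php/apps/eidlogin/eid/resume/<resume_part1>?id=<resume_id>","message":"processResponseData last error reason: Invalid SAML Response. Not match the eidlogin.xsd"}
{"reqId":"f5EyDbo8DYQ0m5MUbkXp","level":1,"time":"2023-07-27T10:00:03+00:00","remoteAddr":"","user":"--","app":"eidlogin","method":"","url":"--","message":"eidlogin CleanupDbJob done."}'''

# Rules: (app, regex on message, finding name). The PHP warning is emitted when the XSD
# itself cannot be parsed, not when a response fails to match it, so it gets its own name.
# Finding names are assumptions made for this example.
RULES = [
    ("PHP", re.compile(r"schemaValidate\(\): Invalid Schema"), "xsd_unparseable"),
    ("eidlogin", re.compile(r"\[\d+\] => (\w+)"), "saml_error_code"),
    ("eidlogin", re.compile(r"last error reason: (.+)$"), "saml_error_reason"),
]


def parse_log(text):
    """Parse a JSON-lines Nextcloud log, skipping lines that are not valid JSON."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def triage(text):
    """Group eidlogin findings by reqId so one failed eID round trip
    (ACS POST followed by the resume GET) reads as a single incident."""
    findings = defaultdict(list)
    for e in parse_log(text):
        if "/apps/eidlogin/" not in e.get("url", ""):
            continue  # background jobs and unrelated requests are ignored
        for app, pattern, name in RULES:
            if e.get("app") != app:
                continue
            m = pattern.search(e.get("message", ""))
            if m:
                detail = m.group(1) if m.groups() else e["url"]
                findings[e["reqId"]].append((name, detail))
    return dict(findings)
```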

@ecmrauh
Contributor

ecmrauh commented Jul 27, 2023

The fact that the SP metadata site throws a "Page not found" indicates that something is wrong with your Nextcloud instance or the eidlogin configuration. The errors during the authentication process are probably just consequences of this misconfiguration.

Are there any settings in your Apache config / .htaccess that could prevent Nextcloud from returning the metadata, e.g. like redirects?

I am a bit confused about your logs. It seems that the encryption app uses / calls code from the eidlogin plugin, as in line 1:

..."app":"encryption","method":"GET","url":"/index.php/apps/eidlogin/eid/createeid...

My recommendation would be to completely remove the eidlogin plugin and reconfigure it again (the SkIDentity service account can be left untouched and reused):

  • Click the reset button in the eidlogin settings.
  • Uninstall the plugin.
  • Make sure all database settings are removed (in table oc_appconfig there should be no entries for appid "eidlogin").
  • Make sure the folder /srv/www/htdocs/nextcloud/apps/eidlogin is removed/empty.
  • Reinstall the eidlogin plugin.
  • Go through the setup wizard again and use the same settings as before (for Service Provider EntityID and the Assertion Consumer URL).
  • Connect your account with SkIDentity again.

@michaelof
Author

I need an "intermediate" help step ;)
Followed ALL your last recommendations, but additionally wiped too much:
Dropped all oc_eid* tables, 4 of them AFAI remember. Did this after checking for entries to be deleted in oc_appconfig, oc_properties etc.
Installed plugin eidlogin again, wizard went fine (as before).
Navigating to user security properties within Nextcloud leads to a broken page.
Reason is that the dropped oc_eid* tables are NOT recreated, although missing, when re-installing eidlogin.
Please advise how to proceed.

@michaelof
Author

> Dropped all oc_eid* tables

"Fixed" this intermediate issue. As I had a mysqldump available incl. SQL structure, with the oc_eid* tables (still) existing, I was able to recreate them.
Navigating to user security properties within Nextcloud now works again.

But main issue, "Create connection to eID" not possible anymore, unchanged.

Just to repeat: The connection to eID worked once, but with the mentioned strange Invalid private key for encryption app... error after first eID-based login.

Broken since I've disabled and removed eidlogin for the first time.

Not sure, but IMHO there might be some general (re)install issues with eidlogin, as the oc_eid* tables are also handled somewhat surprisingly for me. Shouldn't they be dropped when app eidlogin is removed? Or at least be created when not existing at the next eidlogin installation? Tried to dig into source, found the "create tables" here: Version1000Date20200911113548.php, but this seems not to be called within the "install" repair step. Nothing in logs.

@ecmrauh
Contributor

ecmrauh commented Jul 28, 2023

I agree that in most cases the database tables should be removed on uninstall. But if I remember correctly, we had a long discussion whether to do so or not and we decided to leave the tables untouched to prevent the loss of important data. For example, if the admin of a large Nextcloud instance mistakenly uninstalls the plugin, all users would lose their eID connections.

Regarding your main issue, I have to say, I really don't know what else you could do, as no other user seems to have had that problem until now.

@michaelof
Author

Do you know how eidlogin checks/knows on the very first install that the tables must be created? Or, precisely, what triggers eidlogin on SECOND install to NOT create the tables, not even to check for their existence, although they have been removed in my case by me? For me this looks like there must be some piece of information somewhere that tells eidlogin to behave differently than on first install, when tables are definitively created.
If I find this out, I hopefully can erase this piece of information and trigger a real (brand) new installation of eidlogin. Maybe this will work, as before the very first installation.

@michaelof
Author

And, FYI, I've seen in the log files that there are different entries for two returns:

a) the "invalid XML schema" error reg. eidlogin.xsd when AusweisApp2 and skidentity are returning "all fine"
b) "no user given" or similar (no access to VPS currently) when terminating eID verification within AusweisApp2. Which I did once today: mistyped eID PW once and pressed red (C) instead of yellow (CLR) on the ReinerSCT cyberJack, leading to cancelling the whole login instead of (as wanted by me) just retyping the PW.

@michaelof
Author

HEUREKA! It works (again)!

Added, as mentioned in eidlogin's readme,

'eidlogin_skipxmlvalidation' => true

to Nextcloud's config file, and now the eID connection was successfully established and can be used. Means IMHO that log entry

{"reqId":"l8pGhW2O125OqOw00ZNG","level":1,"time":"2023-07-27T10:00:05+00:00","remoteAddr":"<myIPv6>","user":"<user>","app":"eidlogin","method":"GET","url":"/index.php/apps/eidlogin/eid/resume/<resume_part1>?id=<resume_id>","message":"processResponseData last error reason: Invalid SAML Response. Not match the eidlogin.xsd","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"26.0.4.2","data":{"app":"eidlogin"}}

seems to be the root cause. Whyever :)

No "Invalid private key for encryption app..." etc. msgs anymore, as the parallel detected encryption issue has (also) been solved.
And it works without the necessity to disable pw-based login, as this led me to the hen-and-egg issue mentioned before...

THANK YOU VERY MUCH for helping @ecmrauh !!!

@ecmrauh
Contributor

ecmrauh commented Jul 31, 2023

You're welcome, I'm glad you could fix the problem!

@ecmrauh ecmrauh closed this as completed Jul 31, 2023