iCloud binding, authentication problem

Hello,

I have an authentication problem with an iCloud account.

After installing the binding everything worked perfectly. Then after restarting OH 4.2.2 there was a warning:
[WARN ] [l.handler.ICloudAccountBridgeHandler] - iCloud authentication failed. Invalid credentials.

Unfortunately, re-entering the user ID and password did not improve the situation. If I log in directly via the browser at https://www.icloud.com/, the login details work perfectly, so they are definitely correct.

Reinstalling the binding did not improve the situation. What else can I do?

Regards
Hans-Jürgen

4 Likes

Same here

Perhaps the 2FA code? Could be that it needs to be re-entered after a reboot.

The problem is that the iPhone doesn’t even display a 2FA code that you could enter.

I have this exact problem after reboot. Created an issue on GitHub.

1 Like

Same problem here (originally posted on the 4.3.0M2 thread). This is on openhabian/pi4. I updated to the new milestone and immediately found iCloud no longer connects. It will trigger a 2FA prompt that I’ll see on my Apple devices and I do get the automated ‘we’ve received a password login from this address, if this was you do nothing’ email note from Apple, i.e. Apple seems to think there was a valid login. But the iCloud account thing never gets updated to ‘Online’ and will end up in status ‘ERROR: CONFIG.’ Log shows invalid 2FA token.

Not sure how to fix, but I’m happy to help test a solution.
Cheers

2024-10-15 06:09:42.255 [WARN ] [l.handler.ICloudAccountBridgeHandler] - iCloud authentication requires 2-FA code. Please provide code configuration for thing ‘icloud:account:872293b897’.

2024-10-15 06:09:42.256 [INFO ] [ab.event.ThingStatusInfoChangedEvent] - Thing ‘icloud:account:872293b897’ changed from UNKNOWN to OFFLINE (CONFIGURATION_ERROR): Please provide 2-FA code in thing configuration.

2024-10-15 06:10:26.757 [INFO ] [ab.event.ThingStatusInfoChangedEvent] - Thing ‘icloud:account:872293b897’ changed from OFFLINE (CONFIGURATION_ERROR): Please provide 2-FA code in thing configuration. to UNKNOWN

2024-10-15 06:14:40.235 [WARN ] [l.handler.ICloudAccountBridgeHandler] - ICloud token invalid.

2024-10-15 06:14:40.238 [INFO ] [ab.event.ThingStatusInfoChangedEvent] - Thing ‘icloud:account:872293b897’ changed from UNKNOWN to OFFLINE (CONFIGURATION_ERROR): Invalid 2-FA-code.

Also my trace logs if that’s of any help:

2024-10-19 13:51:23.766 [DEBUG] [l.handler.ICloudAccountBridgeHandler] - iCloud bridge handler initializing ...
2024-10-19 13:51:23.775 [DEBUG] [l.handler.ICloudAccountBridgeHandler] - iCloud bridge handler initialized.
2024-10-19 13:51:23.793 [DEBUG] [l.handler.ICloudAccountBridgeHandler] - Starting iCloud authentication (AuthState=INITIAL, Thing=icloud:account:63f7cfe3c6)...
2024-10-19 13:51:23.797 [DEBUG] [inding.icloud.internal.ICloudService] - Checking session token validity
2024-10-19 13:51:23.802 [DEBUG] [inding.icloud.internal.ICloudSession] - iCloud request POST https://setup.icloud.com/setup/ws/1/validate.
2024-10-19 13:51:23.810 [TRACE] [inding.icloud.internal.ICloudSession] - Calling https://setup.icloud.com/setup/ws/1/validate
Headers -----
java.net.http.HttpHeaders@db4184c6 { {Origin=[https://www.icloud.com], Referer=[https://www.icloud.com/]} }
Body -----
null
------
2024-10-19 13:51:24.551 [TRACE] [inding.icloud.internal.ICloudSession] - Result https://setup.icloud.com/setup/ws/1/validate 421
Headers -----
java.net.http.HttpHeaders@f86910c7 { {access-control-allow-credentials=[true], access-control-allow-origin=[https://www.icloud.com], access-control-expose-headers=[X-Apple-Request-UUID,Via], cache-control=[no-cache, no-store, private], connection=[keep-alive], content-length=[1403], content-type=[application/json; charset=UTF-8], date=[Sat, 19 Oct 2024 10:51:24 GMT], server=[AppleHttpServer/b866cf47a603], strict-transport-security=[max-age=31536000; includeSubDomains;], via=[xrail:mr42p00ic-qujn09141701.me.com:8301:24R504:grp20,631194250daa17e24277dea86cf30319:8f0ada2b7d17e60a1728f24fa3127b29:deber3], x-apple-edge-response-time=[147], x-apple-request-uuid=[b9781658-24b1-4161-9e9d-f7cb9df5f690], x-apple-user-partition=[60], x-responding-instance=[setupservice:36001001:mr51p60ic-qukt04081502:8001:2426B654:a2ab3064ebcf]} }
Body -----
{"success":false,"requestInfo":[{"country":"NL","timeZone":"GMT+1"}],"configBag":{"urls":{"accountCreateUI":"https://appleid.apple.com/widget/account/?widgetKey=d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d#!create","accountVerifyUI":"https://id.apple.com/identity?widgetKey=d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d","accountLoginUI":"https://idmsa.apple.com/appleauth/auth/signin?widgetKey=d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d","accountLogin":"https://setup.icloud.com/setup/ws/1/accountLogin","accountRepairUI":"https://appleid.apple.com/widget/account/?widgetKey=d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d#!repair","downloadICloudTerms":"https://setup.icloud.com/setup/ws/1/downloadLiteTerms","repairDone":"https://setup.icloud.com/setup/ws/1/repairDone","accountAuthorizeUI":"https://idmsa.apple.com/appleauth/auth/authorize/signin?client_id=d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d","vettingUrlForEmail":"https://id.apple.com/IDMSEmailVetting/vetShareEmail","accountCreate":"https://setup.icloud.com/setup/ws/1/createLiteAccount","getICloudTerms":"https://setup.icloud.com/setup/ws/1/getTerms","vettingUrlForPhone":"https://id.apple.com/IDMSEmailVetting/vetSharePhone"},"accountCreateEnabled":true,"isEnhancedProtectionRegion":false},"error":"Missing X-APPLE-WEBAUTH-TOKEN cookie"}
------
2024-10-19 13:51:24.557 [DEBUG] [inding.icloud.internal.ICloudService] - Token is not valid. Attemping new login.
org.openhab.binding.icloud.internal.ICloudApiResponseException: Request https://setup.icloud.com/setup/ws/1/validate failed with 421.
	at org.openhab.binding.icloud.internal.ICloudSession.request(ICloudSession.java:148) ~[?:?]
	at org.openhab.binding.icloud.internal.ICloudSession.post(ICloudSession.java:98) ~[?:?]
	at org.openhab.binding.icloud.internal.ICloudService.validateToken(ICloudService.java:190) ~[?:?]
	at org.openhab.binding.icloud.internal.ICloudService.authenticate(ICloudService.java:94) ~[?:?]
	at org.openhab.binding.icloud.internal.handler.ICloudAccountBridgeHandler.checkLogin(ICloudAccountBridgeHandler.java:338) ~[?:?]
	at org.openhab.binding.icloud.internal.handler.ICloudAccountBridgeHandler.callApiWithRetryAndExceptionHandling(ICloudAccountBridgeHandler.java:164) ~[?:?]
	at org.openhab.binding.icloud.internal.handler.ICloudAccountBridgeHandler.lambda$2(ICloudAccountBridgeHandler.java:127) ~[?:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) [?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:840) [?:?]
2024-10-19 13:51:24.575 [DEBUG] [inding.icloud.internal.ICloudService] - Authenticating as censored@gmail.com...
2024-10-19 13:51:24.581 [DEBUG] [inding.icloud.internal.ICloudSession] - iCloud request POST https://idmsa.apple.com/appleauth/auth/signin?isRememberMeEnabled=true.
2024-10-19 13:51:24.587 [TRACE] [inding.icloud.internal.ICloudSession] - Calling https://idmsa.apple.com/appleauth/auth/signin?isRememberMeEnabled=true
Headers -----
java.net.http.HttpHeaders@bf3ef8e0 { {Accept=[*/*], Content-Type=[application/json], Origin=[https://www.icloud.com], Referer=[https://www.icloud.com/], X-Apple-OAuth-Client-Id=[d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d], X-Apple-OAuth-Client-Type=[firstPartyAuth], X-Apple-OAuth-Redirect-URI=[https://www.icloud.com], X-Apple-OAuth-Require-Grant-Code=[true], X-Apple-OAuth-Response-Mode=[web_message], X-Apple-OAuth-Response-Type=[code], X-Apple-OAuth-State=[auth-b80ca0e1-6cad-4dcf-9f77-f7e1405b96bf], X-Apple-Widget-Key=[d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d]} }
Body -----
{"password":"censored","accountName":"censored@gmail.com","trustTokens":["HSARMTKNSRVXWFlalyxsgDULFpQsKJ6EMb0EZMimYMVwGthfCbBqFtPVMNSZf1o7loXhq/PobYU1kZ1c11XrjRPeERbJ2zAlsW0MgwmsxpxgaWCQJBZGddsFPKrla/ntlNu+bnw9yRf8Q5ZUzEYtCBaV4GN04+kFJMuM4+zEYMDXwPXvQascqsftN/Tq75BqKU/6twbzWWTo8HF+rdmLEFS21i4xidaHrWujl6OV01X/ARE\u003dSRVT"],"rememberMe":true}
------
2024-10-19 13:51:25.423 [TRACE] [inding.icloud.internal.ICloudSession] - Result https://idmsa.apple.com/appleauth/auth/signin?isRememberMeEnabled=true 503
Headers -----
java.net.http.HttpHeaders@260031ae { {connection=[keep-alive], content-length=[190], content-type=[text/html], date=[Sat, 19 Oct 2024 10:51:25 GMT], server=[Apple]} }
Body -----
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>Apple</center>
</body>
</html>
------
2024-10-19 13:51:25.429 [WARN ] [l.handler.ICloudAccountBridgeHandler] - iCloud authentication failed. Invalid credentials.
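
The TRACE output above carries request bodies with `password`, `accountName` and `trustTokens` fields, plus per-session header values. An added example (not part of the original post and not openHAB code) of masking those before a log like this is shared; the sample log is constructed, and the list of sensitive names is an assumption based on the lines shown here.

```python
import json
import re

SENSITIVE_KEYS = {"password", "accountName", "trustTokens"}  # JSON fields in the signin body
HEADER_RE = re.compile(r"(X-Apple-OAuth-State|Set-Cookie|Cookie)=\[[^\]]*\]", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # needs a dotted domain

def mask(value):
    """Recursively replace sensitive JSON fields, keeping the structure."""
    if isinstance(value, dict):
        return {k: "<redacted>" if k in SENSITIVE_KEYS else mask(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask(v) for v in value]
    return value

def sanitize(log_text: str) -> str:
    out = []
    for line in log_text.splitlines():
        if line.lstrip().startswith("{"):
            try:
                line = json.dumps(mask(json.loads(line)), separators=(",", ":"))
            except ValueError:
                # Fail closed: a truncated body that names a secret is dropped whole.
                if any(key in line for key in SENSITIVE_KEYS):
                    line = "<body removed: unparseable and contains a sensitive field>"
        line = HEADER_RE.sub(lambda m: f"{m.group(1)}=[<redacted>]", line)
        out.append(EMAIL_RE.sub("<email>", line))
    return "\n".join(out)

# Constructed sample in the same shape as the binding's TRACE output.
SAMPLE = """\
2024-01-01 00:00:00.000 [DEBUG] [inding.icloud.internal.ICloudService] - Authenticating as someone@example.com...
Headers -----
java.net.http.HttpHeaders@bf3ef8e0 { {Accept=[*/*], X-Apple-OAuth-State=[auth-sample-state]} }
Body -----
{"password":"hunter2","accountName":"someone@example.com","trustTokens":["SAMPLE-TRUST-TOKEN"],"rememberMe":true}
{"password":"hunter2", "accountNa
------"""

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```
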

Same here - today's restart of OH broke authentication - running on the 4.2.2 release build.
Had a restart of openHAB yesterday around lunchtime CET (short power outage), no issue seen.

Same here after reboot.

same here

same here

1 Like

Same here

@maihacke
Could you help with this issue?

This issue is likely due to a change on Apple’s side. Home Assistant and others are having the same issue. It looks like Apple switched to SRP-6a (Secure Remote Password) protocol.

3 Likes

Assuming that’s the cause, presumably something needs to change in the cloud server to work with that protocol, right? If so can someone please file an issue with the cloud server repo with all the details.

Hello colleagues, has anyone found a workaround for it?

Hello
I updated to openHAB 4.2.2 and now the 2FA code is no longer displayed on the cell phone. Is there already a solution or should I reinstall the binding?

Thanks for your tips

I had the same issue on the 20th of October. Yesterday I was able to disable the thing and enable it again: the bridge came directly up online without asking for a new 2FA… Today I needed to restart openHAB, and now the bridges are again offline with invalid credentials.

Not sure if it just was an old server or it’s a caching issue in the background? Not sure if this information helps anyone.

Thanks. In that issue someone posted a link to a solution based on pycloud.

So the fix needs to be done in the binding too.

My disable / enable yesterday was only a moment of luck.

Have you ever used pycloud?