iCloud Binding Communication Error

Seems like there is some problem if you have more than 1 iCloud account.
My 2nd and 3rd iCloud accounts keep sending 2FA info with 6-digit codes to the respective devices every 2-3 hours. Everything still works even if you just ignore the message, but it is really annoying as it keeps popping up even at midnight.
But the same never happens to the 1st iCloud account.

I tried to use this, however it doesn’t work. It complains about wrong credentials. The trace log shows this:

2022-11-12 02:00:53.548 [DEBUG] [inding.icloud.internal.ICloudSession] - iCloud request POST https://setup.icloud.com/setup/ws/1/accountLogin.
2022-11-12 02:00:53.550 [TRACE] [inding.icloud.internal.ICloudSession] - Calling https://setup.icloud.com/setup/ws/1/accountLogin
Headers -----
java.net.http.HttpHeaders@db4184c6 { {Origin=[https://www.icloud.com], Referer=[https://www.icloud.com/]} }
Body -----
{"extended_login":true,"accountCountryCode":"DEU","trustToken":""}
------

2022-11-12 02:00:53.856 [TRACE] [inding.icloud.internal.ICloudSession] - Result https://setup.icloud.com/setup/ws/1/accountLogin 400
Headers -----
java.net.http.HttpHeaders@eed1f18e { {access-control-allow-credentials=[true], access-control-allow-origin=[https://www.icloud.com], access-control-expose-headers=[X-Apple-Request-UUID,Via], apple-originating-system=[UnknownOriginatingSystem], apple-seq=[0], apple-tk=[false], cache-control=[no-cache, no-store, private], connection=[keep-alive], content-length=[50], content-type=[application/json; charset=UTF-8], date=[Sat, 12 Nov 2022 01:00:53 GMT], server=[AppleHttpServer/3faf4ee9434b], strict-transport-security=[max-age=31536000; includeSubDomains], XXXXXXXXXXXX }
Body -----
{"success":false,"error":"Missing apple_id field"}
------

I have verified the credentials multiple times. However, each time I log in manually it complains about me not having 2 FA enabled and I need to confirm that I don’t want to enable it. Maybe that’s the issue here? You probably want to abort the login before calling https://setup.icloud.com/setup/ws/1/accountLogin if the necessary data/token is not there.

A quick investigation seems to confirm that the missing 2 FA is indeed an issue:

Result https://idmsa.apple.com/appleauth/auth/signin?isRememberMeEnabled=true 200
Headers ----- 
...
location=[https://appleid.apple.com/widget/account/repair?widgetKey=.....
...

When I play through the entire stuff in the web login and look at the requests it looks like all the auth-token is returned when https://idmsa.apple.com/appleauth/auth/repair/complete is called. I don’t know if it’s necessary to call any of the other things first, but it doesn’t seem like that so maybe we’re already lucky if you include that POST-request if the location header is present.

Also in this case it still seems to try to refresh the data, even though it knows that it won’t work:

2022-11-12 02:05:53.899 [DEBUG] [l.handler.ICloudAccountBridgeHandler] - iCloud bridge refreshing data ...
2022-11-12 02:05:53.899 [WARN ] [l.handler.ICloudAccountBridgeHandler] - Need to authenticate first.
java.lang.IllegalStateException: Webservice URLs not set. Need to authenticate first.
        at org.openhab.binding.icloud.internal.ICloudService.getDevices(ICloudService.java:293) ~[?:?]
        at org.openhab.binding.icloud.internal.handler.ICloudAccountBridgeHandler.lambda$2(ICloudAccountBridgeHandler.java:128) ~[?:?]
        at org.openhab.core.cache.ExpiringCache.refreshValue(ExpiringCache.java:101) ~[?:?]
        at org.openhab.core.cache.ExpiringCache.getValue(ExpiringCache.java:72) ~[?:?]
        at org.openhab.binding.icloud.internal.handler.ICloudAccountBridgeHandler.refreshData(ICloudAccountBridgeHandler.java:280) ~[?:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:829) [?:?]
2022-11-12 02:05:53.904 [TRACE] [l.handler.ICloudAccountBridgeHandler] - json: null

So in case the authentication failed the periodic refreshing should be stopped.
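
Added example, not part of the thread and not the binding's own code: a Java sketch of the two guards suggested above. It refuses to continue to accountLogin when the sign-in response carries a repair `location` header or no token, and cancels the periodic refresh when authentication fails. The class, method and parameter names and the sample responses are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.*;

public class LoginGuardExample {
    enum AuthState { AUTHENTICATED, NEEDS_REPAIR, MISSING_TOKEN }

    // Decide from the sign-in response whether accountLogin may be called at all.
    // 'sessionToken' is a hypothetical parameter: the token the sign-in step returned, or null.
    static AuthState evaluate(int status, Map<String, List<String>> headers, String sessionToken) {
        boolean repair = headers.getOrDefault("location", List.of()).stream()
                .anyMatch(v -> v.contains("/account/repair"));
        if (repair) {
            return AuthState.NEEDS_REPAIR;   // account has to be fixed by a manual web login
        }
        if (status != 200 || sessionToken == null || sessionToken.isBlank()) {
            return AuthState.MISSING_TOKEN;  // nothing valid to send to accountLogin
        }
        return AuthState.AUTHENTICATED;
    }

    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    private ScheduledFuture<?> refreshJob;

    // Start the periodic refresh only after a successful login; cancel it otherwise.
    synchronized AuthState onSignIn(int status, Map<String, List<String>> headers, String sessionToken) {
        AuthState state = evaluate(status, headers, sessionToken);
        if (state == AuthState.AUTHENTICATED) {
            if (refreshJob == null) {
                refreshJob = scheduler.scheduleWithFixedDelay(
                        () -> System.out.println("refreshing data"), 0, 5, TimeUnit.MINUTES);
            }
        } else if (refreshJob != null) {
            refreshJob.cancel(false);        // stop refreshing instead of failing every cycle
            refreshJob = null;
        }
        return state;
    }

    public static void main(String[] args) {
        LoginGuardExample guard = new LoginGuardExample();
        // Constructed sample responses; the widgetKey value is a placeholder.
        Map<String, List<String>> repair = Map.of("location",
                List.of("https://appleid.apple.com/widget/account/repair?widgetKey=PLACEHOLDER"));
        System.out.println(guard.onSignIn(200, Map.of(), "constructed-token"));
        System.out.println(guard.onSignIn(200, repair, null));
        System.out.println(guard.onSignIn(200, Map.of(), ""));
        guard.scheduler.shutdownNow();
    }
}
```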

Multiple messages like that do not happen on my side. It could be related to multiple accounts (which I do not have, and so could not test) or your account setup is different (2sa vs 2fa, see above). It also could be that something went wrong with the token authentication and the binding is now stuck. You could try to remove the token from the config, stop the binding for about 10-15min and then start over.
If you would like to help here you could post logs here or, even better, try to analyze what runs differently in pyicloud and the iCloud binding. In theory they both should send the same request.

I’m not sure if multiple accounts do work currently. Could you try to reset your binding including the json db and start over?

Currently only 2-FA is supported and tested. If I look at "non-2FA account marked as needing Repair, causing pyicloud login failure · Issue #405 · picklepete/pyicloud · GitHub", pyicloud seems to have the same problem. My best suggestion is to enable 2-FA, sorry.

Alright, no problem. I don’t really use the binding anyways, I have it set up and my devices included but that’s about it, no items linked :smiley: Still it shouldn’t attempt to refresh the data if the login failed for whatever reason, and it shouldn’t continue the login if the required header is missing. Maybe you could even show a warning if the location header is detected to warn that the account needs repair and a manual login is necessary.

Tried and same behaviour.
The 2nd and 3rd accounts will go OFFLINE after a while and ask for 2FA

2022-11-13 20:53:26.342 [INFO ] [ab.event.ThingStatusInfoChangedEvent] - Thing 'icloud:account:1949cd2a15' changed from ONLINE to OFFLINE (CONFIGURATION_ERROR): Please provide 2-FA code in thing configuration.

2022-11-13 20:53:33.959 [INFO ] [ab.event.ThingStatusInfoChangedEvent] - Thing 'icloud:account:1949cd2a15' changed from OFFLINE (CONFIGURATION_ERROR): Please provide 2-FA code in thing configuration. to ONLINE

The 2nd account still works, but the Apple device will receive a message about 2FA, which is pretty annoying, especially at midnight.

I have tested the new test-release of the binding, and it is working :slight_smile:

Thanks a lot!!

Working perfectly! Thanks for all the effort.

Maybe for people who are struggling with the installation, below are the steps I did to get it working.
Remove old binding from UI.
Put new binding in addons folder
Reboot openhab
Go in the UI to Things and add iCloud account.
Fill in email and password and click create thing.
Now you receive (on iPhone) a request to allow a new device.
Allow this and you will get the code.
Fill out the code in the iCloud account thing and save.
Now it should come online.


Works perfect, thanks!

Works perfectly for me too, thanks a lot. I have 4 iPads and 3 iPhones in place and use the binding to automatically start and stop charging.

I have trouble with my iPhone 7; not all data are updated, “Wo ist” still works but the battery level doesn’t work on the sitemap

Hello, How will I do? Can you explain in detail?

Hi,
as I said, I followed the instructions to set up the new iCloud binding. I could see all my iPhones and iPads as Things with all channels, including the channel “Batterieladung”. On all iPhones the value of Battery Level is present. While programming a sitemap, I can see the right value there as well for my iPhone 12 and 14 Plus, but for the iPhone 7 there is no value of Battery Level visible.
The next issue is that I use this value with a rule to switch on a power outlet to start the charging; that also works for the iPhone 12 and 14 but not for the iPhone 7. Interesting is that the charge status is present on all iPhones.

Hi,
sorry for confusing you all; I found the mistake. It was the item of iPhone 7 Batterieladung, there was an undefined channel, wherever it comes from. After deleting that, everything works

After some days (works really great) this night at 4:24 iCloud stops again, wants a new 2FA.

Independent of time, a channel that could be linked to an item, so the code could be sent e.g. via Telegram to confirm, would be much appreciated.

I’ve got a weird problem: one iCloud account works OK, but if I add another iCloud account the thing discovery re-finds all my iCloud account 1 devices? It doesn’t show the iCloud device (there is only one) on the 2nd iCloud account.

Any ideas?

I can only get the 1st account to work properly.
Adding a 2nd or 3rd will not behave the same and will keep asking for 2FA and keep sending 2FA messages to the related devices every few hours…

I have two accounts, and they work fine. But I do configurations via thing-file.

Maybe you could test if that solves it for you?

Putting the first code in, saving, letting openHAB read it and then changing the second bridge’s code was the way I did it

I am trying to write some rules to set new codes via Telegram. Would it be possible to write in the log for which bridge a new 2FA is needed, with a small change in the binding?