Core: iCloud authentication issue since 0.94.x

Created on 11 Jun 2019  ·  45 Comments  ·  Source: home-assistant/core

Home Assistant release with the issue:

Last working Home Assistant release (if known):
Hassio 0.93.2

Operating environment (Hass.io/Docker/Windows/etc.):

Component/platform:

Description of problem:

Since 0.94.x I'm getting this error in the log continuously:
Since the upgrade to 94.x I get this error multiple times in the log:

Error logging into iCloud Service: (‘Invalid email/password combination.’, PyiCloudAPIResponseError(‘Failed to validate the credentials from cookie’))

However the username/password and the device tracker config have not changed. I tried deleting the icloud folder and restarting HA multiple times.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

device_tracker.yaml

- platform: icloud
  username: [email protected]
  password: my@password%here
  account_name: iCloud-Michel

All 45 comments

Just wanted to add that I am having the exact same issue; so it isn't a singularity.

Same issue here

I have the same issue

Confirmed here as well. 0.94.1

Same here. Also complains that it failed to validate the credentials from the cookie.

+1

However, I just rolled back to 0.93.2 and I see the same errors in the log; I think it's just a coincidence with the release of the newer version.

I have rolled back to 0.93.2, 0.93.0 & 0.92.0 and am experiencing the same issue with icloud3. I have deleted the config/icloud file which contains the cookies (I believe) and they are not recreated when requesting authorization. The code that does the authorization and maintains the cookies is in pyicloud.py.

In 0.94.0, the DeviceScanner code was moved from homeassistant.components.device_tracker to homeassistant.components.device_tracker.legacy.

My complete error message in the log file for device_tracker.icloud (not icloud3) is:

2019-06-11 14:53:57 INFO (SyncWorker_9) [pyicloud.base] Authenticating as [email protected]
2019-06-11 14:53:57 ERROR (SyncWorker_9) [pyicloud.base.http] Failed to validate the credentials from cookie
2019-06-11 14:53:57 ERROR (SyncWorker_9) [homeassistant.components.icloud.device_tracker] Error logging into iCloud Service: ('Invalid email/password combination.', PyiCloudAPIResponseError('Failed to validate the credentials from cookie'))
2019-06-11 14:53:57 ERROR (SyncWorker_9) [homeassistant.components.icloud.device_tracker] No ICLOUDTRACKERS added
2019-06-11 14:53:57 ERROR (MainThread) [homeassistant.components.device_tracker] Error setting up platform legacy
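
Added example, not part of the original thread and not code from pyicloud or Home Assistant: a small triage script for log lines in the format quoted above. It separates the outer "Invalid email/password combination." text from the wrapped exception, so a cookie/session validation failure is not misread as a wrong password; the cause labels and the sample e-mail address are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log lines quoted in this thread.
SAMPLE_LOG = """\
2019-06-11 14:53:57 INFO (SyncWorker_9) [pyicloud.base] Authenticating as user@example.invalid
2019-06-11 14:53:57 ERROR (SyncWorker_9) [pyicloud.base.http] Failed to validate the credentials from cookie
2019-06-11 14:53:57 ERROR (SyncWorker_9) [homeassistant.components.icloud.device_tracker] Error logging into iCloud Service: ('Invalid email/password combination.', PyiCloudAPIResponseError('Failed to validate the credentials from cookie'))
2019-06-11 14:53:57 ERROR (SyncWorker_9) [homeassistant.components.icloud.device_tracker] No ICLOUDTRACKERS added
"""

# Log line layout: timestamp, level, (thread), [logger], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"\((?P<thread>[^)]+)\) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# Outer message plus the wrapped exception; accepts straight or curly quotes.
LOGIN_RE = re.compile(
    r"Error logging into iCloud Service: \(['‘](?P<outer>[^'’]*)['’], "
    r"(?P<exc>\w+)\(['‘](?P<inner>[^'’]*)['’]\)\)"
)

def classify(inner):
    """Hypothetical triage labels; the mapping is this example's assumption."""
    if "cookie" in inner.lower():
        return "session-validation"  # stored session rejected; password not proven wrong
    return "other-auth-failure"

def triage(log_text):
    """Return (events, Counter of causes) for iCloud login failures in the log."""
    events, causes = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue
        login = LOGIN_RE.search(m["msg"])
        if not login:
            continue
        cause = classify(login["inner"])
        causes[cause] += 1
        events.append({"ts": m["ts"], "outer": login["outer"],
                       "exception": login["exc"], "cause": cause})
    return events, causes

if __name__ == "__main__":
    events, causes = triage(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["cause"], "| reported as:", e["outer"])
    print(dict(causes))
```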

I don't have home-assistant running. But I'm using PyIcloud. That is causing the problem. And I guess due to a change on Apple side #noconfirmation

Same issue here

Confirming the issue is also present with 0.93.2.

2019-06-12 10:30:35 INFO (SyncWorker_1) [pyicloud.base] Authenticating as [email protected]
2019-06-12 10:30:35 ERROR (SyncWorker_1) [pyicloud.base.http] Failed to validate the credentials from cookie
2019-06-12 10:30:35 ERROR (SyncWorker_1) [homeassistant.components.icloud.device_tracker] Error logging into iCloud Service: ('Invalid email/password combination.', PyiCloudAPIResponseError('Failed to validate the credentials from cookie'))

+1

FYI - looks like somebody has solved this by grafting on another Python module and replacing pyicloud's auth procedure: https://github.com/PeterHedley94/pyicloud/commit/6bf11c87c784fa9b0f94318ea845e441b0937cf5

I've tested the modifications made above (there is a difference in variable names which I solved with my own fork: https://github.com/joelmoses/pyicloud).

It works, partially. It initiates an authentication process which is picked up properly by HA, and it stores the cookies; however, it pops constant re-authentication 2FA prompts whenever it goes on a device discovery; it appears that the hack doesn't try to reuse prior tokens.

But the important part is that Apple didn't completely shut down 2FA integration, and the underlying discovery still works, albeit prompting constantly. :)

Hi all,

I am using the build by @viable-harman
https://github.com/viable-hartman/InflatableDonkey/tree/TwoFAHacky for iOS 9 iCloud backup, but I am getting the error below. Could you please help me out with why this is coming?

" Exception in thread "main" org.apache.http.client.HttpResponseException: Misdirected Request: {"success":false,"error":"Failed to validate the credentials from cookie"}"

HTTP/1.1 421 Misdirected Request [Server: AppleHttpServer/70a91026, Date: Wed, 12 Jun 2019 02:26:45 GMT,

I'm having the same issue

the same issue! :/

Same here, same logs.

But shortly after the 0.94.x update the service was working! So it's maybe an Apple / API related problem?

Add me to the list. Also having the same issue.

In case more validation is needed, I’m seeing the exact same thing.

Like. However, this solution still works and I'm in the process of switching over to it:

https://community.home-assistant.io/t/get-ha-to-ask-your-iphone-where-it-is-and-put-info-in-mqtt-owntrack-device-tracker/15507

I followed the above recommendation from CWGSM3V0 except I used the second setup. The first didn't work for me. Then I used the mqtt_json device tracker. I set up a script and it works just like the icloud setup did, except it doesn't get associated devices. You have to request each device per account separately. If you need help on this let me know.

I found an iCloud interface called findi that is a Python port of a PHP script that someone said was still working. I just forked it and finally got it to import into my iCloud3 custom component. I ran into a library issue where it is using both urllib and urllib2 for some error handling. Urllib2 is a Python 2 library that was superseded by urllib (according to Google). I’ll spend more time with it tomorrow but welcome any assistance/comments since I’m not sure what I am doing and just flapping around hoping something will work.

confirmed.. Brand new build and still seeing this issue...

I am having the exact same issue. Tried removing the icloud component and adding it back, only this time it did not ask me for the 2 factor authentication code to be entered.

Same here

Please only post if you have new information to provide. Don't post messages like "+1", "Same here", etc. If you want to show that you're affected the proper way to do that is to react to the top post with :+1: . Then click the subscribe button in the top right bar to be notified of updates.

@joelmoses I’ve forked pyicloud after reviewing some other code (findi.py and others). All of the code I've looked at is old and most do not address 2FA at all. Have you made any more progress trying to figure out what needs to be done to get pyicloud working again that I can have? I’ve read your comments and approach and want to see if we can all get it working again. My email address is [email protected] if you prefer direct contact.

@gcobb321 Just wanted to chime in and say I've now been made aware of the iCloud breakage, sorry to hear about that. You _may_ want to do as little work to get it working again as possible because I would expect that Apple will make some major changes to the APIs around the time that iOS 13 launches if all the rumors of Apple making their own Tile competitor come true. Furthermore, the new "Find My" stuff isn't even working reliably yet in the latest iOS 13 beta, and they've noted as such in the release notes, so I'd also expect some short term API breakage. You may want to wait to do any work really until that warning is gone from the iOS 13 beta release notes.

As always, let me know if I can provide any more assistance.

@robbiet480 It really did mess everything up. Kinda shut down a year's worth of work.

One thought comes to mind and that is to not have to access the iCloud account at all. If there was a way that a special type of notification message could be sent to the phones/devices that would then trigger a background fetch transaction... it’s like querying the device for location/status information. The HA components could then pick up the device data. It could be coded in such a way that I, or any component would send it, and you would send the info to HA and then throw the transaction away. It could probably be done using the existing framework without making major changes anywhere.

Your thoughts?

The problem is that those kinds of background fetch notifications are not reliable. They can fail for any number of reasons, almost all of them outside of my control. We do already have the request_location_update notification for this purpose though.

Any news about a fix for this problem?

iCloud3 now supports device tracking using Find My Friends, where you set up a non-2FA iCloud account and tie the devices you want to track (2FA accounts) to it as contacts (first name & email address) in the non-2FA account. It’s in the final beta stage and would have been released but I’m out of town until mid-August.

Go here for iCloud3 info.
Go here for iCloud3 v1.1.0 beta 7.

What about non iCloud3 for a built in iCloud integration ? Sorry guys, but some people just want something easy to use, configure and install :sweat_smile:

But sure @gcobb321, this is a good idea, sounds like the Google Maps component actually.

Actually, that would be perfect to use an app-specific password to use iCloud instead of 2FA (how to: https://support.apple.com/en-us/HT204397), so it can be revoked at any time in the Apple ID account page (https://appleid.apple.com/#!&page=signin).

I've seen your work @joelmoses, do you think it's possible to make something like that?

@Quentame No, it's not possible to do it using the ASP. The bulk of the "Find" infrastructure isn't compatible with App-Specific Password. I've tried. It'll work for things like contact lists, reminders, mail, and calendars, but not for the service the iCloud helper depends on. I suppose that's for security's sake - after all, you can wipe a device with the service in question.

I think in the interim, what @gcobb321 has put together is probably the best solution. I think it _is_ possible to add the HSV+2FA functionality directly to the original iCloud helper but I'm hesitant to do it right now. Here's the reason:

Apple is about to release iOS v13.0, and, with it, there are major changes coming for the "Find" infrastructure. The "Find My Friends" stuff and the "Find My iPhone" stuff are merging together, and alongside that there will likely be big changes within the API - and possibly in the structure of the signon. I think it's best to wait to see how the changes are going to pan out first.

This has suddenly started working again for me on 0.97.1. Not sure when it started working as I've had it commented out for a while.

I've noticed yesterday that it was working too, I was very surprised!

But for how long ? iOS 13 isn't released yet (planned around end september)

Actually working from Friday 16th of August at 8:30AM (Europe/Paris time), I'm on HA 0.96.4

So, should we close the issue or wait until iOS 13 release ? That is the question :smiley:

Hmm. Browsing the source suggests that nothing has really changed in the 0.97.1 release that would have affected the service positively or negatively. Is it continuing to work for you? That is, it hasn't suddenly started prompting for reauthentication?

Yes it did prompt for re-authentication and is still working for the moment. It took 2 attempts to authenticate.

Location services works for me, and I don't see

Error logging into iCloud Service: (‘Invalid email/password combination.’, PyiCloudAPIResponseError(‘Failed to validate the credentials from cookie’))

in the log. Some 0.97'ish version seems to have fixed it

I also can confirm it is working again for me too in 0.97.2, not sure it was the HA update that fixed it, could also be Apple changed something?

It must be a change on the Apple side. There was nothing changed in the component code that would have fixed this, nor in the linked project "pyicloud".

Confirmed that it appears to be working again.

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.
Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍
This issue now has been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.
