➤ Solution-Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked #401

Open
gcobb321 opened this issue Nov 26, 2024 · 15 comments

@gcobb321
Owner

Apple broke iCloud3 Again

At the end of October, Apple changed the method of validating passwords to use the Secure Remote Password method where a hash token is calculated using the password on the iCloud3 and the Apple side. Icy sends this hash token to Apple instead of the password and if they are the same value, the password is valid and the login process. This broke iCloud3 and a lot of other programs. iCloud3 v3.1 fixed this and could log into the Apple account again.

Apple has reverted to the old method of verifying passwords and broke iCloud3 again so it could no longer log into the account. Messages like the following are in the Event Log:

USERNAME, Authentication Failed, Connection Error, Secure Password Validation Data was not returned from Apple. ErrorCode-503

Apple Acct > USERNAME, Login Successful
Apple Acct > USERNAME, All Devices Located
Apple Acct > USERNAME, 0 of 0 tracked

Revert iCloud3 Back to v3.0.5.9

Downgrading to v3.0.5.9 goes back to the old way of verifying the password and gets iCloud3 working again.

Do this:
1. Go to HACS.
2. Find iCloud3 or the iCloud3 Developer Edition if you are using that version
3. Choose redownload from menu
4. Choose the v3.0.5.9
5. Install like you normally do.
6. Restart HA

Then do this:
1. Reenable using the Family Sharing data source and Mobile App data source if you are using the Mobile App on the Configure > Data Sources-Apple Accts & MobApp screen

Then restart HA again
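
The Secure Remote Password idea described in the post above, as an added example that is not iCloud3's or Apple's code: a textbook SRP-6a exchange in which both sides derive the same proof value without the password ever being sent. The modulus, generator, hash layout and account name are demonstration assumptions, not Apple's parameters.

```python
import hashlib
import secrets

# Demonstration parameters (assumptions): 2**127 - 1 is prime but far too small
# for real use; production SRP uses a standardized large safe-prime group.
N, G = 2**127 - 1, 3
NLEN = (N.bit_length() + 7) // 8


def digest(*parts):
    """SHA-256 over the parts; ints are encoded big-endian at the width of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return h.digest()


def to_int(data):
    return int.from_bytes(data, "big")


K = to_int(digest(N, G))  # SRP-6a multiplier k = H(N, g)


def private_x(salt, user, password):
    """x = H(salt, H(user:password)); computed only where the password is known."""
    return to_int(digest(salt, digest(f"{user}:{password}".encode())))


def enroll(user, password):
    """What the server stores: a salt and verifier v = g^x mod N, not the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, user, password), N)


def login(user, password, salt, v):
    """One exchange; returns (proof the client sends, proof the server expects)."""
    a, b = (secrets.randbelow(N - 2) + 1 for _ in range(2))
    A = pow(G, a, N)                    # client -> server
    B = (K * v + pow(G, b, N)) % N      # server -> client, together with salt
    if A == 0 or B == 0:
        raise ValueError("illegal public value")
    u = to_int(digest(A, B))
    x = private_x(salt, user, password)
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return digest(A, B, s_client), digest(A, B, s_server)
```

With the enrolled password the two returned proofs are equal; with any other password they differ, which is the only thing the server learns.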

@gcobb321 gcobb321 changed the title Cc ➤ Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked Nov 26, 2024
@gcobb321 gcobb321 pinned this issue Nov 26, 2024
@gcobb321 gcobb321 changed the title ➤ Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked ➤ Fixed-Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked Nov 26, 2024
@gcobb321 gcobb321 changed the title ➤ Fixed-Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked ➤ Solution-Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked Nov 26, 2024
@codebar33

Hi @gcobb321, at least for photos, we haven’t observed any issues with the authentication using SRP.

@gcobb321
Owner Author

Hi @codebar33. That is interesting. I have had many users who kept getting 503 errors in response to the signin/init request in the srp password authentication function. Going back to the iCloud3 version before the change let them login again and get a valid refresh_client response.

And, naturally, I am away right now, on a cruise off the west coast of Africa without cell service unless we dock. I cannot be located by gps (surrounded by a lot of metal) and have starlink for WiFi service. I’m getting 503s both ways logging into my Home Assistant RPi in the USA.

What’s the link to your code base? Maybe I screwed something up in the code I released.

Also, I’m checking the following to see when a 6-digit verification code needs to be entered:

```python
def is_challenge_required(self):
    # Returns True if the challenge code is needed
    return self.data.get("hsaChallengeRequired", False)

def is_trusted_browser(self):
    # Returns True if the session is trusted
    return self.data.get("hsaTrustedBrowser", False)
```

When the challenge is needed or the browser is not trusted, I delete the session file and do a refresh_client request which causes Apple to display the 6-digit code. Do you have a better way of telling Apple to generate the code and display it on the trusted devices?

thanks

@townsmcp

Thanks for the update with this @gcobb321. I have had a problem for a couple of days and finally got round to doing something about it after seeing icloud3 no longer tracking any of the 8 devices. I went through troubleshooting (trying to request new verification 6 digit code) but got nowhere (code authentication would just not come through) so nuked everything. Then I stumbled on this ticket and followed the instructions to revert back to the suggested version - everything is now working fine.
Have a great cruise and thanks for all your efforts.

@MichaelSchaaf999

Thanks for the advice to return to 3.0.5.9: Everything is working now with this old release.

@codebar33

Hi @gcobb321, which Apple API endpoint returns the 503 error for your user?

To know if 2FA is required, we check for a 409 response during authentication with /signin/complete.

@gcobb321
Owner Author

@codebar33
Since iCloud3 is logged in all the time, I had to check when one is needed based on the return data field values I noted when it is getting a new location using the refreshClient call.

There are times when the verification code is old, they forgot it or it came up on a device they don’t have with them and want to get a new code. If so, I have an option on the code entry form to request a new one. If they do that, I delete the session file and do an account login. Apple then displays the code.

I was wondering if you had a url you can call to tell Apple to display a code instead of going through that process.

@codebar33

Thank you for your clarifications @gcobb321, that makes more sense. In our experience, Apple servers return a 503 (Service Temporarily Unavailable) during authentication after too many failed login attempts with incorrect credentials. This occurs at the /signin/complete API endpoint (or possibly /signin/init, I'm not certain).

We have an endpoint for sending 2SA codes (SMS) /sendVerificationCode, but not for 2FA (codes displayed on trusted devices). The trusted device code is automatically displayed on devices when requesting /signin/complete, which returns a 409 response code, when a code is displayed.

In pyicloud, there's a function in base.py (https://github.com/picklepete/pyicloud/blob/master/pyicloud/base.py#L457). However, we use the endpoint /verify/phone/securitycode to validate SMS codes instead, as the one used by pyicloud wasn't working so I reverse-engineered this from iCloud.com's current 2SA handling:

```python
def send_verification_code(self, device):
    """Requests that a verification code is sent to the given device."""
    data = json.dumps(device)
    request = self.session.post(
        "%s/sendVerificationCode" % self.SETUP_ENDPOINT,
        params=self.params,
        data=data,
    )
    return request.json().get("success", False)

def validate_verification_code(self, device, code):
    """Verifies a verification code received on a trusted device."""
    device.update({"verificationCode": code, "trustBrowser": True})
    data = json.dumps(device)

    try:
        self.session.post(
            "%s/validateVerificationCode" % self.SETUP_ENDPOINT,
            params=self.params,
            data=data,
        )
    except PyiCloudAPIResponseException as error:
        if error.code == -21669:
            # Wrong verification code
            return False
        raise

    self.trust_session()

    return not self.requires_2sa
```

I believe the only way to trigger displaying a 2FA code on devices is by attempting authentication with /signin/complete but possibly, there is another endpoint available...

@tomdh76

tomdh76 commented Dec 5, 2024

> Thanks for the advice to return to 3.0.5.9: Everything is working now with this old release.

Had the same issue with 503 errors, returning to 3.0.5.9 and everything works again. Thx @gcobb321 !

@Elaia91

Elaia91 commented Dec 6, 2024

Downgraded to 3.0.5.9 but still unable to login
Screenshot 2024-12-06 alle 11 52 19

@gcobb321
Owner Author

gcobb321 commented Dec 7, 2024

@Elaia91
Go to the _Configure > Data Sources-Apple Accts & MobApp_ screen and make sure the iCloud/Apple Acct is enabled as a data source. The Event Log screen image shows iCloud is not used as a data source.

@26tajeen

So it seems if you downgrade to 3.0.5.9 then the apple accts & mobapp options get ticked off?
Also it reports invalid password despite the fact the password works fine and the 2FA handshake with Apple works/completes successfully.
Screenshot 2024-12-12 at 08 22 51

@gcobb321
Owner Author

If it is working, that might be a leftover error message. Select Event Log > Actions > Restart iCloud3 and see if that clears the message. If you still see it but iCloud3 is getting data, ignore it. I hope to get v3.1.4 out in a few days.

@derekoharrow

I also have the same issue and have downgraded.

Out of curiosity, what's the best/recommended way to monitor iCloud3 and detect if there are issues such as this, so I can raise this as a problem in my HA setup?
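
One way to watch for the failure signatures quoted in this issue, as an added example that is not part of iCloud3: it scans Event Log text for `Authentication Failed ... ErrorCode-NNN` and for a successful login followed by `0 of 0 tracked`. It assumes the Event Log messages are available as plain text lines in the shapes quoted in the first post; the account names and sample lines are constructed.

```python
import re

# Message shapes copied from the Event Log lines quoted in this issue.
PREFIX = r"^(?:Apple Acct > )?(?P<acct>[^,]+), "
AUTH_FAILED = re.compile(PREFIX + r"Authentication Failed\b(?P<rest>.*)$")
ERROR_CODE = re.compile(r"ErrorCode-(\d+)")
LOGIN_OK = re.compile(PREFIX + r"Login Successful$")
TRACKED = re.compile(PREFIX + r"(?P<n>\d+) of (?P<m>\d+) tracked$")


def scan_event_log(lines):
    """Return a list of (account, finding, detail) tuples worth alerting on."""
    findings = []
    logged_in = set()
    for raw in lines:
        line = raw.strip()
        if m := AUTH_FAILED.match(line):
            code = ERROR_CODE.search(m["rest"])
            detail = code.group(1) if code else "unknown"
            findings.append((m["acct"], "auth_failed", detail))
            logged_in.discard(m["acct"])
        elif m := LOGIN_OK.match(line):
            logged_in.add(m["acct"])
        elif m := TRACKED.match(line):
            if int(m["n"]) == 0:
                # The misleading case from the issue: login reported as
                # successful, yet no devices are being tracked.
                kind = ("login_ok_but_no_devices"
                        if m["acct"] in logged_in else "no_devices")
                findings.append((m["acct"], kind, f'{m["n"]} of {m["m"]}'))
    return findings


# Constructed sample input; account names are placeholders.
SAMPLE = [
    "alice@example.com, Authentication Failed, Connection Error, "
    "Secure Password Validation Data was not returned from Apple. ErrorCode-503",
    "Apple Acct > bob@example.com, Login Successful",
    "Apple Acct > bob@example.com, All Devices Located",
    "Apple Acct > bob@example.com, 0 of 0 tracked",
    "Apple Acct > carol@example.com, Login Successful",
    "Apple Acct > carol@example.com, 3 of 3 tracked",
]

if __name__ == "__main__":
    for finding in scan_event_log(SAMPLE):
        print(finding)
```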

@gcobb321 gcobb321 unpinned this issue Dec 24, 2024
@ErikFontanel

Release 3.1.4.1 has fixed my authentication issues. Thanks @gcobb321 ! 🥇

@avd706

avd706 commented Dec 26, 2024 via email
