-
-
Notifications
You must be signed in to change notification settings - Fork 28.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
iCloud integration continiously pops MFA approval on all Apple devices #101816
Comments
Hey there @Quentame, @nzapponi, mind taking a look at this issue as it has been labeled with an integration ( Code owner commandsCode owners of
(message by CodeOwnersMention) icloud documentation |
I have been experiencing the same issue the last couple of days |
Exactly the same for me. In the past I have managed to pop the reauth code flow, by disabling and enabling the integration. But after several attempts, I now had to delete and reinstall the integration. |
This has started for me too today. Nowhere to enter the code under the integration, and the integration does not seem to believe there is a problem. |
Update: this was driving me mad, so I deleted the integration. But I am still receiving the MFA requests?! |
Had this happen to me overnight. It woke me up on my watch 3-4 times and has continued to do so this morning. Quite worrying as it told me the sign in requests were coming from Bristol (I'm in Leeds). Tried to narrow down what it was. Disabled the integration, still got them. Deleted the integration, then recreated and got the same prompt on login from Bristol so I know it's HA at fault here. Have deleted the integration for now. Will keep an eye on this bug. |
@mattcharlton In the end I had to delete the integration and go into the terminal remove the storage folder. It just wasn't going to quit otherwise. I can (and will) live without this integration, but I do hope they fix it. Supporting app passwords (which according to other issues it does not) would put an end to this. |
@stuartford Yeah I've just had another prompt now. Trying a server restart but will have a look at the storage folder now, thank you :) |
iCloud Storage folder gone, hopefully that'll sort it till they fix it. I might have a look around the code in a bit. |
Looks like the 2fa/verification code stuff is hardcoded into the flow. Easiest fix might be to pull all that out and state that you have to use an app specific password with it. Don't have a local test/dev env set up for HA so not in the best position to have a look at this, hopefully the code owners will pick it up soon enough. |
Same for me. Deleted it for now, as even deactivated every 5 to 10 minutes MFA requests arrived on all devices. |
Exactly every 30 minutes I get the notification on my phone, tonight I had to turn off my phone to be able to sleep, I definitely deleted the application |
I also have this unfortunate issue, probably like everybody else on the planet who is using this. This is critical showstopper, please anyone who knows how, please submit a pull request or something... :-( |
same problem here |
Same here |
same, started 2 days ago |
Small Workarround from other forum, then is for the time being again silence....
|
Apple allows creating app specific passwords https://support.apple.com/102654 instead of using 2FA. I just removed and readded my account to the integration using such a password. (Honestly, that should be the default way instead of using your real AppleID password.) |
Ah this is awesome. I have just done the same thing. |
Perfect, that worked. After a reboot all devices were back again! Thank you! |
Coming into this only now but if I want to enter an app-specific password instead of going the 2FA route, does that mean I have to delete the integration and re-add it again? Thanks, |
@MrEbbinghaus That is great news! Last time I checked, they did not allow this. (But I must admit it was some time ago...) The documentation for the iCloud component should be updated to strongly recommend this, both from the security point of view, to getting rid of the 2FA annoyances. |
Also, for the record, here is a direct link for the page which allows you to create app-specific passwords: https://appleid.apple.com/account/manage/section/security |
That is exactly what it means. After deleting and re-adding, it is best to restart once, only then were all devices in again for me. |
@magicus Unfortunately it was followed by bad news a couple of hours later. The integration wasn't able to communicate with iCloud any more, and I got a "Your password was used to login" mail from Apple every minute until I disabled the integration again. |
The app password method doesn't work for me, it just returns "Invalid authentication". |
@MrEbbinghaus Oh, that is too bad. :-( |
app-specific password not working for me as well. |
Yesterday, the code authentication came to my devices every second. Otherwise, this integration works really well. |
Delete the iCloud folder under .storage in your config directory It only worked for one login for me. It can probably be fixed but there doesn’t seem to be any active maintainers. I tried the icloud3 integration from HACS, but I didn’t work with app password. The dev on that addin claims app-passwords only works from apps, something I find hard to understand. It’s a great idea , but I will turn iCloud integration off for now. As far as I can tell there’s no working integration |
How can I delete the iCloud integration? The integration is showing up as "Discovered" and the button underneath reads "Reconfigure". If I click on the 3 dots on the side, I don't get an option to delete as I do with working integrations - the only option that appears is for the Documentation. |
For me, it helped tobest up an application specific password in my Apple ID. |
But for how long has it been working? |
You are right. Problem re-appears in the meantime. |
App-specific password is not working for me. |
You are my hero |
@anthonymkz Or is there now experience of it working for longer? |
This Hacs integration may be a long-term solution. |
Yes, iCloud3 works, but it is more "messy" than the clean built-in iCloud component. Despite this messiness, I have been using it for a while, since at the end of the day, "working but ugly" is better than "smooth UX but broken". If someone were to spend a few cycles on it, I believe it would be not too hard to lift out the authentication mechanism from iCloud3 and move it into the bundled iCloud integration, which would solve this problem. I think I could be able to do it myself, but unfortunately I already have too many other projects going on to be ready to tackle this as well. :( |
Was using app-specific password and it seems to last 1-2 days then I get authentication errors
deleting the iCloud folder forces it to request password again. Went with the normal password and 2fa this time |
Fighting the same issue as others. Going to have to remove this integration unless a more reliable authentication means comes available. Having multiple iOS devices, it's been a nice to have, but it's wearing me out with the repeated pop-ups for it trying to sign back in. |
app password doesn't work - I deleted it all and setup again and got a break again. Something happened (maybe a missed MFA) that causes it to popup like every 15-20m |
I think we're at a point where all of us made same experience, that the integration isn't working properly. No need that everyone else states the same non working situation. Just click the thumbs up (👍) icon of the first post in this thread so you can leave your mark here. |
I usually don't bother posting "me too" -comments, but this issue is quite annoying. Also, I believe some GitHub -bots don't count reaction clicks as activity (also I don't know if this repository has any bots configured, so this might not be necessary). Specifically this becomes hyper annoying in a case where you are absolutely unable to access the HA's UI to input the code; your only options are I would even appreciate if this happened only every 6h or so ... or if it didn't happen at all during night hours (which can be a true pain - thankfully you can these days mute the device(s) and Apple might still manage to play your wake up alarm) I'll check out the code and see if I can make heads or tails out of it. However, since I haven't contributed on this project before, getting familiar with it might take a mighty long time :-/ |
@DiscoNova If you do intend to spend time on fixing this (would be highly appreciated!), I recommend to start by looking at what iCloud3 does. I have personally switched to iCloud3, since it works, but it is a bad fit with the Home Assistance experience; ugly and messy and too many fiddly details. My plan (if I ever had time to spend on it) would be to look at how iCloud3 does the authentication thing with Apple, and copy that into this integration. It is in python too, so parts of it can probably just be lifted out straight forward, and it's MIT license so I believe it is compatible with Home Assistant's Apache license. The main idea to get this to work are the following steps:
It is crucial that you can re-request a code if the original one was lost or timed out, and it would be ideal if it were possible to enter a 2FA code without needing to request one first. (Otherwise if there are delays until your code arrives and you want to enter it, the integration will start by invalidating that code by requesting a new). The UI interface of how this is done in iCloud3 could do with some improvement, though... :) |
A bit of "flow-of-though"-commenting regarding what I've figured out so far (the thing is - Python isn't generally my first language of choice, so I'm admittedly rather rusty on some specifics ... but it is just another language, so that thankfully is mostly just a speed bump instead of a barrier:) while familiarising myself with the components in question. First of all, it looks like both the official component as well as HACS/iCloud3 seem to offload most of the heavy lifting to the pyicloud-library†, which - not exactly unsurprisingly - shares a number of contributors with the official HA component. I can also see why the iCloud3-component is under HACS ... it - kinda tries to do maybe a bit too much - including things that are only remotely (if at all) related to iCloud-integration and should IMHO probably be completely separate packages. Nearly 5000 lines of config_flow - ouch. That having been said, I do like that many of the functions have rather detailed comments, though - it does make following the logic at least somewhat easier. In the iCloud3-component, the state-machine surrounding the reauthentication-step(s) seems to be more complex than in the official component. This in itself is not a bad thing, because it looks like this complexity at least appears to be the thing that addresses the various ways things could go wrong in a slightly more robust way than the official component ... that mostly seems to rely on either walking the happy path or "trying again next time" ... which - on a hunch - seems to be the source of trouble seen in real life. A few things I'm juggling in my head as necessary safeguards around the current reauthentication-logic:
...the initial authentication (or manual reauthentication) probably should not be subjected to such safeguards, because that just makes things a bit complicated for the end user. † EDIT: Sorry, forgot to expand on this ... the reason I mention the library is that some developers feel like the library should handle the rate limiting. I don't feel that way. It is a great thing if a library offers a way to handle it, but I don't see that as a necessity. |
I think iCloud3 uses a rather heavily modified version of pyicloud; at least that was my understanding last time I looked at it. It is possible that one way forward is to try and actually integrate the fixes done in iCloud3 to the upstream pyicloud project, so they can be used in the HA component. |
just want to mention, that I also have issues with icould integration. Either requireing identification now and then, and since yesterday it's not loading at all after last CORE update 2024.2.3 |
This seems like a sensible approach ... too bad that the author has decided to bundle the library "as is", which makes keeping tabs on what actually has changed, what is the relevance of those changes, etc. rather difficult "after the fact". Also, it doesn't really help that I only have about one day per week that I'm able to spend with hobby-projects so this will not be as fast a solution as I would've hoped :-/
Currently only way to make heads or tails of the code is going through it line by line and trying to manually correlate things between the official and the modified version. Also, it doesn't really help that the modified version is very much tied up to the rest of functionality of what the component is doing, so the benefit of it being a library is basically lost in its current form. Furthermore; keeping in a lot of variables that end up being unused, switching from double- to single-quotes for comments ... all this feels like rather unnecessary confuscation of the source code. Or ... it might be that the library iCloud3 actually uses as its base is a very old fork - as said, very difficult to say due to not actually having proper file history to go through. With all of that having been said; most of the significant differences do appear to be in the PyiCloudSession and PyiCloudService -classes ... which is kinda what I was expecting. Now I just need to figure out which of those changes actually make a major difference :) |
Has there been a fix for this yet? |
Also inquiring if an update is planned on this. I'm still needing to re-login (and force reload the integration a few times a week as well) in order to maintain connectivity / updates into HA. Greatly appreciate the work to date and in advance if anyone(s) able to update the authentication mechanism(s) to fix this issue! |
This happens every 60-90 days for me.
The MFA pop-ups & integration warnings go away. |
Hi,
Deleting one of them fixed this issue for me. |
I'm not entirely sure it's this integration, but things have become far worse since yesterday, with multiple devices constantly prompting for MFA. This continued overnight and seems now to ignore sleep focus. I've disabled the integration, but the prompts keep coming. I'm sure I've seen others note that disabling doesn't work. Is there some way to remove the integration entirely? |
|
The problem
Every 30 days or so, it seems like the authentication with iCloud expires. I am notified about this in Home Assistant, so I go to my integration and hits reconfigure, enter my password and get "reauth successfull". Now on all my phones, a prompt will appear every 20 minutes, asking if I want to allow a sign-on, and if yes it displays a mfa code.
The integrations seems to be fetching data from iCloud just fine... I cannot make these annoying pop-ups on my phones go away. Even if I disable the integration and reenable it after some days. I am only asked for password, not the mfa code.
What version of Home Assistant Core has the issue?
core-2023.10.1
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant OS
Integration causing the issue
icloud
Link to integration documentation on our website
https://www.home-assistant.io/integrations/icloud
Diagnostics information
No response
Example YAML snippet
No response
Anything in the logs that might be useful for us?
No response
Additional information
No response
The text was updated successfully, but these errors were encountered: