core: iCloud integration gives invalid auth w/ app-specific pw

The problem

I’m attempting to set up the iCloud integration w/ an app-specific password, per the instructions here.

Upon hitting submit, I get a short spinner and then “Invalid authentication” — and I cannot proceed beyond this error to finish setting up the icloud integration. I’ve also tried the suggested troubleshooting step of removing the .storage/icloud directory, to no avail. (which is created upon attempting to set up the integration, but removing it has no effect on the issue)

I have confirmed that I’ve entered the app-specific password correctly, and attempted several different passwords I’ve generated on appleid.apple.com.

What version of Home Assistant Core has the issue?

core-2021.7.4

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

icloud

Link to integration documentation on our website

https://www.home-assistant.io/integrations/icloud/#app-specific-passwords

Example YAML snippet

No response

Anything in the logs that might be useful for us?

2021-08-03 23:05:32 ERROR (SyncWorker_40) [pyicloud.base] Missing apple_id field
2021-08-03 23:05:32 ERROR (MainThread) [homeassistant.components.icloud.config_flow] Error logging into iCloud service: ('Invalid authentication token.', PyiCloudAPIResponseException('Missing apple_id field'))

Additional information

No response

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 18
  • Comments: 66 (16 by maintainers)

Most upvoted comments

@balloob @frenck Sorry for the ping, but I don’t know how to get visibility for this otherwise. The icloud integration is basically abandoned and broken. It needs either to have an active developer assigned as owner, or it should be removed from the core distribution.

It is listed as owned by @Quentame and @nzapponi, but neither of them has responded to any of the open bugs. @nzapponi said in https://github.com/home-assistant/core/issues/101816#issuecomment-1817365713 that he only contributed a few changes 3 years ago, and is not maintaining the component.

There are about a dozen open bugs on the icloud integration, all of them basically boiling down to the fact that authentication with Apple does not work properly anymore. The failure modes are a bit different, but typically you can install the integration and it works for a while, but then the login with Apple expires, and the problems begin.

I’m currently in the process of replacing the standard icloud integration with icloud3. It is not really a smooth ride. Apparently icloud3 is much more capable, but that also means turning a lot more knobs to get it to work. Get me right, I love the kind of add-ons that give you the full power to tweak anything, but for a default option in HA, there needs to be a simple-to-use solution that solves most cases with good defaults.

I think icloud3 would need some work to get there, possibly splitting it in two, one simplified version to put in HA core, and one separate with full power. If the icloud3 developer(s) support this, I think it would be great, but it might not be painless for icloud3.

In fact, for me, the standard icloud solution was kind of perfect, except for the slightly annoying fact that it stopped working.

So an alternative is to just see what icloud3 does differently in terms of authentication, and copy that over to the standard icloud integration. Possibly it’s just a more up-to-date fork of pyicloud (pyicloud_ic3.py).

I did more digging with the underlying pyicloud library (see comment in my issue there) - seems like pyicloud is emulating to be a web browser and not using any official API. Apparently, Apple changed the login flow or rejects app-specific passwords completely now - in any case the library no longer receives the necessary login tokens to work. My conclusion is that we need a rewrite of pyicloud for app-specific passwords or another library for the icloud plugin in Home Assistant… 😦

I solved the problem by installing it with my Apple ID and password. After 2FA number it is installed. Then removed the apple id integration and added it again with the One time password and it worked for me.

Hi bot, this is in no way resolved. The lack of activity is due to the lack of anyone responsible for fixing it. 😕

I started looking at the current code, to check for differences to what iCloud3 does, and if it would be possible to just replace the standard pyicloud implementation with the fork from iCloud 3. I still think this is a viable way forward, keeping most of the current functionality of the standard iCloud integration, but borrowing bits and pieces from iCloud 3 to get it to work.

Unfortunately, it would require more time than I can spend at this at the moment. 😦 Is there anyone else around here who has some python and/or HA knowledge and would be willing to work on this? I can probably put down a few hours but that in itself is not likely to be enough. But maybe it could be a start that someone can continue working on…?

Hi,

Thanks for the response. I checked it on the latest version and it seems that this issue is not resolved by the team yet. So kindly do not close it and take it on high priority, because no one would like to use their actual password in configuration. So we should have the option to log in with an app-specific password.

Here is a link to the feature request in v3: https://github.com/gcobb321/icloud3_v3/issues/78. Doesn't appear that either the development branch or the integrated feature in core will support app-specific passwords anytime soon. Everything runs on an older Python implementation (https://pypi.org/project/pyicloud/) which essentially recreates the web calls rather than using any modern API which Apple now supports. The lack of app-specific passwords is also an issue in this Python code as well (https://github.com/picklepete/pyicloud/issues/349). This is truly a double whammy of crud from a security perspective:

  • One doesn't want to use / encode / hard code / whatever their master icloud password in some config file on an automation server. App passwords are meant to overcome this, where you have a different password for a specific application and can easily revoke or change, without affecting your other logins.
  • One doesn't want email spam from the python cloud re-auth occurring a few times daily as tokens age out, which are then ignored, and may result in a true compromise or attack being missed.

In summary, doesn't look good.

@ADXGlock and @grave176 Has it stayed working since then? Or did the password expire after a month, and you had to redo everything again?

I solved the problem by installing it with my Apple ID and password. After 2FA number it is installed. Then removed the apple id integration and added it again with the One time password and it worked for me.

This workaround worked for me as well. I deleted the cloud addon folder, signed in w/ normal password and then removed the integration and re-added it with app specific password.

There hasn’t been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

I just report those mails as spam since I can’t unsubscribe from them. After a little while gmail learns to trash them 😃

Please set up a filter instead! This could cause false-positives for other people and may mean someone misses an indicator of an account breach.

Any mail that you cannot unsubscribe from is spam in my book. Perhaps this way Apple will fix their broken system at some point

Version 2 has performed pretty well for me for more than 2 years with only a few mails (~1-2 a week max.). Definitely worth investing some time in my opinion.

According to the author the app-specific password is on the list of things he wants to look into for version 3 which is currently in beta.

Yes this works so well!

I believe yes, this should be possible. Reading the docs often helps, it’s very well maintained: https://gcobb321.github.io/icloud3/#/chapters/3.4-services

I would recommend folks with 2FA try https://gcobb321.github.io/icloud3/#/

It takes a bit more RTFM to set up. But just works better than this integration.

Seems to be an issue for me as well; as long as I log in with the regular password, I get the linkage going just fine, but no dice with the app specific passwords.

I’m not really a developer by any reasonable yardstick, but I have a black belt in googling odd stuff out, and it seems that the issue is that Apple is not allowing the app-specific passwords to be used in browser sessions…

…and this plugin is doing exactly that, logging in as a browser session. I’m not a detective either, just a regular Columbo, only with better hair - but I’d say that the email alert in my inbox saying “Your Apple ID was used to sign in to iCloud via a web browser” is a 🤏 wee bit of a smoking gun in that direction.

So: someone who knows how to code, maybe has coded / maintains this extension or something, ought to migrate to using Apple’s API login methods instead of trying to work through the browser login path.

I disagree. While it has a few issues it largely works for me and is quite convenient to have. And much more reliable than the home assistant ios app since that one requires being opened at a regular interval.

Bump!