➤ Solution-Cannot log into Apple Acct, 503 Error, 0 of 0 Devices Tracked

[gcobb321]

Apple broke iCloud3 Again

At the end of October, Apple changed the method of validating passwords to use the Secure Remote Password method where a hash token is calculated using the password on the iCloud3 and the Apple side. Icy sends this hash token to Apple instead of the password and if they are the same value, the password is valid and the login process. This broke iCloud3 and a lot of other programs. iCloud3 v3.1 fixed this and could log into the Apple account again.

Apple has reverted to the old method of verifying passwords and broke iCloud3 again so it could no longer log into the account. Messages like the following are in the Event Log:

USERNAME, Authentication Failed, Connection Error, Secure Password Validation Data was not returned from Apple. ErrorCode-503

Apple Acct > USERNAME, Login Successful
Apple Acct > USERNAME, All Devices Located
Apple Acct > USERNAME, 0 of 0 tracked

Revert iCloud3 Back to v3.0.5.9

Downgrading to v3.0.5.9 goes back to the old way of verifying the password and getters iCloud3 working again.

Do this:
1. Go to HACS.
2. Find iCloud3 or the iCloud3 Developer Edition if you are using that version
3. Choose redownload from menu
4. Choose the v3.0.5.9
5. Install like you normally do.
6. Restart HA

Then do this:
1. Reenable using the Family Sharing data source and Mobile App data source if you are using the Mobile App on the Configure > Data Sources-Apple Accts & MobApp screen

Then restart HA again

[codebar33]

Hi @gcobb321, at least for photos, we haven’t observed any issues with the authentication using SRP.

[gcobb321]

Hi @codebar33. That is interesting. I have had many users who kept getting 503 errors in response to the signin/init request in the srp password authentication function. Going back to the iCloud3 version before the change let them login again and get a valid refresh_client response.

And, naturally, I am away right now, on a cruise off the west coast of Africa without cell service unless we dock. I cannot be located by gps (surrounded by a lot of metal) and have starlink for WiFi service. I’m getting 503s both ways logging into my Home Assistant RPi in the USA.

What’s the link to your code base. Maybe I screwed something up in the code I released.

Also, I’m checking the following to see when a 6-digit verification code needs to be entered:
‘‘‘

def is_challenge_required(self):
    # Returns True if the challenge code is needed
    return self.data.get("hsaChallengeRequired", False)

def is_trusted_browser(self):
    # Returns True if the session is trusted
    return self.data.get("hsaTrustedBrowser", False)

‘‘’
When the challenge os needed or the browser is not trusted, I delete the session file and do a refresh_client request which causes Apple to display the 6-digit code. Do you have a better way of telling Apple to generate the code and display it on the trusted devices?

thanks

[townsmcp]

Thanks for the update with this @gcobb321. I have had a problem for a couple of days and finally got round to doing something about it after seeing icloud3 no longer tracking any of the 8 devices. I went through troubleshooting (trying to request new verification 6 digit code) but got nowhere (code authentication would just not come through) so nuked everything. Then I stumbled on this ticket and followed the instructions to revert back to the suggested version - everything is now working fine.
Have a great cruise and thanks for all your efforts.

[MichaelSchaaf999]

Thanks for the advice to return to 3.0.5.9: Everything is working now with this old release.

[codebar33]

Hi @codebar33. That is interesting. I have had many users who kept getting 503 errors in response to the signin/init request in the srp password authentication function. Going back to the iCloud3 version before the change let them login again and get a valid refresh_client response.

And, naturally, I am away right now, on a cruise off the west coast of Africa without cell service unless we dock. I cannot be located by gps (surrounded by a lot of metal) and have starlink for WiFi service. I’m getting 503s both ways logging into my Home Assistant RPi in the USA.

What’s the link to your code base. Maybe I screwed something up in the code I released.

Also, I’m checking the following to see when a 6-digit verification code needs to be entered: ‘‘‘

def is_challenge_required(self):
    # Returns True if the challenge code is needed
    return self.data.get("hsaChallengeRequired", False)

def is_trusted_browser(self):
    # Returns True if the session is trusted
    return self.data.get("hsaTrustedBrowser", False)

‘‘’ When the challenge os needed or the browser is not trusted, I delete the session file and do a refresh_client request which causes Apple to display the 6-digit code. Do you have a better way of telling Apple to generate the code and display it on the trusted devices?

thanks

Hi @gcobb321, which Apple API endpoint returns the 503 error for your user?

To know if 2FA is required, we check for a 409 response during authentication with /signin/complete.

[gcobb321]

@codebar33
Since iCloud3 is logged in all the time, i had to check when one is needed based on the return data field values I noted when it is getting a new location using the refreshClient call.

There are times when the verification code is old, they forgot it or it came up on a device they don’t have with them and want to get a new code. If so, I have an option on the code entry form to request a new one. If they do that, I delete the session file and do an account login. Apple then displays the code.

I was wondering if you had a url you can call to tell Apple to display a code instead of going through that process.

[codebar33]

Thank you for your clarifications @gcobb321, that makes more sense. In our experience, Apple servers return a 503 (Service Temporarily Unavailable) during authentication after too many failed login attempts with incorrect credentials. This occurs at the /signin/complete API endpoint (or possibly /signin/init, I'm not certain).

We have an endpoint for sending 2SA codes (SMS) /sendVerificationCode, but not for 2FA (codes displayed on trusted devices). The trusted device code is automatically displayed on devices when requesting /signin/complete, which returns a 409 response code, when a code is displayed.

In pyicloud, there's a function in base.py (https://github.com/picklepete/pyicloud/blob/master/pyicloud/base.py#L457). However, we use the endpoint /verify/phone/securitycode to validate SMS codes instead, as the one used by piycloud wasn't working so I reverse-engineered this from iCloud.com's current 2SA handling:

 def send_verification_code(self, device):
        """Requests that a verification code is sent to the given device."""
        data = json.dumps(device)
        request = self.session.post(
            "%s/sendVerificationCode" % self.SETUP_ENDPOINT,
            params=self.params,
            data=data,
        )
        return request.json().get("success", False)

    def validate_verification_code(self, device, code):
        """Verifies a verification code received on a trusted device."""
        device.update({"verificationCode": code, "trustBrowser": True})
        data = json.dumps(device)

        try:
            self.session.post(
                "%s/validateVerificationCode" % self.SETUP_ENDPOINT,
                params=self.params,
                data=data,
            )
        except PyiCloudAPIResponseException as error:
            if error.code == -21669:
                # Wrong verification code
                return False
            raise

        self.trust_session()

        return not self.requires_2sa

I believe the only way to trigger displaying a 2FA code on devices is by attempting authentication with /signin/complete but possibly, there is another endpoint available...

[tomdh76]

Thanks for the advice to return to 3.0.5.9: Everything is working now with this old release.

Had the same issue with 503 errors, returning to 3.0.5.9 and everything works again. Thx @gcobb321 !

[Elaia91]

Downgraded to 3.0.5.9 but still unable to login

[gcobb321]

@Elaia91
Go to the _Configure > Data Sources-Apple Accts & MobApp _ screen and make sure the iCloud/Spple Acct is enabled as a data source. The Event Log screen image shows iCloud is not used as a data source.

[26tajeen]

So it seems if you downgrade to 3.0.5.9 then the apple acct.
Also it reports invalid password despite the fact the password works fine and the 2FA handshake with Apple works/completes successfully.

s & mobapp options get ticked off?

[gcobb321]

It it is working, that might be a left over error message. Select Event Log > Actions > Restart iCloud3 and see if that clears the message. If you still see it but iCloud3 is getting data, ignore it. I hope to get v3.1.4 out in a few days.

[derekoharrow]

I also have the same issue and have downgraded.

Out of curiosity, what's the best/recommended way to monitor iCloud3 and detect if there are issues such as this, so I can raise this as a problem in my HA setup?

[ErikFontanel]

Release 3.1.4.1 has fixed my authentication issues. Thanks @gcobb321 ! 🥇

[avd706]

Yes. Totally painless.  Sent from AOL on Android On Thu, Dec 26, 2024 at 8:06 AM, Erik ***@***.***> wrote: Release 3.1.4.1 has fixed my authentication issues. Thanks @gcobb321 ! 🥇 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>