Authentication expiring after 30 min - 5 hrs (Nest and Google Accounts)

[Happyllama25]

Describe the bug When authenticating a Nest account with the access_token, it stops working after 30 minutes with Auth failed: access token specified in Homebridge configuration rejected I then did the Google account authentication (with issueToken and cookies) and it also expired after 5 hours.

I did not log out, I closed the browser tab, and the Nest home.nest.com/session shows expires_in: "Thu, 05-Oct-2023 07:36:22 GMT", but after 30 minutes it asks to login again.

To Reproduce Steps to reproduce the behavior:

1. Authenticate with either Nest or Google cookies
2. 30 minutes for Nest and 5 hours for Google cookies

[lensbos]

Can confirm, seeing same issue.

[51av0sh]

Same here. I just installed Homebridge two days ago and added the Nest integration. I first tried the Nest authentication (by error) and that token no longer worked after 20ish minutes. I then tried the Google authentication method and that token stopped working after a few hours. I can confirm my account uses Google authentication to log in. I went through the procedure 3 different times to get a new token but it stops working after a few hours each time

[51av0sh]

It would appear this is user error since it's only a few of us. Any tips for troubleshooting this?

[Happyllama25]

Agreed, I tried various methods including finding the API token from a header with no luck either... I'm not too sure what next, I also recall one of the iframe/oauth2 URL's was different, or I would get an invalid UTF character error for one but not another (?), but I was setting up late at night and I do not remember what process I did, I will try experimenting again soonish

[Happyllama25]

I also saw somewhere (Don't remember, maybe it was a fork of this repo?) saying that only google chrome browsers work, firefox or others don't give the right token??

[bartholomuej]

Same issue, re-entered the session several times, works for 30mins at most.

[51av0sh]

I also saw somewhere (Don't remember, maybe it was a fork of this repo?) saying that only google chrome browsers work, firefox or others don't give the right token??

I'm on Chrome so this might not be the issue (at least for me)

[Skates1616]

Same issue with Chrome and I even tried the HOOBS Nest Sidecar addon to get the information (it was the same as I was extracting).

[jradwan]

Yeah I'm not having any luck with the HOOBS Nest Sidecar extension either (Edge or Chrome). The values work for a little while in Homebridge but then just stop working.

[tablatronix]

Same, worked for a bit now wont auth already. Shoot thought i finally got it back in homekit.

[JoeMarsh]

Have the same issue both google and nest authentication methods time out after a couple of hours.

Auth failed: access token specified in Homebridge configuration rejected

[wrsjr04]

I have been having issues with this for a minute now. I'm going to end up trying homebridge-google-nest-sdm but the only thing that sucks with that is you have an initial fee from google.

[sunnyd24]

@adriancable @chrisjshull I hope one of you can help.

This issue has been persisting for approx. a month, but I don't know what has caused it. Google/Nest website authentication changes or something else? It blanks all nest responses, e.g. in homebridge it shows nest current temperature as 0 degC, etc.

Update: Going to https://home.nest.com/session shows: "expires_in": "Sat, 04-Nov-2023 10:13:14 GMT", Then refreshing a few minutes later shows: "expires_in": "Sat, 04-Nov-2023 10:16:40 GMT",

I was expecting that session expires_in is indefinate, i.e. so far in the future the session will never expire. Have I misunderstood this?

The times it has been repaired, i,e, logged out, logged back in again, and capturing details, it seems to work for approx. 50-60 mins, here is a log on the periods it works with:

General Info:

04 Oct 2023 - 12:46:27 - Fully logged out of Edge browser, logged back in, it displayed the nest home page, AND kept tab open in browser.
04 Oct 2023 - 13:41:24 - Stopped reported true current temperature and reverted back to 0 degC

From Homebridge Logs:

[10/4/2023, 12:46:27 PM] [Nest] initing thermostat "Thermostat Thermostat": deviceId: <REDACTED> structureId: <REDACTED>
[Thermostat Thermostat@@Heating Threshold Temperature] characteristic was supplied illegal value: number 0 exceeded minimum of 9
[10/4/2023, 12:46:27 PM] [Nest] initing home_away_sensor "Home Occupied": deviceId: <REDACTED> structureId: <REDACTED>
[10/4/2023, 12:56:11 PM] [Homebridge UI] Starting terminal session
[10/4/2023, 1:40:55 PM] [Homebridge UI] Terminal session ended.
[10/4/2023, 1:41:24 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}

[10/4/2023, 1:41:24 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
[10/4/2023, 1:46:22 PM] [Nest] Reauthenticating on Nest service ...
[10/4/2023, 1:46:22 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
[10/4/2023, 1:46:22 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}

[10/4/2023, 1:46:23 PM] [Nest] Auth failed: access token specified in Homebridge configuration rejected
[10/4/2023, 1:46:23 PM] [Nest] API observe: error not_connected
[10/4/2023, 1:46:23 PM] [Nest] ^^^^^ this message is for information only, it does not mean there is a problem, please do not 
file a ticket unless you actually have a problem with the function of the plug-in
[10/4/2023, 1:46:23 PM] [Nest] Retrying in 10 seconds.
[10/4/2023, 2:36:28 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
[10/4/2023, 2:36:28 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}
[10/4/2023, 2:36:28 PM] [Nest] Auth failed: access token specified in Homebridge configuration rejected

The above errors keep repeating forever.

[tablatronix]

I think there is something in google auth that auto de-auth and re-auths, maybe chrome profiles, maybe some other mechanism. I was looking through their oauth and security and gave up after a bit.

[sunnyd24]

I have used Edge so unlikely to be Chrome profiles as the issue........

On Thu, 5 Oct 2023, 5:35 pm Shawn A, @.***> wrote:

I think there is something in google auth that auto de-auth and re-auths, maybe chrome profiles, maybe some other mechanism. I was looking through their oauth and security and gave up after a bit.

— Reply to this email directly, view it on GitHub https://github.com/chrisjshull/homebridge-nest/issues/630#issuecomment-1749278127, or unsubscribe https://github.com/notifications/unsubscribe-auth/ALDYCAQ7JOLKYTAYVHGUP2LX53OVPAVCNFSM6AAAAAA4LK3PHCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBZGI3TQMJSG4 . You are receiving this because you commented.Message ID: @.***>

[Happyllama25]

I used firefox to get my auth data

[Happyllama25]

Possibly relevant: https://support.google.com/googlenest/answer/9293712

tl;dr: Google killed "Works With Nest" connections which likely is the cause of this

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[hamstead]

Possibly relevant: https://support.google.com/googlenest/answer/9293712

tl;dr: Google killed "Works With Nest" connections which likely is the cause of this

I don't think this is related since WWN was deprecated on 9/29 and the issue was reported here almost a month prior. I'm still seeing this issue on my end but I'm not sure what could be causing it.

[sunnyd24]

Still having issues too:

[12/12/2023, 12:11:09 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}
[12/12/2023, 12:11:09 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
[12/12/2023, 12:11:09 PM] [Nest] Unable to authenticate with Google/Nest.
[12/12/2023, 12:11:09 PM] [Nest] NOTE: Because we couldn't connect to the Nest service, your Nest devices in HomeKit will not be responsive.

[adrienthebo]

I'm experiencing the same auth timeout as well; running Firefox on MacOS. The integration works for 30+ minutes and then presents the same error as others.

[ethan021021]

Same issue on my end as well

[dthorndyke]

Encountering the same issue. I had used this plugin successfully around a year ago, but now (after moving and trying to get my homelab setup again) it’s no longer functional due to this issue.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[NathObeaN]

I managed to find a workaround to this issue. First, I should state that I am using the "Using a Google Account" --> Cookie method. I figured the fundamental issue was that this integration is working like a standard web session and timing out due to inactivity. The key is keeping the session alive. But, I suspect if you configure a basic time-based keep-alive, Google's session algorithm would realise it's not user interactivity and kill the session. So, I thought about randomising the 'keep-alive'.

My workaround was to set up several HomeKit automations using various sensors. When those sensors detect motion, they trigger the Nest Occupancy sensor to "On". This effectively sends an API push using your session information to set your Home/Away status to "Home". Even if you are already "Home", the update is sent and keeps things 'alive'.

I've used this setup for a week so far and it's been flawless.

Limitations:

1. It assumes you have sensors to trigger the automation.
2. If you have pets, it might trigger the Home status when you are in fact away. I made sure the only sensors that can trigger the update are not those that would be triggered by pets.
3. If you are away for an extended period of time/holiday, the session might ultimately time out. So, you might want to combine this with another form of keep-alive or simply reconnect if the session does drop.
4. In order for this to work, you have to disable Nest's built-in Home/Away assistance. I didn't have a problem with this, because I found it to be useless anyway (turning to Away when I was Home, even with location tracking enabled). But, I again used HomeKit automations to set to "Away" when I am not at home, which again, works flawlessly.

Hope this helps!

For the developers of this module, I wonder if it's possible to build in some kind of randomised keep-alive which would negate the need for this workaround...

[tablatronix]

Nice I figured it was something like this. I wonder if there is a session option to disable this via a cookie or static auth token

[adriancable]

@NathObeaN - this is almost certainly a placebo. Cookie expiry times can vary massively from one day/week to the next.

The plug-in is constantly talking to the Nest service using the cookies, every few seconds. Adding additional 'talk' over the same API endpoints by e.g. changing a setting will not make things any better.

[NathObeaN]

@adriancable you may well be right. I will continue to test over time and report back. All I can say is that I tested for about a week without any workaround in place and I was consistently timing out after 30~ mins with no activity, and if I kept the session "chatty" then it would stay open for the day, but then time out over night. This happened consistently for a week. Ever since the workaround, the session has stayed up, over 2 weeks now. It could be coincidence, but we'll see. I will report back if anything changes.

[jradwan]

I have been having issues with this for a minute now. I'm going to end up trying homebridge-google-nest-sdm but the only thing that sucks with that is you have an initial fee from google.

I just switched to the SDM-based plugin. Paid Google the $5 and went through the complicated setup instructions, but seem to have it working. Of course, I'll have to wait a few days to confirm it still works when the token expires and it needs to refresh it. Also, it won't take a snapshot "on demand" so it just shows the Nest/Google logos in the thumbnails until you actually start the stream (or an event has recently occurred).

[NathObeaN]

I have been having issues with this for a minute now. I'm going to end up trying homebridge-google-nest-sdm but the only thing that sucks with that is you have an initial fee from google.

I just switched to the SDM-based plugin. Paid Google the $5 and went through the complicated setup instructions, but seem to have it working. Of course, I'll have to wait a few days to confirm it still works when the token expires and it needs to refresh it. Also, it won't take a snapshot "on demand" so it just shows the Nest/Google logos in the thumbnails until you actually start the stream (or an event has recently occurred).

I tried the SDM variant also and it works fine, but it’s more limited - no Nest Protect support and no hot water support to name the most important to me.

For what it’s worth, my ‘workaround’ still appears to be fine, three weeks and counting.

[adriancable]

@NathObeaN - I am 99.999% sure your 'workaround' is doing nothing. (3 weeks, or even 3 months, is not unexpected for cookie lifetime, and the intervals seems to change 'randomly' for individual people.)

The main reason is that the homebridge-nest plug-in is already doing exactly what you are doing manually, i.e. continually sending commands to the Nest service. And, the plug-in is actually doing it far more frequently than your manual 'workaround' is doing it. So it is not plausible that the 'workaround' is making any difference.

"Wait", you say, "I am specifically regularly switching the structure mode, which the plug-in is not doing". You are right, but this cannot be relevant to authentication. Authentication systems (including Google's cookie system) never 'introspect' the data within packets. They just check the authentication is valid before forwarding the packet data onto the respective service (the Nest service in this case). This is a critical part of the design because, to be secure, authentication systems are always fully isolated from processing layers below them, to minimize attack surface. So the authentication system (which handles cookie expiry) absolutely 100% does not 'know' you are changing structure mode. All it sees are that you are sending requests from xxx IP, and that those requests are intended to be processed by the Nest CDN infrastructure, and then decides to allow them, or not.

Your 'workaround' is basically the same as you saying "I was getting very short oil change intervals on my truck, but since I changed the radio station, I'm now able to go much longer between oil changes". First this may well be completely true, in that since changing the radio station, you're finding the truck is going longer between oil changes. But there is no plausible causal connection between the two, it's just a coincidence that you did X and then you noticed Y happened. The in-car entertainment system is completely isolated from the engine. This is essential by design because you don't want a blip in the radio to stall the engine. And as a consequence, nothing you do on the radio can impact the oil lifetime of the engine. Instead oil life depends on a whole range of factors that can vary enormously without your knowledge or visibility.

Cookies are just the same.

[NathObeaN]

@NathObeaN - I am 99.999% sure your 'workaround' is doing nothing. (3 weeks, or even 3 months, is not unexpected for cookie lifetime, and the intervals seems to change 'randomly' for individual people.)

The main reason is that the homebridge-nest plug-in is already doing exactly what you are doing manually, i.e. continually sending commands to the Nest service. And, the plug-in is actually doing it far more frequently than your manual 'workaround' is doing it. So it is not plausible that the 'workaround' is making any difference.

"Wait", you say, "I am specifically regularly switching the structure mode, which the plug-in is not doing". You are right, but this cannot be relevant to authentication. Authentication systems (including Google's cookie system) never 'introspect' the data within packets. They just check the authentication is valid before forwarding the packet data onto the respective service (the Nest service in this case). This is a critical part of the design because, to be secure, authentication systems are always fully isolated from processing layers below them, to minimize attack surface. So the authentication system (which handles cookie expiry) absolutely 100% does not 'know' you are changing structure mode. All it sees are that you are sending requests from xxx IP, and that those requests are intended to be processed by the Nest CDN infrastructure, and then decides to allow them, or not.

Your 'workaround' is basically the same as you saying "I was getting very short oil change intervals on my truck, but since I changed the radio station, I'm now able to go much longer between oil changes". First this may well be completely true, in that since changing the radio station, you're finding the truck is going longer between oil changes. But there is no plausible causal connection between the two, it's just a coincidence that you did X and then you noticed Y happened. The in-car entertainment system is completely isolated from the engine. This is essential by design because you don't want a blip in the radio to stall the engine. And as a consequence, nothing you do on the radio can impact the oil lifetime of the engine. Instead oil life depends on a whole range of factors that can vary enormously without your knowledge or visibility.

Cookies are just the same.

Thanks @adriancable, appreciate the explainer and it makes sense (I am far from an expert on this, just experimenting).

I guess I could verify, out of interest, if I disable my workaround and it suddenly kills the session, then it raises an interesting question re the correlation.

Out of interest, any ideas what a real solution could be? (If there is one that’s doable outside of changing Google’s systems).

[adriancable]

By (Google's) design, there isn't any way to guarantee persistent authentication that can be done from a NodeJS client and a browser. The only way to guarantee persistent authentication is to generate a refresh token. This used to be possible via the browser using what is called the OOB flow (which this plug-in used to use), but Google disabled this flow a while back, so now the only way to get a refresh token is via an iOS/Android app, akin to how the Nest and Google Home apps do it.

You could in principle write an iOS app in Xcode to do this, and then distribute the source so people with an Apple Developer Account could build it themselves and run it on an iOS device. This isn't something I'm going to do, because the number of people who would benefit from it (i.e. have the set-up/willingness/knowledge required to build and deploy iOS apps from source) is a tiny tiny percentage of total Homebridge users, so it doesn't put a meaningful dent in the issue.

[jradwan]

I tried the SDM variant also and it works fine, but it’s more limited - no Nest Protect support and no hot water support to name the most important to me.

I dumped my Protects and thermostat a while ago, so all I have left is outdoor cameras (and even those I am considering replacing) so the SDM-based plug-in is working for me. My only complaint is the lack of "snapshot on demand" in the API (addressed in the plug-in FAQ) so when I open the Home app, the cameras just show the Next logo until I start the stream.

[marcelgood]

Just ran into this issue. I wasn't even aware that the refresh token authentication is no longer supported. Mine's been working flawlessly, but I was having issues yesterday and while troubleshooting I switched to the cookie authentication. Turned out my issues were caused by my ISP, so I didn't even need to do the switch.

This morning I woke up to the plugin being logged out and found this issue. Decided to restore the Homebridge backup from the night before, which still had my refresh token in there and it worked. So I'm back online with refresh token. I guess as long as the token stays valid, this keeps working. Just can't setup a new token anymore. Hope there's gonna be a better way to authenticate moving forward. The cookie method seems to be brittle.

[ethan021021]

Just ran into this issue. I wasn't even aware that the refresh token authentication is no longer supported. Mine's been working flawlessly, but I was having issues yesterday and while troubleshooting I switched to the cookie authentication. Turned out my issues were caused by my ISP, so I didn't even need to do the switch.

This morning I woke up to the plugin being logged out and found this issue. Decided to restore the Homebridge backup from the night before, which still had my refresh token in there and it worked. So I'm back online with refresh token. I guess as long as the token stays valid, this keeps working. Just can't setup a new token anymore. Hope there's gonna be a better way to authenticate moving forward. The cookie method seems to be brittle.

So the refresh token method still works? Do you have instructions on how to retrieve the refresh token

[adriancable]

You can still use previously-obtained refresh tokens, potentially forever (unless you change your Google Account password, which invalidates all login-related credentials including refresh tokens). You just can't create new ones.

[marcelgood]

@ethan021021 as said, I just went back to my previously obtained refresh token, which was still valid. This is probably the next plugin that will go the way of the dodo after the myQ plugin went dead due to changes on the Chamberlain side no longer making it viable. Probably time soon to replace my Nest thermostat with one that supports Matter and/or native HomeKit and continue eliminating Homebridge.

[NathObeaN]

As much as I would love to share otherwise, looks like @adriancable you were right. I have disabled my 'workaround' method and Nest is still going strong for a week. So, it seems pure coincidence that when I implemented my 'workaround', the cookie simultaneously remained active for other a month, despite the numerous tests beforehand where it only lasted 30 or so mins. Go figure!

I guess I will just have to keep updating the cookie when it expires until Google hopefully adds Thread support, but I am not holding my breath.

[adriancable]

@NathObeaN - some Nest products already use Thread to talk to each other. This isn't helpful to getting them into Apple Home. Thread is an alternative to Wi-Fi, it isn't related to the smart home ecosystem in use (HomeKit, Alexa, Google Home etc.) which is a much much higher level thing.

[NathObeaN]

@adriancable I understand that, I meant as a synonym to Matter. I am aware of course that Matter works over Wi-Fi also, but Google seem to be going in the direction of updating their devices to support Thread and Matter in turn (which works natively work HomeKit). One can hope...

[adriancable]

@NathObeaN - Matter wasn't designed as a retrofit protocol, and adding Matter to existing products is technically and commercially difficult. Rather, it's intended as a platform to design and build new products around. So, it's very unlikely Google will be updating prior smart home accessories to support Matter. The only Google/Nest product that can act as a Matter accessory is the 2020 model Nest Thermostat, which was designed from the start with Matter support in mind (then called Project CHIP), and even then the functionality you get via Matter is very limited (e.g. no fan control, no way to change presets, etc.). Don't hold your breath!

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[scopefield]

Anybody have any updates with this? Having the same issue and can't use the SDM method since as far as I know, the Nest Yale lock is not supported.

[brookjablonski]

I was also having this issue and I disabled IPv6 on my network and for now this seems to have fixed my issue. I found this suggestion here

Update this did not fix my issue it's still happening.

[scopefield]

IPv6 is already disabled on my router so no difference here unfortunately.

[brookjablonski]

New thing to try. Under the cookies method I was leaving api key blank because I didn't have one. Upon researching I found the api key and put it in and so far so good. It's been 24 hours and no issues. This is the key: AIzaSyAdkSIMNc51XGNEAYWasX9UOWkS5P6sZE4

[ethan021021]

New thing to try. Under the cookies method I was leaving api key blank because I didn't have one. Upon researching I found the api key and put it in and so far so good. It's been 24 hours and no issues. This is the key: AIzaSyAdkSIMNc51XGNEAYWasX9UOWkS5P6sZE4

Where are you inputting the API key? The docs don't mention an API key for the cookie method.

[brookjablonski]

New thing to try. Under the cookies method I was leaving api key blank because I didn't have one. Upon researching I found the api key and put it in and so far so good. It's been 24 hours and no issues. This is the key: AIzaSyAdkSIMNc51XGNEAYWasX9UOWkS5P6sZE4

Where are you inputting the API key? The docs don't mention an API key for the cookie method.

In the plug in config there is a section for api key under the Google account cookies method. I found the api key in reference in this reddit link. I hope this helps if not I can share my config.json

[brookjablonski]

If that doesn't work for you someone recommended this utility nest-googleAuth.