Refresh token has been revoked

[MitchTalmadge]

Hey there, great integration, thank you for your hard work.

I am receiving this error about once a week, and need to remove & re-add the integration to login again and generate a new refresh token:

An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

Full Trace

``` Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/config_entries.py", line 383, in async_setup result = await component.async_setup_entry(hass, self) File "/config/custom_components/kwikset/__init__.py", line 37, in async_setup_entry await client.renew_access_token() File "/usr/local/lib/python3.10/site-packages/aiokwikset/api.py", line 189, in renew_access_token refresh_response = await client.initiate_auth( File "/usr/local/lib/python3.10/site-packages/aiobotocore/client.py", line 225, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked ```

Mostly I'm just wondering if this has happened to anyone else lately, or if it's my bad somehow. I saw #56, but it was closed. #46 would certainly help, but it would be addressing the symptom and not the cause. I haven't been changing my password.

Thanks for any suggestions!

[mingaldrichgan]

It's happening to me too, FWIW.

On Mon, May 29, 2023, 1:19 AM Mitch Talmadge @.***> wrote:

Hey there, great integration, thank you for your hard work.

I am receiving this error about once a week, and need to remove & re-add the integration to login again and generate a new refresh token:

An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

Full Trace

Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/config_entries.py", line 383, in async_setup result = await component.async_setup_entry(hass, self) File "/config/custom_components/kwikset/init.py", line 37, in async_setup_entry await client.renew_access_token() File "/usr/local/lib/python3.10/site-packages/aiokwikset/api.py", line 189, in renew_access_token refresh_response = await client.initiate_auth( File "/usr/local/lib/python3.10/site-packages/aiobotocore/client.py", line 225, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

Mostly I'm just wondering if this has happened to anyone else lately, or if it's my bad somehow. I saw #56 https://github.com/explosivo22/kwikset-ha/issues/56, but it was closed.

46 https://github.com/explosivo22/kwikset-ha/issues/46 would certainly

help, but it would be addressing the symptom and not the cause. I haven't been changing my password.

Thanks for any suggestions!

— Reply to this email directly, view it on GitHub https://github.com/explosivo22/kwikset-ha/issues/59, or unsubscribe https://github.com/notifications/unsubscribe-auth/AANMBZ75NPSBZG2XGTQMRB3XIQ5WDANCNFSM6AAAAAAYSMMFMY . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[explosivo22]

From your log, I am beginning to think kwikset has changed something on their end that is doing a global sign out causing all refresh tokens to become invalid. I need to see if I can replicate this manually so I can understand better how to handle the error.

[MitchTalmadge]

Thank you! Some interesting observations:

• The Android app never seems to log out. I wonder how authentication is accomplished on the app.

• I just realized I have 2FA enabled. I saw you talking about this in #58. I wonder if 2FA is causing tokens to expire? I'll have to experiment.

Appreciate all you do.

[explosivo22]

I would say we can't rule anything out, but the main thing with 2FA is that the integration right now requires it as they didn't let you turn it off before.

I'm guessing the official app has some way to handle the revoking process. I am hoping I can replicate it manually and then find out how to handle it.

[mingaldrichgan]

I previously attempted to recreate this integration for Hubitat and kept running into this issue too. I don't have the bandwidth to investigate right now but I'll be following this issue closely!

[explosivo22]

Can someone who has gotten this error share what you are using the integration for? I have been unable to get this error and I wanted to try and replicate some of the use cases so hopefully I can too so I can better debug this.

[MitchTalmadge]

Can someone who has gotten this error share what you are using the integration for? I have been unable to get this error and I wanted to try and replicate some of the use cases so hopefully I can too so I can better debug this.

I use the integration to control Kwikset Halo Touch locks. Mostly just to see the status and lock/unlock them remotely if needed, though rarely. I have four of them.

Let me know if you need more info

[mingaldrichgan]

Can someone who has gotten this error share what you are using the integration for? I have been unable to get this error and I wanted to try and replicate some of the use cases so hopefully I can too so I can better debug this.

My use case is to automate locking of the Kwikset Halo (keypad with physical buttons). I trigger locking as soon as the door is closed (contact sensor).

[bh56]

I received the error again. But it has been a while. I also updated the core HASS update today just before. Wondering if this is related. Will try to track any HASS update and Kwikset errors if they are related. I have 3 Halo Locks. I have quite a few automations. (Battery low notifications at different thresholds, auto-close to my rules not 10 minute max that KS has, Tell me if lock is open for a longer period of time, alert if unavailable, open if my garage door is opened). Hope this helps, let me know if you need more details. I also have 2-step verification enabled.

Logger: homeassistant.config_entries Source: custom_components/kwikset/init.py:37 Integration: Kwikset Smart Locks (documentation) First occurred: 11:40:52 AM (1 occurrences) Last logged: 11:40:52 AM

Error setting up entry House-Name for kwikset Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/config_entries.py", line 387, in async_setup result = await component.async_setup_entry(hass, self) File "/config/custom_components/kwikset/init.py", line 37, in async_setup_entry await client.renew_access_token() File "/usr/local/lib/python3.10/site-packages/aiokwikset/api.py", line 189, in renew_access_token refresh_response = await client.initiate_auth( File "/usr/local/lib/python3.10/site-packages/aiobotocore/client.py", line 225, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

[mingaldrichgan]

Anecdotally, my Google Home integration with Kwikset also seems to require "reconnecting"/reauth every so often. Definitely seems like something's up with Kwikset.

[dlgraham3]

I'm getting this error starting today as well. I replaced the batteries in my lock yesterday, opened HA to make sure it loaded a new battery level and it did. Then today I started getting this error. I don't remember if I ran any updates last night.

[dlgraham3]

Can someone who has gotten this error share what you are using the integration for? I have been unable to get this error and I wanted to try and replicate some of the use cases so hopefully I can too so I can better debug this.

I use Node Red for most of my automations with the locks, but it won't even work with the dashboard because of the token.

[explosivo22]

Thanks for all the input everyone. I have been working on some possible code cleanup and improvements, but I have been trying to replicate the issue with some automations. I have been toggling a switch on the lock every 15 minutes to see if it is an issue with how often the integration contacts kwikset, but I have not been able to replicate this yet.

I will continue to go through the code and work on this. If anyone would like to try a manual install from the dev branch, I have added some code in an attempt to catch the exception of the token and provide a method to reauthenticate inside HA.

[MitchTalmadge]

Thank you @explosivo22 for all your efforts. Please don't feel stressed or pressured to find a fix! You have done so much already. We appreciate everything you do ❤️. The onus falls on everyone who uses this plugin to work together to find a fix, not just you.

If I get free time I'll also look into a fix, but it's hard to get time with my job and I imagine you probably have a similar experience, so don't fret it.

Just wanted to say thanks!

[dlgraham3]

I deleted and reinstalled the integration a few days ago and haven't had a problem since.

HALO-01 Firmware: 02.07.47.00 kwikset-ha v. 0.2.2

[bh56]

I haven't had any issues since 6/2/23. I've upgraded HASS a couple of times, so that must not be the issue. Do you have any instructions of how to use/update to the DEV branch. Does that require a new install and new settings/automations? Thanks for all of your work on this.

[drac0linux]

I updated Home Assistant to 2032.6.3 this morning and my Kwikset Halo lock immediately stopped working again. Started getting the same errors in my logs as the OP. I uninstalled and re-installed it once again. The password was copied and pasted after verifying it was correct to ensure it wasn't being mistyped. It took several attempts before it finally worked. I wonder if it's just Kwikset's service.

Home Assistant 2023.6.3 Supervisor 2023.06.2 Operating System 10.3 Frontend 20230608.0 - latest

[MitchTalmadge]

I've run into the problem a couple more times since posting this. It's still an issue, unfortunately. I'm still very curious how the phone app manages to stay signed in; I've never been logged out there. I wonder if it gets a longer session when using a certain User Agent in the request.

[bh56]

I've updated HASS a couple of times since my last occurrence on 6/2/22. Keeping my fingers crossed, but I've not had any expired tokens since. Home Assistant 2023.6.3 Supervisor 2023.06.2 Operating System 10.3 Frontend 20230608.0 - latest

[mingaldrichgan]

I've updated HASS a couple of times since my last occurrence on 6/2/22. Keeping my fingers crossed, but I've not had any expired tokens since.

Unfortunately I am still experiencing this. I tried turning on Debug Logging but do not see any more details in the Logs, beyond

Error setting up entry Home for kwikset
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/config_entries.py", line 390, in async_setup
    result = await component.async_setup_entry(hass, self)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/kwikset/__init__.py", line 37, in async_setup_entry
    await client.renew_access_token()
  File "/usr/local/lib/python3.11/site-packages/aiokwikset/api.py", line 189, in renew_access_token
    refresh_response = await client.initiate_auth(
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/aiobotocore/client.py", line 225, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

[bh56]

That's interesting. Still keeping my fingers crossed. Have done a couple more HASS updates and haven't had token error yet.

[bh56]

I guess I spoke too soon. I was able to go 41 days before I got the Refresh Token has been revoked issue again. There was a HASS core update waiting, but I hadn't applied it yet.

[dlgraham3]

I just noticed something interesting that may or may not be related to what they changed on you. I haven't searched KS's stuff to see if it is a separate issue. I got a new phone and loaded the KS app on it. The settings for the lock show there are no codes set. I tested a few of my family's codes and they all still work. I added a new code with the app, and it worked. The app only shows the one new code, but all of them still work.

Maybe I need to pair it via bluetooth to get the other codes, but it isn't a big deal until they stop working.

[mingaldrichgan]

I got a new phone and loaded the KS app on it. The settings for the lock show there are no codes set. I tested a few of my family's codes and they all still work.

This has happened to me before, and IIRC the "missing" code did not get restored after pairing with Bluetooth. However, I recently factory reset my (Android) phone and after logging into the Kwikset app (and yes, I did pair with Bluetooth immediately this time), my existing code(s) were displayed in the app as expected.

[bh56]

Just an FYI. This morning I got a new notification saying that I needed to Reconfigure the Kwikset integration. I clicked on it and authenticated. Didn't get the same prompts as I usually do when I delete and re-add the KS integration. But after I did a reload, I get the same message when the refresh token has been revoked. I'm on the below versions. I've updated the latest HACS update, so hopefully you have more details of what's going on. Home Assistant 2023.8.1 Supervisor 2023.08.1 Operating System 10.4 Frontend 20230802.0 - latest

I didn't have anything in the logs until I did the reconfigure, then I get the two below system log entries.

• Log Entry 1 Logger: custom_components.kwikset Source: custom_components/kwikset/init.py:40 Integration: Kwikset Smart Locks (documentation) First occurred: 12:42:27 PM (2 occurrences) Last logged: 12:42:36 PM

Your refresh token has been revoked and you must re-authenticate the integration

• Log Entry 2 Logger: homeassistant.config_entries Source: custom_components/kwikset/init.py:41 Integration: Kwikset Smart Locks (documentation) First occurred: 12:42:27 PM (2 occurrences) Last logged: 12:42:36 PM

Error setting up entry Adelwood for kwikset Traceback (most recent call last): File "/usr/local/lib/python3.11/site-packages/aiokwikset/api.py", line 191, in renew_access_token refresh_response = await client.initiate_auth( ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/aiobotocore/client.py", line 225, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/config/custom_components/kwikset/init.py", line 37, in async_setup_entry await client.renew_access_token() File "/usr/local/lib/python3.11/site-packages/aiokwikset/api.py", line 218, in renew_access_token raise NotAuthorized("Refresh Token has been revoked.") aiokwikset.errors.NotAuthorized: Refresh Token has been revoked.

The above exception was the direct cause of the following exception:

Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/config_entries.py", line 388, in async_setup result = await component.async_setup_entry(hass, self) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/config/custom_components/kwikset/init.py", line 41, in async_setup_entry raise NotAuthorized from err aiokwikset.errors.NotAuthorized

[drac0linux]

Had the exact same experience as above. My log file looks the same.

Tried to see if was security settings on my kwikset account and tried with mfa enabled and disabled. Same error either way. Currently have the addon removed. Hoping to see an update soon.

[bh56]

Only went 5 days before I got both the error setting up and Refresh token has been revoked error. There was a waiting zwave update, not sure it was related. I restored to a snapshot before I did the update, did a refresh and still got an error, so don't think it's related. Hope this helps

Had this update and applied it addon_core_zwave_js_0.1.86

Current Versions Home Assistant 2023.8.2 Supervisor 2023.08.1 Operating System 10.4 Frontend 20230802.0 - latest

1st Error Logger: homeassistant.config_entries Source: custom_components/kwikset/init.py:41 Integration: Kwikset Smart Locks (documentation) First occurred: 6:21:49 PM (1 occurrences) Last logged: 6:21:49 PM

Error setting up entry House-Kwikset for kwikset Traceback (most recent call last): File "/usr/local/lib/python3.11/site-packages/aiokwikset/api.py", line 191, in renew_access_token refresh_response = await client.initiate_auth( ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/aiobotocore/client.py", line 225, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has been revoked

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/config/custom_components/kwikset/init.py", line 37, in async_setup_entry await client.renew_access_token() File "/usr/local/lib/python3.11/site-packages/aiokwikset/api.py", line 218, in renew_access_token raise NotAuthorized("Refresh Token has been revoked.") aiokwikset.errors.NotAuthorized: Refresh Token has been revoked.

The above exception was the direct cause of the following exception:

Traceback (most recent call last): File "/usr/src/homeassistant/homeassistant/config_entries.py", line 388, in async_setup result = await component.async_setup_entry(hass, self) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/config/custom_components/kwikset/init.py", line 41, in async_setup_entry raise NotAuthorized from err aiokwikset.errors.NotAuthorized

2nd Error Logger: custom_components.kwikset Source: custom_components/kwikset/init.py:40 Integration: Kwikset Smart Locks (documentation) First occurred: 6:21:49 PM (1 occurrences) Last logged: 6:21:49 PM

Your refresh token has been revoked and you must re-authenticate the integration

[jessedhillon]

I am using the integration with a Halo Touch as well. The Android app does get logged out periodically, but to reauthorize the app only requires a fingerprint so they likely are using some kind of fido2 authentication method to do the second auth quickly. Unfortunately Kwikset is in control of how, and how often, they want to reauth tokens. If they don't want to be scraped, they can force you to login with an OTP received via SMS or email. There's only two ways forward I see here:

1. figure out how to fake fido2 (or whatever) reauth challenge they're using here
2. or use an SMS API (e.g. Twilio) to receive OTPs and handle the subsequent authentication automatically

I am going to fork your repo and see if it's feasible to do (2). The way I imagine this working is that I'll add an HA user in my Kwikset app, and assign that user a phone number obtained from Twilio. Then, on a token revocation error, I'll reauth using the original credentials, use the Twilio API to get the passcode, then update the access token.

As far as I can see, you would need to do something like this to maximize the availability of this integration, but it does seem convoluted.

[bh56]

Got the "Your refresh token has been revoked and you must re-authenticate the integration" error again this morning. Tried the "Reconfigure" steps, but didn't work. Do you want any additional log details on this to look at or any additional information? I'm on the following: Home Assistant 2023.8.4 Supervisor 2023.08.1 Operating System 10.5 Frontend 20230802.1 - latest

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[MitchTalmadge]

Not completed, we're all just busy :)

[MitchTalmadge]

Well my tokens haven't expired in quite a while now, feels like much longer than usual. Anyone else noticing the same? Maybe Kwikset fixed their servers?