Open gheydon opened 2 months ago
@gheydon please create an app-specific password for your account and access icloud.com photos with it. If it works, then your suggestion will be considered. Last time I checked, a number of years back, app-specific passwords did not work for icloud.com photos.
Just discovered icloud_photos_downloader, and while testing it I was wondering the same thing, as I'm using hardware security keys as second FA, which seems to override the device code prompts: the device still gets a notification about the new login, but there is no code shown after the "OK | That was not Me" prompt.
As @AndreyNikiforov mentions, I'm unable to log in to icloud.com with an App-Specific Password, only with the primary Apple account pass and FIDO2 device. Apple is unclear if iCloud web is supported when using App-Specific Passwords and third-party apps.
The next best thing would be potentially adding FIDO2 support and using the main ID pass.
@mveplus I am in the same boat as you.
Does anyone know if it would be possible to implement this with something like WebAuthn while using icloudpd with the webui?
Does anyone know if this would be possible to implement this with something like WebAuthn while using icloudpd with the webui?
I have a very vague understanding of how the FIDO2 flow works with regard to client devices, so I cannot say if it is possible to pass through "FIDO AUTH" from the icloudpd webui to Apple. So far that passthrough capability seems to be the only way we can support FIDO in all use cases (e.g. think of a headless NAS with icloudpd docker).
Summary
Add support for Apple's App-Specific Passwords to allow safer access to the photos in the cloud. It also allows for better management of icloudpd accessing someone's iCloud. The access can be revoked, and you also do not have to deal with the 2FA or having to re-authenticate the application.
https://support.apple.com/en-gb/102654
Context
I use a hardware key to protect my Apple account, something that icloudpd doesn't support. However, by using App-Specific Passwords I can set a single login with all the access that is needed and that can be easily revoked.