Can't login - 'Error': 'BadAuthentication'

[hugostegeman]

hi,

I cant login with my google account. is the google username the same as your google account .......@gmail.com?

[leikoilja]

@stboch, can you please try something out for me?

1. Login into ssh of your HA instance. Here are some instructions how to ssh to your device if you are using Home Assistant Operating System.
2. Get into the docker container docker exec -it homeassistant /bin/bash
3. Get into python shell by running python
4. Import glocaltokens
5. Create client using the test credentials i have just created (see the snippet below)
6. Get master token

   >>> from glocaltokens.client import GLocalAuthenticationTokens
   >>> client = GLocalAuthenticationTokens(username='leikoilja.homeassistant@gmail.com', password=''(Edit:removed it), verbose=True, android_id='9DE38201B51C4C')
   >>> client.get_master_token()

   See if you will get a master_token.

7. Make sure your have google_home logs set to debug on your HA
8. Try using the same test credentials in HA when adding Google Home as an integration. Check logs, it should print you the master_token when the config is created.

Please let me know how it goes and if it would still fail for you. I have tested all those steps on my setup and it all has worked as expected.

[stboch]

Ok tested what you asked above, Got the master token when using the local SSH method (same thing I was doing before) there it worked, and in the UI failed.

Got my dev system rebuilt, only Terminal/SSH and HACS, installed google_home and restarted, after the boot logged in and it worked... gonna try and work backwards install some of the same custom_intergrations I have on my production instance and see if I can tell what might be conflicting or breaking...

[stboch]

Also my production instance has been an upgraded instance for a long while... at least 1 1/2 yr since last rebuild so who knows what cobwebs are hiding...

[leikoilja]

Thanks, @stboch for trying it out. As you say the issue is most likely caused by some other conflicting custom integration or specific HA configuration/settings. Please keep us posted with your findings, those can be helpful for many :)

[stboch]

@cs42 Are you also using YouTube Music Player component with your environment?

[stboch]

I found it! @cs42 @nckslater do either of you use LG SmartThinq custom Component? it looks like it lowers the SSL ciphers level

requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += "HIGH:!DH:!aNULL"

I added this to the file to test...

import ssl
import requests
from urllib3.poolmanager import PoolManager
from requests.adapters import HTTPAdapter
from urllib.parse import urljoin, urlencode, urlparse, parse_qs

requests.packages.urllib3.disable_warnings()
# requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += "HIGH:!DH:!aNULL"

Toggle the line to test, anyone know what the supported ciphers are supposed to be? can add a fix by changing them before the client call I think. going to test.

[KapJI]

Default is 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS'

I think !DH part means "disable Diffie-Hellman based ciphers". Maybe Google endpoint expects it? In this list it's DH+AESGCM and DH+AES.

!aNULL is "disable cipher suits offering no authentication".

And HIGH is "high encryption cipher suites". With key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

[notherealmarco]

I tried installing it in a clean dev environment and it worked (no device was created, but the dev environment is in another subnet, so I guess this is expected). I then tried to reinstall the glocaltokens library in the Docker container on the Raspberry (Pi 4) running Home Assistant OS, with: docker exec -it homeassistant pip3 install glocaltokens==0.2.7

Then I've got this error:

[KapJI]

@notherealmarco it's not related to this issue. Your Docker container doesn't have build-essential package which is required to build grpc. Please open a separate issue for this.

[stboch]

Anyone who is having this issue and wasn't running the LG custom components. can you grep for "DEFAULT_CIPHERS" in your custom_components directory to see if there are any third party components causing the issue. If it find nothing and your able to get to your docker HA Container try this... grep -R "DEFAULT_CIPHERS" /usr/local/lib/python3.8/site-packages

[cs42]

I found it! @cs42 @nckslater do either of you use LG SmartThinq custom Component? it looks like it lowers the SSL ciphers level

Yes, I'm using the LG custom component.

[KapJI]

@leikoilja do we have this patch in gpsoauth? Looks related. https://github.com/simon-weber/gpsoauth/pull/25

[stboch]

@cs42 custom_components/smartthinq_sensors/wideq/core_v2.py delete lines 115-125, not sure why they are changing the supported ciphers as it doesn't seem to cause any problems with LG... I will send a Issue and PR for them.

[nckslater]

Yes, I'm using the LG custom component.

[cs42]

@cs42 custom_components/smartthinq_sensors/wideq/core_v2.py delete lines 115-125, not sure why they are changing the supported ciphers as it doesn't seem to cause any problems with LG... I will send a Issue and PR for them.

With this change it finally works! I could even use my email as username, as I would expect for a google account.

[KapJI]

Actually I think we should rather make gpsoauth more bulletproof. It probably should set ciphers explicitly without relying on DEFAULT_CIPHERS.

[KapJI]

Thank you @stboch for finding what causes this! Appreciate that a lot 🎉

[leikoilja]

@stboch, awesome job for finding where the issue was buried 💥 🔥

@KapJI, we seem to have the gpsoauth patch enabled that you are referring to. It came out in gpsoauth==0.4.3, which is what we are using.

Let's keep the issue open for tracking purpose for the time being and once the [LG custom component]`(https://github.com/ollo69/ha-smartthinq-sensors/issues/139) stboch's issue is resolved we can close it

[nckslater]

I have removed smartthinq_sensors completely from my custom_components but still no joy.

Same error: Source: custom_components/google_home/config_flow.py:97 and Logger: glocaltokens.client Source: /usr/local/lib/python3.8/site-packages/glocaltokens/client.py:201 First occurred: 15:17:23 (2 occurrences) Last logged: 15:17:50

[!] Could not get master token.

Maybe I have the wrong code in the google_home custom components.

[stboch]

@nckslater you did the hacs uninstall of smartthinq_sensors and restarted and still not working? what other custom components do you have installed?

[Edo78]

In my case this issue vanished after updating the HA docker image to the last one and updating one of my custom components sonoff. I've done both things and restarted HA then I was able to login without this issue.

[nckslater]

@stboch I have a number of custom components:

sonoff securitas_direct withings qvr_pro vesync surepetcare google_fit strava

[Edo78]

@nckslater wich version of sonoff do you have?

[nckslater]

@Edo78 v2.4.1 AlexxIT / SonoffLAN

[Edo78]

@Edo78 v2.4.1 AlexxIT / SonoffLAN

same here so it can't be and I don't have any other components of your list

[leikoilja]

@nckslater, i know it will be painful to do, but as we have just seen - chances are that some (or just one sucker) of those custom components are causing conflict(s). I would recommend you to try removing them one by one and see if that issue would go away. smartthinq_sensors was one of them, but there might be more 😅 You could go different ways about it: one is to do a full backup of your current setup and experiment on that, another, if you have a chance to setup a test environment to replicate your current setup and play there. Either way, please keep us posted if you'll be able to find anything - will be useful for others having the same issue

[nckslater]

@leikoilja I'll give it a go. I've got a lot of custom components so probably best to create a test environment. I'll add google_home first then build it up. Busy with work at the mo so won't get round to it for a while but I'll post back my findings 👍 Thanks for your help

[joggs]

Interesting thread! I am also getting 2021-03-31 13:41:22 ERROR (SyncWorker_26) [glocaltokens.client] [!] Could not get master token. 2021-03-31 13:41:22 ERROR (MainThread) [custom_components.google_home]

I'm aso using the LG custom component following...

[leikoilja]

@stboch, awesome job for finding the issue with LG-smartthinq integration, it seems that there is an update that fixes the issue with a chipset, can you please try updating LG-smartthinq to the latest version to see if it fixes the BadAuthentication problem? :)

[joggs]

Yay! After submitting login and app password, the configuration window gets crazy and starts to resize itself about 10 times per second and it goes on for 30 seconds. After that, the integration is added successfully :-)

[leikoilja]

@joggs, it's a funny behaviour but i m pretty sure not caused from ha-google-home integration :D If you feel so, please make a separate ticket with more details. Happy it works for you now 💥

[leikoilja]

@joggs, sorry, i'll remove your messages since they are not related to BadAuthentication error. Please open a new issue and follow it's template by providing all necessary logs so we'd see what problem you are encountering :)

[brianhanifin]

I also have an LG Smartthinq Custom Component installed. I was successfull with authenticating the Google Home integration today, after the recent LG Smartthinq update. (Was there a conflicting verison of a requirement?)

Anyway, I'm looking forward to exploring it today. :)

[myklebosten]

I also have an LG Smartthinq Custom Component installed. I was successfull with authenticating the Google Home integration today, after the recent LG Smartthinq update. (Was there a conflicting verison of a requirement?)

Anyway, I'm looking forward to exploring it today. :)

Same behaviour here. Tested seting up the Google Home integration unsuccessfully just before updating smartthinq. After updating and a reboot, the setup of Google Home completed without a hitch :)

[stboch]

@leikoilja I think maybe add to the readme under troubleshooting login problems ensure if your using the LG smartthinq custom component that the version is 0.6.7 or newer.

[leikoilja]

@stboch, we have just added a remark to the troubleshooting section to refer to this issue if someone still gets BadAuthentication problem. As we saw from @nckslater, LG smartthinq is not the only custom integration that can cause that behavior, I think we are better off generalizing in the troubleshooting section and just refer people here. So far it was been working well for many :)

[KapJI]

Ok, I'm closing this. Actions we've taken to remediate this:

• Added troubleshooting section in README.
• Pointed out to LG ThinQ integration author that they shouldn't alter urllib3's DEFAULT_CIPHERS. They have fixed this already in the new version.
• Updated gpsoauth to use fixed list of ciphers to prevent similar issues in the future.

Please update to 1.3.0 where this should be solved.

[agarbato]

I just installed the integration but I have the same issue. "Username/Password is incorrect. If your google account has 2FA enabled please generate app password"

Integration version 1.9.10 Home Assistant Core 2022.5.5

Multifactor enabled with app password.

This is what I get on logs with debug enabled:

2022-05-19 21:41:03 DEBUG (MainThread) [glocaltokens.client] Initializing new GLocalAuthenticationTokens instance.
2022-05-19 21:41:03 DEBUG (MainThread) [glocaltokens.client] Set GLocalAuthenticationTokens client access_token, homegraph, access_token_date and homegraph_date to None
2022-05-19 21:41:03 DEBUG (MainThread) [glocaltokens.client] Set GLocalAuthenticationTokens client username to "a***********************", password to "r***************", master_token to "" and android_id to 
2022-05-19 21:41:03 DEBUG (SyncWorker_22) [glocaltokens.client] There is no stored master_token, logging in using username and password
2022-05-19 21:41:03 DEBUG (SyncWorker_22) [glocaltokens.client] There is no stored android_id, generating a new one
2022-05-19 21:41:03 DEBUG (SyncWorker_22) [glocaltokens.client] Generating android id...
2022-05-19 21:41:03 DEBUG (SyncWorker_22) [glocaltokens.client] Generated android id: eb89dc38eabe277b
2022-05-19 21:41:03 ERROR (SyncWorker_22) [glocaltokens.client] [!] Could not get master token.
2022-05-19 21:41:03 DEBUG (SyncWorker_22) [glocaltokens.client] Request response: {'Error': 'NeedsBrowser', 'Url': 'https://accounts.google.com/signin/continue?sarp=1&scc=1&continue=https://accounts.google.com/o/android/auth?hl%3Den_us%26xoauth_display_name%3DAndroid%2BLogin%2BService%26source%3DAndroid%2BLogin&plt=AKgnsbsDJKWaUmGA7j9ZQgmP21WBsuifozeb2bYmmZzbwe7DG54J4FJL5qFRuxh-rLsByr-YBgeMTMSgj15nDZQITNbpAJbjQSZBp2yUgG7EC8eS2IBjvg3Cyv4RdTjWdsRl1XAyvsuv', 'ErrorDetail': 'To access your account, you must sign in on the web. Touch Next to start browser sign-in.'}
2022-05-19 21:41:03 ERROR (MainThread) [custom_components.google_home] 

To access your account you must sign in on the web but I don't see any Next on the integration to login. Tried to access the link by browser, I can pass the multifactor auth but then nothing happens and I still have the same error. Tried to reinstall it but no lock. I don't have LgThinQ integration installed.

[ArnyminerZ]

@agarbato this issue has been detected, and it is being addressed at leikoilja/glocaltokens#245.

[adam91holt]

It looks like the glocaltokens package has been fixed now.

We just need to update that package to 0.6.4.

@ArnyminerZ / @leikoilja are you able to assist in releasing a new version?

Thanks!

[leikoilja]

yep, i was in the middle of doing so, @adam91holt, but some things got on the way :) Will do it tomorrow morning and then update you here as well :)

[adam91holt]

Beautiful! Thanks for your hard work @leikoilja 🚀🚀🚀

[leikoilja]

Fixed in ha-google-home v1.9.11 🚀 https://github.com/leikoilja/ha-google-home/releases/tag/v1.9.11

Please update to the latest version and verify it works :)

[Neolanco]

Don't know if I'm missing something, but I still get the error 'needsbrowser' afer updating

[ArnyminerZ]

@Neolanco have you rebooted HA?

[Neolanco]

Yes, I've also reinstalled the integration Don't know if this matters, but I'm using ha os on a pi 4

[agarbato]

Same here. Updated, restarted HA, restarted VM but still get the same exact error.

If you need me to do some tests or provide info about my env I'm happy to help.

Home Assistant Core 2022.5.5 Home Assistant Supervisor 2022.05.3 Home Assistant OS 8.1 Kernel version 5.15.41

[nathanmarlor]

Same here - have tested gpsoauth 1.0.1/1.0.2 using this and still can't generate a master token using app password.

[agarbato]

with v1.9.12 it's fixed for me! Thanks a lot for your effort :-)

[RaddedMC]

Just updated, I'm recieving a ValueError that 'plaintext is too long'. My email address is 34 characters long lol 😅

Used my main account and it works, but I'd prefer (as you recommend) to use an alt. For now I'll just make another account but figured I should mention this,