Authentication expiring after 30 min - 5 hrs (Nest and Google Accounts)

[Happyllama25]

Describe the bug
When authenticating a Nest account with the access_token, it stops working after 30 minutes with Auth failed: access token specified in Homebridge configuration rejected
I then did the Google account authentication (with issueToken and cookies) and it also expired after 5 hours.

I did not log out, I closed the browser tab, and the Nest home.nest.com/session shows expires_in: "Thu, 05-Oct-2023 07:36:22 GMT", but after 30 minutes it asks to login again.

To Reproduce
Steps to reproduce the behavior:

1. Authenticate with either Nest or Google cookies
2. 30 minutes for Nest and 5 hours for Google cookies

[lensbos]

Can confirm, seeing same issue.

[51av0sh]

Same here. I just installed Homebridge two days ago and added the Nest integration. I first tried the Nest authentication (by error) and that token no longer worked after 20ish minutes. I then tried the Google authentication method and that token stopped working after a few hours. I can confirm my account uses Google authentication to log in. I went through the procedure 3 different times to get a new token but it stops working after a few hours each time

[51av0sh]

It would appear this is user error since it's only a few of us. Any tips for troubleshooting this?

[Happyllama25]

Agreed, I tried various methods including finding the API token from a header with no luck either... I'm not too sure what next, I also recall one of the iframe/oauth2 URL's was different, or I would get an invalid UTF character error for one but not another (?), but I was setting up late at night and I do not remember what process I did, I will try experimenting again soonish

[Happyllama25]

I also saw somewhere (Don't remember, maybe it was a fork of this repo?) saying that only google chrome browsers work, firefox or others don't give the right token??

[bartholomuej]

Same issue, re-entered the session several times, works for 30mins at most.

[51av0sh]

I also saw somewhere (Don't remember, maybe it was a fork of this repo?) saying that only google chrome browsers work, firefox or others don't give the right token??

I'm on Chrome so this might not be the issue (at least for me)

[Skates1616]

Same issue with Chrome and I even tried the HOOBS Nest Sidecar addon to get the information (it was the same as I was extracting).

[jradwan]

Yeah I'm not having any luck with the HOOBS Nest Sidecar extension either (Edge or Chrome). The values work for a little while in Homebridge but then just stop working.

[tablatronix]

Same, worked for a bit now wont auth already. Shoot thought i finally got it back in homekit.

[JoeMarsh]

Have the same issue both google and nest authentication methods time out after a couple of hours.

Auth failed: access token specified in Homebridge configuration rejected

[wrsjr04]

I have been having issues with this for a minute now. I'm going to end up trying homebridge-google-nest-sdm but the only thing that sucks with that is you have an initial fee from google.

[sunnyd24]

@adriancable @chrisjshull I hope one of you can help.

This issue has been persisting for approx. a month, but I don't know what has caused it.
Google/Nest website authentication changes or something else?
It blanks all nest responses, e.g. in homebridge it shows nest current temperature as 0 degC, etc.

Update:
Going to https://home.nest.com/session shows:
"expires_in": "Sat, 04-Nov-2023 10:13:14 GMT",
Then refreshing a few minutes later shows:
"expires_in": "Sat, 04-Nov-2023 10:16:40 GMT",

I was expecting that session expires_in is indefinate, i.e. so far in the future the session will never expire. Have I misunderstood this?

The times it has been repaired, i,e, logged out, logged back in again, and capturing details, it seems to work for approx. 50-60 mins, here is a log on the periods it works with:

General Info:

04 Oct 2023 - 12:46:27 - Fully logged out of Edge browser, logged back in, it displayed the nest home page, AND kept tab open in browser.
04 Oct 2023 - 13:41:24 - Stopped reported true current temperature and reverted back to 0 degC

From Homebridge Logs:

[10/4/2023, 12:46:27 PM] [Nest] initing thermostat "Thermostat Thermostat": deviceId: <REDACTED> structureId: <REDACTED>
[Thermostat Thermostat@@Heating Threshold Temperature] characteristic was supplied illegal value: number 0 exceeded minimum of 9
[10/4/2023, 12:46:27 PM] [Nest] initing home_away_sensor "Home Occupied": deviceId: <REDACTED> structureId: <REDACTED>
[10/4/2023, 12:56:11 PM] [Homebridge UI] Starting terminal session
[10/4/2023, 1:40:55 PM] [Homebridge UI] Terminal session ended.
[10/4/2023, 1:41:24 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}

[10/4/2023, 1:41:24 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
[10/4/2023, 1:46:22 PM] [Nest] Reauthenticating on Nest service ...
[10/4/2023, 1:46:22 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
[10/4/2023, 1:46:22 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}

[10/4/2023, 1:46:23 PM] [Nest] Auth failed: access token specified in Homebridge configuration rejected
[10/4/2023, 1:46:23 PM] [Nest] API observe: error not_connected
[10/4/2023, 1:46:23 PM] [Nest] ^^^^^ this message is for information only, it does not mean there is a problem, please do not 
file a ticket unless you actually have a problem with the function of the plug-in
[10/4/2023, 1:46:23 PM] [Nest] Retrying in 10 seconds.
[10/4/2023, 2:36:28 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
[10/4/2023, 2:36:28 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}
[10/4/2023, 2:36:28 PM] [Nest] Auth failed: access token specified in Homebridge configuration rejected

The above errors keep repeating forever.

[tablatronix]

I think there is something in google auth that auto de-auth and re-auths, maybe chrome profiles, maybe some other mechanism. I was looking through their oauth and security and gave up after a bit.

[sunnyd24]

I have used Edge so unlikely to be Chrome profiles as the issue........

…

On Thu, 5 Oct 2023, 5:35 pm Shawn A, ***@***.***> wrote: I think there is something in google auth that auto de-auth and re-auths, maybe chrome profiles, maybe some other mechanism. I was looking through their oauth and security and gave up after a bit. — Reply to this email directly, view it on GitHub <#630 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALDYCAQ7JOLKYTAYVHGUP2LX53OVPAVCNFSM6AAAAAA4LK3PHCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBZGI3TQMJSG4> . You are receiving this because you commented.Message ID: ***@***.***>

[Happyllama25]

I used firefox to get my auth data

[Happyllama25]

Possibly relevant: https://support.google.com/googlenest/answer/9293712

tl;dr: Google killed "Works With Nest" connections which likely is the cause of this

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[hamstead]

Possibly relevant: https://support.google.com/googlenest/answer/9293712

tl;dr: Google killed "Works With Nest" connections which likely is the cause of this

I don't think this is related since WWN was deprecated on 9/29 and the issue was reported here almost a month prior. I'm still seeing this issue on my end but I'm not sure what could be causing it.

[sunnyd24]

Still having issues too:

[12/12/2023, 12:11:09 PM] [Nest] Google authentication was unsuccessful. Make sure you did not log out of your Google account after getting your googleAuth parameters.
{
  error: 'USER_LOGGED_OUT',
  detail: 'No active session found.',
  status: undefined
}
[12/12/2023, 12:11:09 PM] [Nest] Access token acquisition via googleAuth failed (code USER_LOGGED_OUT).
[12/12/2023, 12:11:09 PM] [Nest] Unable to authenticate with Google/Nest.
[12/12/2023, 12:11:09 PM] [Nest] NOTE: Because we couldn't connect to the Nest service, your Nest devices in HomeKit will not be responsive.

[adrienthebo]

I'm experiencing the same auth timeout as well; running Firefox on MacOS. The integration works for 30+ minutes and then presents the same error as others.

[ethan021021]

Same issue on my end as well

[dthorndyke]

Encountering the same issue. I had used this plugin successfully around a year ago, but now (after moving and trying to get my homelab setup again) it’s no longer functional due to this issue.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[NathObeaN]

I managed to find a workaround to this issue. First, I should state that I am using the "Using a Google Account" --> Cookie method. I figured the fundamental issue was that this integration is working like a standard web session and timing out due to inactivity. The key is keeping the session alive. But, I suspect if you configure a basic time-based keep-alive, Google's session algorithm would realise it's not user interactivity and kill the session. So, I thought about randomising the 'keep-alive'.

My workaround was to set up several HomeKit automations using various sensors. When those sensors detect motion, they trigger the Nest Occupancy sensor to "On". This effectively sends an API push using your session information to set your Home/Away status to "Home". Even if you are already "Home", the update is sent and keeps things 'alive'.

I've used this setup for a week so far and it's been flawless.

Limitations:

1. It assumes you have sensors to trigger the automation.
2. If you have pets, it might trigger the Home status when you are in fact away. I made sure the only sensors that can trigger the update are not those that would be triggered by pets.
3. If you are away for an extended period of time/holiday, the session might ultimately time out. So, you might want to combine this with another form of keep-alive or simply reconnect if the session does drop.
4. In order for this to work, you have to disable Nest's built-in Home/Away assistance. I didn't have a problem with this, because I found it to be useless anyway (turning to Away when I was Home, even with location tracking enabled). But, I again used HomeKit automations to set to "Away" when I am not at home, which again, works flawlessly.

Hope this helps!

For the developers of this module, I wonder if it's possible to build in some kind of randomised keep-alive which would negate the need for this workaround...

[tablatronix]

Nice I figured it was something like this. I wonder if there is a session option to disable this via a cookie or static auth token

[brookjablonski]

I was also having this issue and I disabled IPv6 on my network and for now this seems to have fixed my issue. I found this suggestion here

Update this did not fix my issue it's still happening.

[scopefield]

IPv6 is already disabled on my router so no difference here unfortunately.

[brookjablonski]

New thing to try. Under the cookies method I was leaving api key blank because I didn't have one. Upon researching I found the api key and put it in and so far so good. It's been 24 hours and no issues. This is the key: AIzaSyAdkSIMNc51XGNEAYWasX9UOWkS5P6sZE4

[ethan021021]

New thing to try. Under the cookies method I was leaving api key blank because I didn't have one. Upon researching I found the api key and put it in and so far so good. It's been 24 hours and no issues. This is the key: AIzaSyAdkSIMNc51XGNEAYWasX9UOWkS5P6sZE4

Where are you inputting the API key? The docs don't mention an API key for the cookie method.

[brookjablonski]

New thing to try. Under the cookies method I was leaving api key blank because I didn't have one. Upon researching I found the api key and put it in and so far so good. It's been 24 hours and no issues. This is the key: AIzaSyAdkSIMNc51XGNEAYWasX9UOWkS5P6sZE4

Where are you inputting the API key? The docs don't mention an API key for the cookie method.

In the plug in config there is a section for api key under the Google account cookies method. I found the api key in reference in this reddit link. I hope this helps if not I can share my config.json

[brookjablonski]

If that doesn't work for you someone recommended this utility nest-googleAuth.

[wrsjr04]

I used the api key and all seems to be working. Been using it for a week now.

[adriancable]

@wrsjr04 - like @NathObeaN's "workaround" this is a placebo. Cookie expiry times vary hugely and having things work for a day one time, and two months the next, is not unusual. API keys do not impact cookie expiry time.

[wrsjr04]

@wrsjr04 - like @NathObeaN's "workaround" this is a placebo. Cookie expiry times vary hugely and having things work for a day one time, and two months the next, is not unusual. API keys do not impact cookie expiry time.

So google's cookies vary in time between each one? To where you can eventually get one that expires after x amount of time?

[adriancable]

@wrsjr04 - cookies should have a long expiry time so that you don't constantly need to log back in to web services, which is a pain. On the other hand, cookies should have a short expiry time so you don't have long-running active login credentials hanging around which could be harvested by malware, used by other people using the same computer/device, etc. since this presents a security risk. Obviously these two aims pull in opposite directions, so Google has an algorithm which decides how long cookies should be valid for. The inputs to the algorithm are not public, to prevent manipulation, but it's known for example that the IP address that you are making API requests from makes a difference, presumably because Google applies some heuristic to how 'public' the machine behind it may be. For example, logins to lots of different accounts from the same IP in a short space of time will lead to short cookie expiry times. But there are almost certainly many many many other factors which we don't know.

The cookie expiration logic is implemented as part of Google's user authentication layer, which happens before anything else, including figuring out what service the call is being made to, interpreting the body of the call, parsing other headers like API keys etc. So fiddling with any of these things cannot impact cookie lifetime.

When receiving a cookie, you don't know in advance how long it will be valid for. The cookie does have an expiration date, but this is always far in the future, and not meaningful since Google can (and does) expire cookies at any time before this date.

In general I applaud experimentation but please know that in this case, it is like sacrificing goats to make it rain. If you sacrifice enough goats, it will eventually rain, because if you wait long enough, it rains. The sacrifice has nothing to do with it.

[adriancable]

Adding a note: if you are looking for a productive direction on how to solve this, forget about cookies. The right approach is to figure out how to generate refresh tokens in the browser, like the OOB flow used to be able to do, before Google disabled it. This is almost certainly possible using puppeteer-plugin-extra-stealth or something similar to log into Google from the browser using the app-based OAuth2 flow and then intercepting the response at the end which contains the refresh token, before the OAuth2 flow redirects to a custom URI which a browser can't handle. Unfortunately, I don't have the free time right now to spend digging into this.

[alexwohlbruck]

I suppose it's possible to simulate a web login using puppeteer like you mentioned or some kind of headless selenium instance. It would require that you hand over login access to your google account in some way (app passwords? TOTP key?), but as long as we keep things local and secure this should be okay. I might like to take on this project if one of the project maintainers can kick me off with the high level overview of how the auth process works. @adriancable @chrisjshull

[tablatronix]

Could nodered do this?

[alexwohlbruck]

Could nodered do this?

Possibly, but it would be better to achieve a solution without any dependencies

[wrsjr04]

As Alex said is there any with documentation available would love to help get the issue fixed and find a new auth method that could be used to allow us to interact with nest as the smart device management api doesn't allow all the features.

Edit: Spelling

[wrsjr04]

Also can we add something in the readme.md file stating this is a know issue and linking this thread?

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[lNOFXl]

yup, updated my google password and now I'm stuck in this mess as well. Now I'm no computer professional by any means, wish i could help fix this but... I'm just a mechanic that's very good at following instructions. I've setup google assistant SDK to at least lock my locks from homeassistant automatically... i guess on the bright side... this makes my setup safer as it can only lock haha

[jballer]

I ended up buying a Starling hub and hadn't thought about this issue since. Wondering what they do differently? I suppose they grab an API key with the iPhone app and copy it to the hub programmatically?

[lNOFXl]

Yeah, thought about it but I don't want another hub to power with the battery backup. My computer is already running

[lNOFXl]

alright so I've just purchased a Starling hub on ebay and got that working now and literally killed my homebridge setup completely cause i was literally just using it for my door locks. I came across this little tidbit of info that i think may actually work for this but someone is going to need to try it cause well, I'm just not going through all that again haha. Basically just gotta get a 0Auth through this method to give you access to your google account once 2fa is setup with a new password after the new restrictions google has changed to. You'll need to run a docker called ha-google-home_get-token and might need to login with an app password

https://support.google.com/accounts/answer/185833?hl=en

After you have Docker installed, enter the following commands.

docker pull breph/ha-google-home_get-token:latest
docker run -it -d breph/ha-google-home_get-token

Copy the returned container ID to use in the following command.

docker exec -it <ID> bash

Inside the container, enter the following command and answer the prompts to generate a master token. For the password, you should preferably use an app password in the link i put above,

python3 get_tokens.py

The script will generate two tokens, a "master token" and an "access token"

Use this token in the integration's configuration process by entering it into the token field

[PrinceOfEgypt]

I'm willing to try this, but where exactly am I supposed to put the access token? under Nest Account?

[mildertduck]

I have tried doing this, but like @PrinceOfEgypt, I can't see where to put the token.

[tablatronix]

I will try this when I get a chance

[lNOFXl]

To be honest I posted it more as a guess that it may work but it's looking like there really is no spot in the current implementation of the plugin to put the appropriate information. I'll try ans see if I can take a closer look soon enough, sorry for the possible false hope, was not my aim.

[amercer86]

Just getting spun up on this and, yeah, can confirm. Same issue. I think at this point, my solution is going to phase out products that can't play nice with others in favor of platform agnostic devices. Google is such a disappointment.

Even w/ the starling hub - its only a matter of time before google patches whatever methodology starling uses.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.