Get 404: not found during authentication - DO NOT USE v4.13.8! Solution: Revert to v4.13.7

[m1r4x]

IMPORTANT: Please search the issues, including closed issues, and the FAQ before opening a new issue. The template is mandatory; failure to use it will result in issue closure.

Describe the bug

I get 404: page not found error when I click on Sign in in the external page opened when I try to add the integration.

To Reproduce

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Screenshots

System details

• Home Assistant version: 2024.11.1
• alexa_media version (from const.py or HA startup log): 4.13.8
• alexapy version (from pip show alexapy in homeasssistant container or HA startup log): 1.29.4
• Is Amazon 2FA/2SV enabled <!---We will not debug login issues if unanswered---> (y/n): y
• Amazon Domain: amazon.it

Debug Logs (alexa_media & alexapy)
Please provide logs.

Additional context

I tried with and without 2FA key (I validated the OTP correctly). same result.
I tried to Deactivate and activate again the 2FA in amazon but get same result.

[danielbrunt57]

What did you enter for Local URL to access Home Assistant?
It needs to be a URL that you can access Home Assistant with from your local browser.

[m1r4x]

192.168.50.183:8123
Local ip of my HA server
I use vpn to remote access to HA

[toin-toin]

Hello, I have exactly the same problem with exactly the same configuration as m1r4x.
But personally, I did not use a VPN to connect

[danielbrunt57]

192.168.50.183:8123 Local ip of my HA server I use vpn to remote access to HA

http://192.168.1.104:8123 works fine for me. AMP sends me off to the Alexa login page and after completing email+password & OTP, the proxy callback returns me to HA which then completes its setup.

The /ap/cvf/approval part is weird. Does that come after you've completed the Alexa login pages or before them immediately after you've submitted the configuration?

There's zero instances in AMP for that path.
alexalogin.py has a instance for /ap/cvf/approval/poll but nothing for just /ap/cvf/approval.

Is there anything in the debug logs??

        # determine post url if not logged in
        if status.get("approval_status") == "TransactionCompleted":
            site = self._data.get("openid.return_to")
        elif form_tag and "login_successful" not in status:
            formsite: str = form_tag.get("action")
            if self._debug:
                _LOGGER.debug("Found form to process: %s", form_tag)
            if formsite and formsite == "verify":
                search_results = re.search(r"(.+)/(.*)", str(site))
                assert search_results is not None
                site = search_results.groups()[0] + "/verify"
                _LOGGER.debug("Found post url to verify; converting to %s", site)
            elif formsite and formsite == "get":
                if "ap_error" in status and status.get("ap_error_href"):
                    assert isinstance(status["ap_error_href"], str)
                    site = status["ap_error_href"]
                elif self._headers.get("Referer"):
                    site = self._headers["Referer"]
                else:
                    site = self.start_url
                _LOGGER.debug("Found post url to get; forcing get to %s", site)
                self._lastreq = None
            elif formsite and formsite == "/ap/cvf/approval/poll":
                self._data = self.get_inputs(soup, {"id": "pollingForm"})
                url = urlparse(site)
                site = f"{url.scheme}://{url.netloc}{formsite}"
                # site = form_tag.find("input", {"name": "openid.return_to"}).get("value")
                _LOGGER.debug("Found url for polling page %s", site)
            elif formsite and forgotpassword_tag:
                site = self.start_url
                _LOGGER.debug("Restarting login process %s", site)
            elif formsite:
                site = formsite
                _LOGGER.debug("Found post url to %s", site)
        return str(site)

[m1r4x]

Yes, the page (is it a page?) appears after I click Sign in in the Amazon form.
Which log can I check? The integration is not installed at all and I don't see anything in the HA core log

[danielbrunt57]

Yes, the page (is it a page?) appears after I click Sign in in the Amazon form.

So it occurs after the Amazon login form. Then there is either a) something weird about your setup b) maybe an issue with your Amazon login or c) Amazon has changed things yet again in your region?

After you click submit, you should get:

http://homeassistant:8123/auth/alexamedia/proxy?config_flow_id=01JCP0MDF9ASYAW86E6Z5FE5SV&callback_url=http://homeassistant:8123/auth/alexamedia/callback?flow_id%3D01JCP0MDF9ASYAW86E6Z5FE5SV

http://homeassistant:8123/auth/alexamedia/proxy/ap/signin

and then...

[m1r4x]

Till here it is correct
http://192.168.50.183:8123/auth/alexamedia/proxy?config_flow_id=01JCP1Z8WC9C303MWR514QW0MX&callback_url=http://192.168.50.183:8123/auth/alexamedia/callback?flow_id%3D01JCP1Z8WC9C303MWR514QW0MX

When I click Sign in I get the error (and the wrong url)
I can use my Amazon login normally...but as 2fa i ever get the approve notification by the Amazon app (not otp generated by Authenticator)

[m1r4x]

Anyway this issue is equal to #2318 discussion.
He speak about a lock on Amazon account...but how can I check it??

[danielbrunt57]

Till here it is correct http://192.168.50.183:8123/auth/alexamedia/proxy?config_flow_id=01JCP1Z8WC9C303MWR514QW0MX&callback_url=http://192.168.50.183:8123/auth/alexamedia/callback?flow_id%3D01JCP1Z8WC9C303MWR514QW0MX

When I click Sign in I get the error (and the wrong url) I can use my Amazon login normally...but as 2fa i ever get the approve notification by the Amazon app (not otp generated by Authenticator)

When you use your Amazon login normally, are you having to enter an OTP or just email & password. If email & password only works, then you've not configured 2SV properly in Amazon as it has to be required all the time for AMP to be able to use OTP. Also, Send me a Code does not work either.
To properly set up Amazon 2SV via Authenticator App, the barcode has to be scanned to add it to your authenticator app (or manually enter the key) which then generates an OTP. That OTP has to entered into the Amazon Authenticator App setup to verify success and activate that app key. Then you can use that app key in AMP. For online authenticator key/OTP generation, you can browse to TOTP.APP (yes, that's a valid URL!)
Alternatively, you can enter the unactivated App key in AMP and when it issues the OTP successfully verified window, you can take that OTP and enter it into the Amazon Authenticator App setup to verify the key and activate it. Then you can proceed with the next step from AMP's OTP Verified window to go to Amazon's login windows.

[danielbrunt57]

AMP needs a major rewrite to eliminate all of this and just prepare itself to send you to Amazon to authenticate yourself however you like so that it can get the damn cookie that it needs to get itself going. This is the way alexa-remote2 works (it's called "proxy method") which is much simpler and never requires your email, password or OTP codes. You just have to manually browse to http://<your_local_ip>:3456 and successfully log in to Amazon. Once that is completed, the browser page informs you it's done and you can close the window. It now has the initial login session cookie and bob's yer uncle.

[m1r4x]

When you use your Amazon login normally, are you having to enter an OTP or just email & password. If email & password only works, then you've not configured 2SV properly in Amazon as it has to be required all the time for AMP to be able to use OTP. Also, Send me a Code does not work either.

To properly set up Amazon 2SV via Authenticator App, the barcode has to be scanned to add it to your authenticator app (or manually enter the key) which then generates an OTP. That OTP has to entered into the Amazon Authenticator App setup to verify success and activate that app key. Then you can use that app key in AMP. For online authenticator key/OTP generation, you can browse to TOTP.APP (yes, that's a valid URL!)

Alternatively, you can enter the unactivated App key in AMP and when it issues the OTP successfully verified window, you can take that OTP and enter it into the Amazon Authenticator App setup to verify the key and activate it. Then you can proceed with the next step from AMP's OTP Verified window to go to Amazon's login windows.

My 2SV Amazon is correctly configured

[danielbrunt57]

My 2SV Amazon is correctly configured

So when you sign into Amazon normally, you have to provide email, password and OTP?

[m1r4x]

Typically I get a notification on Amazon app on my phone "somebody tried to login to your Amazon account....approve or not approve?" Same if I change the preferred method to "use sms to your phone" in Amazon security settings

[danielbrunt57]

Typically I get a notification on Amazon app on my phone "somebody tried to login to your Amazon account....approve or not approve?" Same if I change the preferred method to "use sms to your phone" in Amazon security settings

I'm 99.99% positive that is interrupting the proxy callback method as it introduces an additional screen which AMP is not programmed to handle. It can only deal with 2 URL changes: email+password then OTP after which it returns to HA. In your case you are getting email+password, then notification screen after which the proxy callback returns to HA and therefore thus you never see the OTP screen. I can't find any such option in my amazon.ca personal account.

Perhaps you have something in your browser preventing Amazon cookies from being saved?
I think after you've logged in successfully, an Amazon cookie is saved which it accesses next time you log in to determine whether this is a new sign in attempt or not. If not then it won't alert you.

[danielbrunt57]

You need to find a way to stop Amazon from alerting you if it's not a new sign in attempt.

[MetaImi]

I'm 99.99% positive that is interrupting the proxy callback method as it introduces an additional screen which AMP is not programmed to handle. It can only deal with 2 URL changes: email+password then OTP after which it returns to HA. In your case you are getting email+password, then notification screen after which the proxy callback returns to HA and therefore thus you never see the OTP screen. I can't find any such option in my amazon.ca personal account.

I'm struggling with 500 server error. I have OTP with authenticator app configured, but when trying to install the integration the browser asks email + pwd then catchpa page then 500 server error. So if it only supports 2 redirects that could be the reason for many 500 errors. Do you have a suggestion what can I do to make sure amazon asks otp insted of catchpa? Tried different browsers/ sign out / remove data etc.

[m1r4x]

No way to get it work.
I disabled the 2sv, actived again using as preferred method the otp sms. Cancelled all cookies, changed device...nothing, ever error 404.

[danielbrunt57]

When you login normally, does it always present a captcha?

[hisham211]

hi all,

I don't think this localized to m1r4x's region or setup. I'm in the US and I'm experiencing very similar problems.

[m1r4x]

Glad I'm not alone

[PloyThought]

I also have the same issue here in US. But I am using NABA Casa, does that change what should be in the URL field?

[danielbrunt57]

I also have the same issue here in US. But I am using NABA Casa, does that change what should be in the URL field?

Local URL? No. It needs to be the URL that the browser you are running to do all this from can use to access your homeassistant instance from. I.e. if the browser and HA are both local, then http://homeassistant.local:8123 (or http://192.168.1.x:8123). It's only needed/used during initial setup for the proxy callback after Alexa/Amazon initial login to validate credentials and is never used again after that.

[Pharkie]

UK here and unable to get Alexa Media Player configured and working. Similar problems to the above.

I installed it via HACs, then go to Settings > Devices and Services > Add Integration > Alexa Media Player.
I fill out all the fields:

• Amazon region domain: amazon.com (seems to work better than amazon.co.uk even though I'm in UK?)
• Email address and password for my login
• Built-in 2FA App Key = the long code when I "Add new app" from Amazon 2FA webpage.
• URL to access home assistant: http://192.168.1.130:8123 - which works if I paste into a browser. I've also tried other network addresses for my Home Assistant.

Submit >> confirm the 2FA code provided by Alexa Media Player back on Amazon and confirm in the interface. Then takes me to Amazon sign in page as shown by @danielbrunt57. Follow those steps. Use the 2FA code automatically filled in. Tick boxes to remember me. Returns to the integration set up, looks like it's about to work and then "Alexa Media Player failed to login":

Nothing helpful in the logs.

I'm on the latest HA.

Is this integration now working for new setups, at present, or is there something wrong with my setup or the steps I'm taking? I've tried 6 times, so now got 5 "apps" on my Amazon 2FA that don't work.

Best wishes,

[danielbrunt57]

Use version 4.13.7. v4.18.8 is bad. PR to undo it has been merged into Dev but Alan hasn't bundled a new version release yet.

[m1r4x]

Use version 4.13.7. v4.18.8 is bad. PR to undo it has been merged into Dev but Alan hasn't bundled a new version release yet.

I reverted to 4.13.7 but I still get the error 404