Get 404: not found during authentication - DO NOT USE v4.13.8! Solution: Revert to v4.13.7 #2677

Open
m1r4x opened this issue Nov 13, 2024 · 40 comments
Labels
bug Something isn't working v4.13.8 - DO NOT USE revert to v4.13.7

Comments

@m1r4x

m1r4x commented Nov 13, 2024

IMPORTANT: Please search the issues, including closed issues, and the FAQ before opening a new issue. The template is mandatory; failure to use it will result in issue closure.

Describe the bug

I get 404: page not found error when I click on Sign in in the external page opened when I try to add the integration.

To Reproduce

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Screenshots
image

image

System details

  • Home Assistant version: 2024.11.1
  • alexa_media version (from const.py or HA startup log): 4.13.8
  • alexapy version (from pip show alexapy in homeassistant container or HA startup log): 1.29.4
  • Is Amazon 2FA/2SV enabled (y/n): y
  • Amazon Domain: amazon.it

Debug Logs (alexa_media & alexapy)
Please provide logs.

Additional context

I tried with and without 2FA key (I validated the OTP correctly). Same result.
I tried to deactivate and activate again the 2FA in Amazon but get the same result.

@danielbrunt57
Collaborator

danielbrunt57 commented Nov 14, 2024

What did you enter for Local URL to access Home Assistant?
It needs to be a URL that you can access Home Assistant with from your local browser.

image
image

@m1r4x
Author

m1r4x commented Nov 14, 2024

192.168.50.183:8123
Local IP of my HA server
I use a VPN for remote access to HA

@toin-toin

toin-toin commented Nov 14, 2024

Hello, I have exactly the same problem with exactly the same configuration as m1r4x.
But personally, I did not use a VPN to connect

@danielbrunt57
Collaborator

> 192.168.50.183:8123 Local ip of my HA server I use vpn to remote access to HA

http://192.168.1.104:8123 works fine for me. AMP sends me off to the Alexa login page and after completing email+password & OTP, the proxy callback returns me to HA which then completes its setup.

The /ap/cvf/approval part is weird. Does that come after you've completed the Alexa login pages or before them immediately after you've submitted the configuration?

There's zero instances in AMP for that path.
alexalogin.py has an instance for /ap/cvf/approval/poll but nothing for just /ap/cvf/approval.

Is there anything in the debug logs??

        # determine post url if not logged in
        if status.get("approval_status") == "TransactionCompleted":
            site = self._data.get("openid.return_to")
        elif form_tag and "login_successful" not in status:
            formsite: str = form_tag.get("action")
            if self._debug:
                _LOGGER.debug("Found form to process: %s", form_tag)
            if formsite and formsite == "verify":
                search_results = re.search(r"(.+)/(.*)", str(site))
                assert search_results is not None
                site = search_results.groups()[0] + "/verify"
                _LOGGER.debug("Found post url to verify; converting to %s", site)
            elif formsite and formsite == "get":
                if "ap_error" in status and status.get("ap_error_href"):
                    assert isinstance(status["ap_error_href"], str)
                    site = status["ap_error_href"]
                elif self._headers.get("Referer"):
                    site = self._headers["Referer"]
                else:
                    site = self.start_url
                _LOGGER.debug("Found post url to get; forcing get to %s", site)
                self._lastreq = None
            elif formsite and formsite == "/ap/cvf/approval/poll":
                self._data = self.get_inputs(soup, {"id": "pollingForm"})
                url = urlparse(site)
                site = f"{url.scheme}://{url.netloc}{formsite}"
                # site = form_tag.find("input", {"name": "openid.return_to"}).get("value")
                _LOGGER.debug("Found url for polling page %s", site)
            elif formsite and forgotpassword_tag:
                site = self.start_url
                _LOGGER.debug("Restarting login process %s", site)
            elif formsite:
                site = formsite
                _LOGGER.debug("Found post url to %s", site)
        return str(site)

@m1r4x
Author

m1r4x commented Nov 14, 2024

Yes, the page (is it a page?) appears after I click Sign in in the Amazon form.
Which log can I check? The integration is not installed at all and I don't see anything in the HA core log

@danielbrunt57
Collaborator

> Yes, the page (is it a page?) appears after I click Sign in in the Amazon form.

So it occurs after the Amazon login form. Then there is either a) something weird about your setup b) maybe an issue with your Amazon login or c) Amazon has changed things yet again in your region?

After you click submit, you should get:

http://homeassistant:8123/auth/alexamedia/proxy?config_flow_id=01JCP0MDF9ASYAW86E6Z5FE5SV&callback_url=http://homeassistant:8123/auth/alexamedia/callback?flow_id%3D01JCP0MDF9ASYAW86E6Z5FE5SV

image

image

http://homeassistant:8123/auth/alexamedia/proxy/ap/signin
image

and then...

image

@m1r4x
Author

m1r4x commented Nov 14, 2024

Till here it is correct
http://192.168.50.183:8123/auth/alexamedia/proxy?config_flow_id=01JCP1Z8WC9C303MWR514QW0MX&callback_url=http://192.168.50.183:8123/auth/alexamedia/callback?flow_id%3D01JCP1Z8WC9C303MWR514QW0MX

When I click Sign in I get the error (and the wrong url)
I can use my Amazon login normally...but as 2fa i ever get the approve notification by the Amazon app (not otp generated by Authenticator)

@m1r4x
Author

m1r4x commented Nov 14, 2024

Anyway this issue is equal to #2318 discussion.
He speaks about a lock on Amazon account...but how can I check it??

@danielbrunt57
Collaborator

danielbrunt57 commented Nov 15, 2024

> Till here it is correct http://192.168.50.183:8123/auth/alexamedia/proxy?config_flow_id=01JCP1Z8WC9C303MWR514QW0MX&callback_url=http://192.168.50.183:8123/auth/alexamedia/callback?flow_id%3D01JCP1Z8WC9C303MWR514QW0MX
>
> When I click Sign in I get the error (and the wrong url) I can use my Amazon login normally...but as 2fa i ever get the approve notification by the Amazon app (not otp generated by Authenticator)

When you use your Amazon login normally, are you having to enter an OTP or just email & password? If email & password only works, then you've not configured 2SV properly in Amazon as it has to be required all the time for AMP to be able to use OTP. Also, Send me a Code does not work either.
To properly set up Amazon 2SV via Authenticator App, the barcode has to be scanned to add it to your authenticator app (or manually enter the key) which then generates an OTP. That OTP has to be entered into the Amazon Authenticator App setup to verify success and activate that app key. Then you can use that app key in AMP. For online authenticator key/OTP generation, you can browse to TOTP.APP (yes, that's a valid URL!)
Alternatively, you can enter the unactivated App key in AMP and when it issues the OTP successfully verified window, you can take that OTP and enter it into the Amazon Authenticator App setup to verify the key and activate it. Then you can proceed with the next step from AMP's OTP Verified window to go to Amazon's login windows.
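
How the app key described above turns into a six-digit OTP, as an added example that is not part of this comment or of the AMP/alexapy code: a standard RFC 6238 TOTP computation in Python. The key normalisation (spaces, lower case, missing padding) and the drift window are assumptions about how a key is typed and checked, and the sample key in the demo is the RFC test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct


def normalize_app_key(app_key: str) -> bytes:
    """Decode a base32 authenticator key as a user would type it.

    Assumption: the key may be shown in space-separated groups, in lower
    case and without '=' padding, so clean it up before decoding.
    """
    cleaned = "".join(app_key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(app_key: str, unix_time: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given moment."""
    # The moving factor is the number of whole time steps since the epoch.
    counter = max(0, int(unix_time) // step)
    mac = hmac.new(normalize_app_key(app_key),
                   struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(app_key: str, candidate: str, unix_time: float,
           window: int = 1, step: int = 30) -> bool:
    """Accept codes from adjacent time steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(app_key, unix_time + drift * step, step=step),
                            candidate)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890",
    # written the way a grouped, lower-case key might be displayed.
    sample_key = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print(totp(sample_key, 59))
```

Run locally, this yields the same codes as an authenticator app for the same key and clock, without the key leaving the machine.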

@danielbrunt57
Collaborator

AMP needs a major rewrite to eliminate all of this and just prepare itself to send you to Amazon to authenticate yourself however you like so that it can get the damn cookie that it needs to get itself going. This is the way alexa-remote2 works (it's called "proxy method") which is much simpler and never requires your email, password or OTP codes. You just have to manually browse to http://<your_local_ip>:3456 and successfully log in to Amazon. Once that is completed, the browser page informs you it's done and you can close the window. It now has the initial login session cookie and bob's yer uncle.

@m1r4x
Author

m1r4x commented Nov 15, 2024

> When you use your Amazon login normally, are you having to enter an OTP or just email & password? If email & password only works, then you've not configured 2SV properly in Amazon as it has to be required all the time for AMP to be able to use OTP. Also, Send me a Code does not work either.
>
> To properly set up Amazon 2SV via Authenticator App, the barcode has to be scanned to add it to your authenticator app (or manually enter the key) which then generates an OTP. That OTP has to be entered into the Amazon Authenticator App setup to verify success and activate that app key. Then you can use that app key in AMP. For online authenticator key/OTP generation, you can browse to TOTP.APP (yes, that's a valid URL!)
>
> Alternatively, you can enter the unactivated App key in AMP and when it issues the OTP successfully verified window, you can take that OTP and enter it into the Amazon Authenticator App setup to verify the key and activate it. Then you can proceed with the next step from AMP's OTP Verified window to go to Amazon's login windows.

My 2SV Amazon is correctly configured
image

@danielbrunt57
Collaborator

> My 2SV Amazon is correctly configured

So when you sign into Amazon normally, you have to provide email, password and OTP?

@m1r4x
Author

m1r4x commented Nov 15, 2024

Typically I get a notification on Amazon app on my phone "somebody tried to login to your Amazon account....approve or not approve?" Same if I change the preferred method to "use sms to your phone" in Amazon security settings

@danielbrunt57
Collaborator

> Typically I get a notification on Amazon app on my phone "somebody tried to login to your Amazon account....approve or not approve?" Same if I change the preferred method to "use sms to your phone" in Amazon security settings

I'm 99.99% positive that is interrupting the proxy callback method as it introduces an additional screen which AMP is not programmed to handle. It can only deal with 2 URL changes: email+password then OTP after which it returns to HA. In your case you are getting email+password, then notification screen after which the proxy callback returns to HA and therefore you never see the OTP screen. I can't find any such option in my amazon.ca personal account.

Perhaps you have something in your browser preventing Amazon cookies from being saved?
I think after you've logged in successfully, an Amazon cookie is saved which it accesses next time you log in to determine whether this is a new sign in attempt or not. If not then it won't alert you.

@danielbrunt57
Collaborator

You need to find a way to stop Amazon from alerting you if it's not a new sign in attempt.

@MetaImi

MetaImi commented Nov 15, 2024

> I'm 99.99% positive that is interrupting the proxy callback method as it introduces an additional screen which AMP is not programmed to handle. It can only deal with 2 URL changes: email+password then OTP after which it returns to HA. In your case you are getting email+password, then notification screen after which the proxy callback returns to HA and therefore you never see the OTP screen. I can't find any such option in my amazon.ca personal account.

I'm struggling with 500 server error. I have OTP with authenticator app configured, but when trying to install the integration the browser asks email + pwd then captcha page then 500 server error. So if it only supports 2 redirects that could be the reason for many 500 errors. Do you have a suggestion what can I do to make sure Amazon asks OTP instead of captcha? Tried different browsers / sign out / remove data etc.

@m1r4x
Author

m1r4x commented Nov 15, 2024

No way to get it work.
I disabled the 2sv, activated again using as preferred method the otp sms. Cancelled all cookies, changed device...nothing, ever error 404.

@danielbrunt57
Collaborator

When you login normally, does it always present a captcha?

@hisham211

hi all,

I don't think this is localized to m1r4x's region or setup. I'm in the US and I'm experiencing very similar problems.

@m1r4x
Author

m1r4x commented Nov 17, 2024

Glad I'm not alone

@PloyThought

I also have the same issue here in US. But I am using Nabu Casa, does that change what should be in the URL field?

@danielbrunt57
Collaborator

> I also have the same issue here in US. But I am using Nabu Casa, does that change what should be in the URL field?

Local URL? No. It needs to be the URL that the browser you are running to do all this from can use to access your homeassistant instance from. I.e. if the browser and HA are both local, then http://homeassistant.local:8123 (or http://192.168.1.x:8123). It's only needed/used during initial setup for the proxy callback after Alexa/Amazon initial login to validate credentials and is never used again after that.

@Pharkie

Pharkie commented Nov 22, 2024

UK here and unable to get Alexa Media Player configured and working. Similar problems to the above.

I installed it via HACS, then go to Settings > Devices and Services > Add Integration > Alexa Media Player.
I fill out all the fields:

  • Amazon region domain: amazon.com (seems to work better than amazon.co.uk even though I'm in UK?)
  • Email address and password for my login
  • Built-in 2FA App Key = the long code when I "Add new app" from Amazon 2FA webpage.
  • URL to access home assistant: http://192.168.1.130:8123 - which works if I paste into a browser. I've also tried other network addresses for my Home Assistant.

Submit >> confirm the 2FA code provided by Alexa Media Player back on Amazon and confirm in the interface. Then takes me to Amazon sign in page as shown by @danielbrunt57. Follow those steps. Use the 2FA code automatically filled in. Tick boxes to remember me. Returns to the integration set up, looks like it's about to work and then "Alexa Media Player failed to login":

Screenshot 2024-11-22 at 01 23 24

Nothing helpful in the logs.

I'm on the latest HA.

Is this integration now working for new setups, at present, or is there something wrong with my setup or the steps I'm taking? I've tried 6 times, so now got 5 "apps" on my Amazon 2FA that don't work.

Best wishes,

@danielbrunt57
Collaborator

Use version 4.13.7. v4.18.8 is bad. PR to undo it has been merged into Dev but Alan hasn't bundled a new version release yet.

danielbrunt57 changed the title from "Get 404: not found during authentication" to "Get 404: not found during authentication - DO NOT USE v4.13.8! Solution: Revert to v4.13.7" Nov 22, 2024
danielbrunt57 added bug Something isn't working v4.13.8 - DO NOT USE revert to v4.13.7 labels Nov 22, 2024

@m1r4x
Author

m1r4x commented Nov 25, 2024

> Use version 4.13.7. v4.18.8 is bad. PR to undo it has been merged into Dev but Alan hasn't bundled a new version release yet.

I reverted to 4.13.7 but I still get the error 404

@ianground

This is one very frustrating integration. Following all the steps as above and some of the apparent workarounds and still end up with 500 Internal Server Error - Server got itself in trouble. I appreciate that the dev. has done this freely and has the capricious Amazon to deal with but this has been going on for months now and never seems to address the issues that many have encountered. It would be good to know if these problems are soluble or if this is beyond repair given the Amazon end of things. Then we can take this out of our HA setups till someone else has a try.

@danielbrunt57
Collaborator

> I disabled the 2sv, activated again using as preferred method the otp sms.

> but as 2fa i ever get the approve notification by the Amazon app (not otp generated by Authenticator)

OTP via SMS or an amazon approval notification will not work as that introduces another step in the auth sequence and AMP's proxy callback is only written to handle one or two callbacks looking for "authentication successful" before it fails.

It will be a while before I am able to tear this thing apart and try and write something different to get the initial login successful cookie, which will be along the lines of Apollon's alexa-remote2. But that's a javascript library that's used in Node-RED's node-red-contrib-alexa-remote2-applestrudel and is not something that can just be "dropped" into HA's Python environment...

@m1r4x
Author

m1r4x commented Nov 28, 2024

It is exactly what happens to me. The only 2wa method available is through Amazon app and I cannot change it in Amazon security settings.

@danielbrunt57
Collaborator

> It is exactly what happens to me. The only 2wa method available is through Amazon app and I cannot change it in Amazon security settings.

I don't understand. Why can you not change your Amazon 2SV settings to use Authenticator App and create/add a new App?

@danielbrunt57
Collaborator

Sign in to your Amazon domain (i.e. https://amazon.ca, https://amazon.com, etc.)
Select Your Account > Login & security > 2-step verification > Manage > Preferred method > Authenticator App > Add a new app.

If you already have OTP's being sent to your phone, then...

Setting an app as your preferred method
If you want to generate one-time passwords from an app instead of having them sent to your phone, you'll need to clear your two-step verification settings. To do so, tap or click disable, then check the box next to ‘Also clear my two-step verification settings’ on the window that appears. Lastly, re-enable two-step verification using your authenticator app as your preferred method.

@m1r4x
Author

m1r4x commented Nov 28, 2024

image

One is my Authenticator app on my phone, the other one is AMP.

I ever get 404 error. Using AMP version 4.13.7

@danielbrunt57
Collaborator

danielbrunt57 commented Nov 28, 2024

> I ever get 404 error. Using AMP version 4.13.7

I don't understand your English. This is what you said in Italian: "Ricevo sempre l'errore 404. Utilizzando la versione AMP 4.13.7"

"Metodo preferito App di autenticazione Cambia 2 applicazioni registrate Aggiungi una nuovo app"
translates to
"Preferred method Authentication app Change 2 applications registered Add a new app"
This is my page translated to Italian:

image

@danielbrunt57
Collaborator

danielbrunt57 commented Nov 28, 2024

Hmmm.

> Typically I get a notification on Amazon app on my phone "somebody tried to login to your Amazon account....approve or not approve?"

That would be this page then...
image
That full URL is https://192.168.50.183:8123/ap/cvf/approval?
If so, AMP Proxy is not programmed to deal with /ap/cvf/approval in the proxied callback hence the "500" error.
All I see in alexapy/alexalogin.py is elif formsite and formsite == "/ap/cvf/approval/poll":.

Since you have the error and I do not and cannot test anything, you could try editing /usr/local/lib/python3.12/site-packages/alexapy/alexalogin.py line 1679 to read:

elif formsite and formsite == "/ap/cvf/approval/approval":

I.e. replace poll with approval, save, restart HA and try adding the integration again.
I've no idea how it will behave though...
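
A way to triage the URL reported above, as an added example that is not part of this comment or of the AMP/alexapy code base: it checks whether the page the browser landed on is still under the proxy path seen earlier in the thread, and whether the quoted alexalogin.py excerpt has a branch naming that path. `parse_local_url`, `diagnose`, `proxied_url` and the report keys are hypothetical names; the paths and URLs are the ones quoted in this issue.

```python
from urllib.parse import urlsplit

# Paths quoted in this thread (proxy and callback URLs, alexalogin.py excerpt).
PROXY_PREFIX = "/auth/alexamedia/proxy"
CALLBACK_PATH = "/auth/alexamedia/callback"
DEDICATED_BRANCHES = {"/ap/cvf/approval/poll"}


def parse_local_url(ha_base_url):
    """Parse the 'Local URL' value; a bare host:port has no usable scheme."""
    base = urlsplit(ha_base_url)
    if base.scheme not in ("http", "https") or not base.netloc:
        raise ValueError("Local URL needs a scheme and host, e.g. http://<host>:8123")
    return base


def diagnose(landed_url, ha_base_url):
    """Classify the URL the browser landed on during the proxied login."""
    base = parse_local_url(ha_base_url)
    landed = urlsplit(landed_url)
    report = {
        "same_host": landed.netloc == base.netloc,
        "same_scheme": landed.scheme == base.scheme,
        "location": "external",  # not on the Home Assistant host at all
        "upstream_path": None,
        "dedicated_branch": None,
    }
    if not report["same_host"]:
        return report
    if landed.path == CALLBACK_PATH:
        report["location"] = "callback"
        return report
    if landed.path == PROXY_PREFIX or landed.path.startswith(PROXY_PREFIX + "/"):
        report["location"] = "proxied"
        report["upstream_path"] = landed.path[len(PROXY_PREFIX):] or "/"
    else:
        # An absolute upstream path that lost the proxy prefix.
        report["location"] = "escaped_proxy"
        report["upstream_path"] = landed.path
    report["dedicated_branch"] = report["upstream_path"] in DEDICATED_BRANCHES
    return report


def proxied_url(ha_base_url, upstream_path):
    """Where the same step would sit if it stayed under the proxy.

    Assumption: the proxy maps prefix + upstream path, as the
    /auth/alexamedia/proxy/ap/signin URL in this thread suggests.
    """
    base = parse_local_url(ha_base_url)
    return f"{base.scheme}://{base.netloc}{PROXY_PREFIX}{upstream_path}"


if __name__ == "__main__":
    # URLs as reported in this issue.
    print(diagnose("https://192.168.50.183:8123/ap/cvf/approval?",
                   "http://192.168.50.183:8123"))
```

For the URL in this comment the report gives `escaped_proxy`, a scheme mismatch and no dedicated branch: the path sits outside `/auth/alexamedia/proxy`, which is consistent with Home Assistant itself answering 404.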

@m1r4x
Author

m1r4x commented Nov 29, 2024

> That full URL is https://192.168.50.183:8123/ap/cvf/approval?
> If so, AMP Proxy is not programmed to deal with /ap/cvf/approval in the proxied callback hence the "500" error.

Yes it is that one.

Hm, last time I tried to modify an integration, I broke everything.
I will wait confident...

@m1r4x
Author

m1r4x commented Dec 1, 2024

Version 5.0.0 just installed but same problem.
Anyway the problem is:
image
If you don't know Italian, it says:
Open your iOS Amazon App to continue..
And there is no way to change the authentication method....it ever asks to open the Amazon app

@danielbrunt57
Collaborator

What Amazon is telling you to do is for you to go and open the Amazon app to verify and prove that this login session is legitimately being done by you. So, you have to open the app on your phone and it should alert you to the fact that someone has tried to log in and you need to authorize that attempt. There's no way for AMP to automate that approval! If there were, then any scammer could do it and Amazon's protection methods would be pointless.

@m1r4x
Author

m1r4x commented Dec 4, 2024

Yes, of course....but when I try to login with AMP I don't get the notification to open the Amazon app for authentication approval...So, could AMP manage this authentication method in the future?

@danielbrunt57
Collaborator

danielbrunt57 commented Dec 5, 2024

> Yes, of course....but when I try to login with AMP I don't get the notification to open the Amazon app for authentication approval...So, could AMP manage this authentication method in the future?

Ok, I think I see the picture now. Your independent Amazon login session prompts you to open the app for authentication, which all works. But this never happens from AMP.
When you login to Amazon, does it always prompt you to open the app to approve?
Which browser are you using?
Can you try repeated login sessions using a different browser?

I'm trying to rule out a browser's failure to remember that you already proved yourself (via cached cookies).
I'm using MS Edge and I only see that Amazon initial "prove you are really you" or get a CAPTCHA screen if I reset the browser &/or clear cached files & cookies.

@m1r4x
Author

m1r4x commented Dec 5, 2024

Actually I ever used Chrome (from different devices). Anyway, yes it always prompt that type of approval. (Also if I delete the Amazon app from my devices🫣)
I will try on MS edge asap.
Thank you for your patience Daniel!

@m1r4x
Author

m1r4x commented Dec 6, 2024

Just tried with MS edge and same problem...
