403 Client Error: Forbidden for url: https://ocapi-app.arlo.com/api/auth about arlo HOT 19 OPEN

@bjia56 - im circling back to this issue - trying out your fix, but getting the error below. not sure what's wrong here - have my gmail credential expired?

2023-10-13 13:21:04,566 | INFO | Function: autodetect() | Line 49 | file_cache is only supported with oauth2client<4.0.0
2023-10-13 13:21:09,778 | ERROR | Function: download_mp4s() | Line 103 | ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})
Traceback (most recent call last):
 File "/Users/username/Documents/Github/arlo-cloudflarefix/arlo_download.py", line 27, in download_mp4s
   arlo = Arlo(USERNAME, PASSWORD, google_credential_file=MFA)
 File "/Users/username/Documents/Github/arlo-cloudflarefix/arlo.py", line 69, in __init__
   self.LoginMFA(username, password, google_credential_file)
 File "/Users/username/Documents/Github/arlo-cloudflarefix/arlo.py", line 256, in LoginMFA
   ).execute()
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
   return wrapped(*args, **kwargs)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/googleapiclient/http.py", line 923, in execute
   resp, content = _retry_request(
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/googleapiclient/http.py", line 191, in _retry_request
   resp, content = http.request(uri, method, *args, **kwargs)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google_auth_httplib2.py", line 209, in request
   self.credentials.before_request(self._request, method, uri, request_headers)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/auth/credentials.py", line 134, in before_request
   self.refresh(request)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/oauth2/credentials.py", line 319, in refresh
   ) = reauth.refresh_grant(
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/oauth2/reauth.py", line 349, in refresh_grant
   _client._handle_error_response(response_data, retryable_error)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/oauth2/_client.py", line 69, in _handle_error_response
   raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})
2023-10-13 13:21:09,783 | INFO | Function: main() | Line 89 | 

ok never mind, I just went through the google MFA steps again and re-created the credentials and now it works!!!!
wow, your PR should def get merged into the master! thank you so much for the fix!

from arlo.

FYI, it looks like scrypted issued a patch to deal with the exact same type of 403 issue. Also, the issue appeared around May 10 right around same time as the issue that I am seeing.

koush/scrypted@0a020f2

Trying to understand exactly what they did to fix the issue, no comments in the code.

from arlo.

Just took a quick look, but it looks to me like the assumption is that CloudFlare is causing the issue. So they hardcoded some IP's direct to Arlo (in base64), and if the main one fails, they try to find one of those with the correct SSL cert, and use that instead.

Doesn't seem like a great option, since those IP's can change at any time (and if I checked right, at lest one is already not pointing at Arlo.)

from arlo.

Hmm, not even sure the scrypted solution works at all anymore. The API is protected behind CloudFront. Have not found any way to access it. And all the IP:s are broken as well.

Perhaps better luck building a "private server" for the Arlo cameras.

from arlo.

I'd guess CloudFlare is doing some sort of TLS fingerprinting or similar. I played around a bit, both using Cloudscraper and swapping around the TLS cipher order. Didn't have any luck.

I'll wait a bit to see what anyone else comes up with, but at this point I may just go with another vendor if Arlo doesn't want me to have access to my own recordings.

from arlo.

Well, given this: koush/scrypted@8eb533c
Maybe they've found a way around using cloud scraper. Note that they had to update their IP list as well. I expect that'll have to be done regularly.

from arlo.

I had a similar issue with Arlo and Cloudscraper based on another Python module (https://github.com/m0urs/arlo-fhem). For me, the Cloudflare login issue has been resolved by adding this parameter to the cloudscraper call:

self._session = cloudscraper.create_scraper(ecdhCurve='secp384r1')

together with Cloudscraper 1.2.71 and the following User Agent String:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.58

Not sure if the last two things are related to that, but the Cloudscraper parameter definitely has been necessary for me. Maybe it could resolve the issue for others as well ...

from arlo.

@m0urs thank you for the suggestions, but I'm unclear as to where exactly i should add the cloud scraper call into my code.
A search of the arlo library has no ref to cloudscraper.

from arlo.

To be honest, I do not know this code here, but I guess that something similar is used to handle the Cloudflare checking for HTTP requests. Maybe @jeffreydwalter should know how this code is doing it and maybe there are similar settings.

from arlo.

In arlo.py at line 139, something like this could be done:
self.request = cloudscraper.create_scraper(ecdhCurve='secp384r1')
Instead of Request()
Need to import cloudscraper too like import cloudscraper along with other imports. I cannot verify this actually works at this moment.

from arlo.

@tomelsj thanks for the suggestions, i tried it, unfortunately, still get a 403 error, so frustrating -
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://ocapi-app.arlo.com/api/auth

from arlo.

Did you wait a day between the last login try without the parameter and the next try with the parameter? If not, please wait some hours until Cloudflare has unbanned your IP address.

from arlo.

@m0urs yes, i updated my code and waited a few days before trying again
unfortunately I still see a 403-Forbidden response.

from arlo.

I still have not been able to get this to work.
is there someone who actually has the login working with Arlo library?
if so, would you be able to send a PR for this package to addresses this issue?

from arlo.

Any updates for this error?

from arlo.

Hoping for any leads/fixes for this error. Unsure if it is possible to proceed without a fix

from arlo.

@bjia56 - im circling back to this issue - trying out your fix, but getting the error below.
not sure what's wrong here - have my gmail credential expired?

2023-10-13 13:21:04,566 | INFO | Function: autodetect() | Line 49 | file_cache is only supported with oauth2client<4.0.0
2023-10-13 13:21:09,778 | ERROR | Function: download_mp4s() | Line 103 | ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})
Traceback (most recent call last):
 File "/Users/username/Documents/Github/arlo-cloudflarefix/arlo_download.py", line 27, in download_mp4s
   arlo = Arlo(USERNAME, PASSWORD, google_credential_file=MFA)
 File "/Users/username/Documents/Github/arlo-cloudflarefix/arlo.py", line 69, in __init__
   self.LoginMFA(username, password, google_credential_file)
 File "/Users/username/Documents/Github/arlo-cloudflarefix/arlo.py", line 256, in LoginMFA
   ).execute()
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
   return wrapped(*args, **kwargs)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/googleapiclient/http.py", line 923, in execute
   resp, content = _retry_request(
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/googleapiclient/http.py", line 191, in _retry_request
   resp, content = http.request(uri, method, *args, **kwargs)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google_auth_httplib2.py", line 209, in request
   self.credentials.before_request(self._request, method, uri, request_headers)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/auth/credentials.py", line 134, in before_request
   self.refresh(request)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/oauth2/credentials.py", line 319, in refresh
   ) = reauth.refresh_grant(
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/oauth2/reauth.py", line 349, in refresh_grant
   _client._handle_error_response(response_data, retryable_error)
 File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/google/oauth2/_client.py", line 69, in _handle_error_response
   raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})
2023-10-13 13:21:09,783 | INFO | Function: main() | Line 89 | 

from arlo.

Last I knew @jeffreydwalter was no longer using this library .. maybe time for a hand-off of fork?

from arlo.

Last I knew @jeffreydwalter was no longer using this library .. maybe time for a hand-off of fork?

yeah, I hope we can keep this library alive, I have a lot of money invested in Arlo cams. And all I really
want to do is download my videos for a local archive, so in that regard, the arlo package has been been a huge help.

from arlo.