TP-Link Omada integration broken after Implementing 2FA Authentication.

[dmelideo]

The problem

Implemented the required Omada 2FA Authentication using MS Authenticator. Integration error states Two-factor authentication required for local user (-30165). I have functional local and cloud control, both ask for a @fa code. Realize the HA integration won't work with cloud control. Was previously working before transition. Appreciate any help you can provide.

What version of Home Assistant Core has the issue?

2024.7.3

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

TP-Link Omada

Link to integration documentation on our website

No response

Diagnostics information

home-assistant_tplink_omada_2024-07-21T13-06-48.100Z.log

Example YAML snippet

No response

Anything in the logs that might be useful for us?

2024-07-21 07:47:05.204 ERROR (MainThread) [homeassistant.components.tplink_omada.config_flow] Unexpected API error: Omada controller responded 'Two-Factor Authentication is required for local user.' (-30165)
2024-07-21 07:48:42.058 ERROR (MainThread) [homeassistant.components.tplink_omada.config_flow] Unexpected API error: Omada controller responded 'Two-Factor Authentication is required for local user.' (-30165)

Additional information

No response

[home-assistant]

Hey there @MarkGodwin, mind taking a look at this issue as it has been labeled with an integration (tplink_omada) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of tplink_omada can trigger bot actions by commenting:

• @home-assistant close Closes the issue.
• @home-assistant rename Awesome new title Renames the issue.
• @home-assistant reopen Reopen the issue.
• @home-assistant unassign tplink_omada Removes the current integration label and assignees on the issue, add the integration domain after the command.
• @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
• @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

_{^{(message by CodeOwnersMention)}}

---

tplink_omada documentation
tplink_omada source
_{^{(message by IssueLinks)}}

[MarkGodwin]

For now, you can't enable 2FA if you want to use the HA integration. The whole point of 2FA is that you prove your credentials via a second method. HA can't check your phone messages for you to complete the login.

There is a newer Omada API which supports OAuth client secret credentials. While this could potentially be used, but this is quite limited and will require a lot of work to get close to feature parity with the v2 API we currently use. We'll probably be forced onto the new API eventually, but there is no short-term fix possible for 2FA support.

[dmelideo]

Thank you Mark. I had initiated 2FA based on messages from TP-Link that shortly 2FA was going to be required on all accounts. Appreciate your response.

…

On Mon, Jul 22, 2024 at 4:34 AM MarkGodwin ***@***.***> wrote: For now, you can't enable 2FA if you want to use the HA integration. The whole point of 2FA is that you prove your credentials via a second method. HA can't check your phone messages for you to complete the login. There is a newer Omada API which supports OAuth client secret credentials. While this could potentially be used, but this is quite limited and will require a lot of work to get close to feature parity with the v2 API we currently use. We'll probably be forced onto the new API eventually, but there is no short-term fix possible for 2FA support. — Reply to this email directly, view it on GitHub <#122309 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A2T4HZSYXL7HJ4NUAYPCIWTZNS7ZLAVCNFSM6AAAAABLG3JCM6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBSGM4TIMBZGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[MarkGodwin]

Yeah, I think you only need 2FA for cloud login? Can you use a local account for local access to the controller?

The new Omada Open API is apparently being removed from the OC200 controller in the next update, so this won't be an appropriate alternative to switch to either. The only solution is to not use a cloud account to log in to the controller. I have Cloud access disabled on my controller.

[dmelideo]

Thank you. I tried both local and cloud options without success. I disabled the 2FA and tried logging in again without success. I then remived and reinstalled the integration, login worked perfectly. I will just ride it out like this as long as I can. Appreciate your feedback and follow-up.

…

On Sun, Aug 4, 2024 at 11:09 AM MarkGodwin ***@***.***> wrote: Yeah, I think you only need 2FA for cloud login? Can you use a local account for local access to the controller? The new Omada Open API is apparently being removed from the OC200 controller in the next update, so this won't be an appropriate alternative to switch to either. The only solution is to not use a cloud account to log in to the controller. I have Cloud access disabled on my controller. — Reply to this email directly, view it on GitHub <#122309 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A2T4HZUJOBT4WKI6POXMUS3ZPY72XAVCNFSM6AAAAABLG3JCM6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRXGU3TKNRSHA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[Wibout]

It seems that nowadays (since the last firmware update of my OC200) 2FA is also required for local logins and that is quite anoying.
I sincerely hope TP-Link wil fix this where 2FA will only be necessary for cloud logins.

[levski]

+1

perhaps an option to use a service account with granular permissions for the integration. and to secure the service account, its permissions can only be edited by an account that has 2FA enabled.