rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

[Equipment] OBi110 stopped authing correctly w/ Google this afternoon

This morning I made an outbound call, proving everything was OK with OBi110 plus Google Voice. But this afternoon when looking over at it, only the power LED was lit, meaning one of the services lost connectivity. (It's supposed to have power plus the one with the telephone/handset logo lit.) Looking into the device, it said authentication failed on SP1, and it was backing off. I will also note that since Obihai wants to store my admin password, I normally disable the ObiTALK service and the Obi autoprovisioning, and do any updates locally (not through the ObiTALK portal). Of course, with the new OAUTH2 requirements and Obihai's chosen implementation, it is REQUIRED to provision Google Voice through ObiTALK, but once (presumably) the OAUTH2 yummy bits are placed on the device (secret? token? refresh token? I don't know what exactly is needed, just that it's a PITB), if I'm not mistaken, you can shut off communication with Obihai. It was clear back to yesterday that I did anything security related with my Google account (revoking some apps' access, but certainly nothing Obihai related), and I didn't change my password, or turn on two factor auth, or anything like that. In theory, whatever the OBi110 had should have continued working. I reenabled the ObiTALK service, reenabled Obi autoprovisioning, logged into the ObiTALK portal, presumably got an updated token put on my ATA, and it seems to operate.

A few things seem troublesome though.
  • A couple weeks ago, when things were operating just fine, as a matter of periodic maintenance, I logged into the device and created a config backup. Because ObiTALK messed up my customised digit maps, call routing, etc., I restored that config from 07-May. But that caused GV not to auth properly again. I would hope any config dump wouldn't contain the credentials (at least not passwords), but apparently it does.

  • Where was the breakdown? I am reasonably sure I didn't change anything Obi related on the Google side, yet it failed something like 18 hours after the last Google account change.

  • I don't like that auth tokens for Google go through Obihai, but I guess 'dems the breaks; at this point, it's either accept it or don't use GV with an ATA

  • Altering things other than the credentials (like putting in my name instead of leaving it, I think, blank) also caused GV not to auth.

On the positive side, I have Callcentric provisioned on SP2, which seems relatively unaffected. I was expecting Obihai to wipe out all my local changes. It seemed anything I changed locally after the OAUTH2 firmware update would be countermanded by the ObiTALK portal, sort of like resetting it to factory, and rebooting it. (Storing my password is horrid enough, but the other detestable thing is the reboot after EVERY ObiTALK Expert change. At least with local changes, I can make a whole batch of them on several pages and THEN reboot.) So to stop that from happening, as mentioned, I turn off Obi autoprovisioning and the Obitalk service in an attempt to keep it from phoning home (oh the irony, or something, in that statement).

So, am I virtually the only one to which this happened? Anything I can do differently to prevent this from happening again?
taoman
Premium Member
join:2013-09-13
Seattle, WA

1 edit

taoman

Premium Member

said by rchandra:

So, am I virtually the only one to which this happened?

No, you are not the only one.

»www.obitalk.com/forum/in ··· msg73841

Edit: Remember for $6 you can use the Simonic's GV gateway which also gives you CNAM and SIP URI forwarding. Works well and is very reliable. And Bill is a frequent contributor to this forum.
That way you could rid yourself of having to mess with the GV configuration on your OBi and manage everything locally if you wish.

brg
Premium Member
join:2001-01-03
Chicago, IL

brg

Premium Member

said by taoman:

No, you are not the only one.

Thanks for pointing to that obitalk forum posting.

Curiously, compared to those posters, I also use an Obi100 but am having no problems at all. I never use Obitalk, I intentionally never upgraded to the OAUTH2-supporting firmware (I'm on 1.3.0 (Build: 2824)), and (AFAIK) I have all the remote provisioning settings turned off.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

I am so regretful. I was driven by fear that it would stop working if I declined to upgrade the firmware. It was almost immediate, because of the restriction of once updated, it refuses to go back. It makes me wish I had the hardware and knowledge to force it (JTAG for example).
rchandra

rchandra

Premium Member

I just looked...and it's OFFLINE...AGAIN. Ugh.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

Now that you are hooked on GV OAuth2 firmware, consider using OBiTALK.com only to configure GV, then quit it/disable it and proceed to manage your OBi locally. Keep a record of your non-default settings for recovery. And you might want to start fresh with a manual install and reset of the latest firmware.

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

What I'm investigating at this very moment is how to formulate a provisioning file so I can drop it on my TFTP server and have any post-ObiTALK portal mistakes corrected.

»www.obihai.com/docs/OBiP ··· uide.pdf

What I'm wondering is if I can run this file through the parameter restore Web page instead of having to TFTP it, because really, it's only a one-time correction.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

It appears that you can admin your OBi locally, so why not skip using OBiTALK.com except for once up front to setup the GV OAuth2 credentials. Why waste your time fixing OBiTALK.com 'mistakes' when you can just avoid them completely. If you only use OBiTALK.com to initially configure for GV, there may be no other settings affected.

The firmware backup facility normally does not include credentials, so it may not accept them from your provisioning file.

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

said by OzarkEdge:

It appears that you can admin your OBi locally, so why not skip using OBiTALK.com except for once up front to setup the GV OAuth2 credentials. Why waste your time fixing OBiTALK.com 'mistakes' when you can just avoid them completely.

I'm sorry, I think you misunderstand. That's exactly what I intend to do. ObiTALK makes several mistakes. For every time I (presumably) need to fetch a new OAuth2 token, I need to correct these mistakes. I'm simply seeking an automated way of correcting Obihai's mistakes after I have to correct the GV authorization error.

I wish I could avoid them completely. But as discussed, once upgraded to the OAuth2 firmware, you're committed to the ObiTALK portal. The only way that can be avoided is somehow to find a unit with the pre-OAuth2 firmware.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

I am not aware of a requirement to repeatedly fetch/update a GV OAuth2 credential. I thought once was enough. How frequently are you having to revisit OBiTALK.com to fix GV registration?

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

said by OzarkEdge:

How frequently are you having to revisit OBiTALK.com to fix GV registration?

Once per day so far, yesterday and today. But today is young.

I also have SP2 as Callcentric, so I'm not likely to miss any inbounds, but that will likely add some latency (going through 2 VOIP systems, Bandwidth.com (GV) and CC) and without using an Android app or Web browser, I can't do outbound unless GV is "up."
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

said by rchandra:

said by OzarkEdge:

How frequently are you having to revisit OBiTALK.com to fix GV registration?

Once per day so far, yesterday and today. But today is young.

And you're OK with this... actually trying to live with it???

If this were the new norm, I would punt using GV with OBiTALK.com, but I suspect there is another problem in play here. Maybe it has to do with your admin of your GV account yesterday?

I would start over by installing the latest firmware manually and resetting to factory defaults and cycling power.

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

Of COURSE I'm not OK with this, I want Obihai to fix this. But what choice do I have? The whole reason for spending money on this platform is to have direct GV integration instead of incurring the extra latency of forwarding calls to a SIP VOIP provider, and being able to dial out directly. What's going to really suck is if I have to leave ObiTALK autoprovisioning turned on.

I'm not the only one to which this has been happening, so I highly doubt it has anything whatsoever to do with any Google account fiddling (not GV specifically) I did. Look over on the ObiTALK forum link, this has also been happening to people who haven't done any Google account changes. Some aren't so lucky, they apparently can't sign on to ObiTALK and refresh their token, nothing seems to work for them.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

If so, it would appear to be a new problem yet to be resolved. I can't imagine Obihai would want OBiTALK.com trashing user settings. In any event, one more reason not to use GV and OBiTALK.com.

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

1 recommendation

rchandra

Premium Member

said by OzarkEdge:

I can't imagine Obihai would want OBiTALK.com trashing user settings.

It's a support issue. Assume the user basically doesn't know what they're doing, and put in settings that for the vast majority of users will make it "just work." That's very likely why digit maps and routing are overridden, so that most users will think the portal fixed whatever was making it not work.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

said by rchandra:

said by OzarkEdge:

I can't imagine Obihai would want OBiTALK.com trashing user settings.

It's a support issue. Assume the user basically doesn't know what they're doing, and put in settings that for the vast majority of users will make it "just work." That's very likely why digit maps and routing are overridden, so that most users will think the portal fixed whatever was making it not work.

Best I can tell from the forum link is that the affected users have updated pre-OAuth20 firmware to OAuth20 firmware, which then requires reconfiguring GV credentials.

In your case, you are not using OBiTALK.com to admin your OBi, so you are getting your locally managed configuration stepped on by OBiTALK.com (?). You may need to start over, using OBiTALK.com initially to configure GV, and then back out of using it to continue managing your OBi locally. You can't manage your OBi locally and continue to access OBiTALK.com without it messing with your settings.

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

1 edit

rchandra

Premium Member

Look...I'll try to explain this one last time. The only thing I use the OBiTALK portal for is to establish/fix GV. Once that's done, since I don't want Obihai fiddling with it after they do their secret thing, I turn off Obihai autoprovisioning, and manage it locally. I am already well aware that it cannot be managed by both. But when the GV auth breaks down, there is no choice, it must be fixed through the portal, and the portal messes up some of the settings. Maybe there's some way to allow OBiTALK not to alter the settings made locally, or to use the right ones; maybe not.

EDIT: what I mean by that last is, I have several settings which were made on the local box, especially all of the SP2 and ITSP B settings for Callcentric, which are not on the OBiTALK portal; it skips those and leaves them alone.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

Then the problem remains that your GV registration is breaking down. The other users in that link seem to be transitioning from pre-OAuth2 firmware, and do not have your recurring post-OAuth2 registration problem.

And yes, if you have to keep accessing OBiTALK.com to fix this problem, it's going to step on your locally managed settings.

My point remains, I think the problem to solve is your GV registration breaking, not OBiTALK.com stepping on your settings.

Me, I'd start fresh as previously suggested.

OE

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

said by OzarkEdge:

Then the problem remains that your GV registration is breaking down.

well, yeah...I think we have agreed on that from the start.
said by OzarkEdge:

And yes, if you have to keep accessing OBiTALK.com to fix this problem, it's going to step on your locally managed settings.

unfortunately, which is why I'm looking for automated ways of fixing anything the portal gets wrong w/o disturbing Obihai's fragile GV token fiddly bits.
said by OzarkEdge:

Me, I'd start fresh as previously suggested.

not necessary, because it's mostly right. No need to do a lot of work after "starting fresh."
phonesimon
join:2014-10-08
Pennsylvania

1 recommendation

phonesimon to rchandra

Member

to rchandra
You may want to inquire more about the technology with Obihai or the Obihai users forum. The issue appears to be the refreshing of the oauth token.

There are two tokens involved: a short-lived auth token and a long-lived refresh token. The refresh token is presented to the provider to get an auth token, and the auth token is presented to the service to log in. The lifetime of the auth token is one hour.

The question is whether the Obihai device does the work of presenting the refresh token for an auth token or the Obitalk service does this on behalf of the user and then gives the auth token to the device for logging in.

If the Obitalk service does this, then the only way you will be able to continue logging in is if your device is using Obitalk provisioning.
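
Added example, not part of phonesimon's post and not Obihai's or Google's code: a toy Python model of the two designs the post distinguishes, showing how each behaves once portal provisioning is switched off. `Provider`, `Device` and `hours_until_failure` are hypothetical names and the tokens are constructed; the only value taken from the thread is the one-hour auth-token lifetime.

```python
import secrets

ACCESS_TTL = 3600  # seconds; the one-hour auth-token lifetime stated in the post


class Provider:
    """Constructed stand-in for the OAuth2 provider: issues and checks tokens."""

    def __init__(self):
        self.refresh_tokens = set()   # long-lived, revocable
        self.access_tokens = {}       # auth token -> expiry time (seconds)

    def authorize(self):
        rt = secrets.token_hex(8)
        self.refresh_tokens.add(rt)
        return rt

    def refresh(self, refresh_token, now):
        if refresh_token not in self.refresh_tokens:
            raise PermissionError("invalid or revoked refresh token")
        at = secrets.token_hex(8)
        self.access_tokens[at] = now + ACCESS_TTL
        return at

    def login(self, access_token, now):
        return self.access_tokens.get(access_token, 0) > now


class Device:
    """Hypothetical ATA. holds_refresh=True means the device refreshes by itself."""

    def __init__(self, provider, holds_refresh):
        self.provider = provider
        self.holds_refresh = holds_refresh
        self.refresh_token = self.access_token = None

    def provision(self, refresh_token, now):
        # One portal pass: an auth token is always pushed to the device;
        # the refresh token is stored on the device only in the device-held design.
        self.access_token = self.provider.refresh(refresh_token, now)
        if self.holds_refresh:
            self.refresh_token = refresh_token

    def register(self, now):
        if not self.provider.login(self.access_token, now) and self.refresh_token:
            try:
                self.access_token = self.provider.refresh(self.refresh_token, now)
            except PermissionError:
                return False
        return self.provider.login(self.access_token, now)


def hours_until_failure(holds_refresh, revoke_at_hour=None, horizon=48):
    """Provision once at t=0, then disable the portal; return first failing hour."""
    provider = Provider()
    rt = provider.authorize()
    dev = Device(provider, holds_refresh)
    dev.provision(rt, now=0)
    for hour in range(1, horizon + 1):
        if revoke_at_hour == hour:
            provider.refresh_tokens.discard(rt)  # e.g. access revoked at the provider
        if not dev.register(now=hour * 3600):
            return hour
    return None
```

In this model the portal-held design fails at the first hourly expiry after provisioning is disabled, while the device-held design keeps registering until the refresh token itself is revoked, so the time between disabling provisioning and the first auth failure helps tell the two designs apart.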
OzarkEdge
join:2014-02-23
USA

OzarkEdge to rchandra

Member

to rchandra
said by rchandra:

unfortunately, which is why I'm looking for automated ways of fixing anything the portal gets wrong w/o disturbing Obihai's fragile GV token fiddly bits.

This is the only reason I'm posting to this topic... to suggest that you are heading in the wrong direction here to solve your problem. There have been no reports of fragile GV OAuth2 credentials; your linked reference does not support this. And attempting to semi-automate a DAILY workaround to OBiTALK.com stepping on your locally managed settings compounds a completely unacceptable workaround to solving the recurring GV registration breaking problem.

BTW, make sure you disable all of these when trying to back away from using OBiTALK.com (now on a daily basis):

System Management
Auto Provisioning - Auto Firmware Update::Method = Disabled
Auto Provisioning - ITSP Provisioning::Method = Disabled
Auto Provisioning - OBiTalk Provisioning::Method = Disabled
Voice Services
OBiTALK Service - OBiTALK Service Settings::Enable = NOT checked

OE
taoman
Premium Member
join:2013-09-13
Seattle, WA

taoman to rchandra

Premium Member

to rchandra
My question is why is this only happening to OBi 1xx devices? Not a single report on this issue from anyone with a 20x device or higher.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

4 edits

1 recommendation

rchandra

Premium Member

Oh, boy, here we go. Now when I log into OBiTALK, and click on the "OK, my device is shnockered, let's go get a new Google OAuth2 token," I get this:

Please Note:
This OBi device's annual support entitlement has expired. An important software update with enhanced security and ease of use features is required to maintain Google Voice service on this OBi device. To automatically upgrade this device using the OBiTALK portal as well as get access to Obihai’s Premium Support help desk, a paid support plan is required. To purchase 1-year of Obihai Premium Support, use the button found in the Support and Warranty tab. When device's support status is Active, the software update can continue by selecting the update triangle adjacent to the device, in the OBiTALK dashboard.

So now I think we know what's afoot. They want more money.

Hey, to be fair, it's only $10 and it's a year. So overall, not too bad. I'm just kind of disappointed they've chosen to go in this direction, instead of allowing people a means to auth to GV independently of them. So it looks like this box just changed from $0/year for GV to at least $10/yr for GV. Not complaining (too hard), just sayin'

EDIT: Additionally, it appears as though the option to do GV setup is no longer possible through their portal. All it does is put up that message again.

EDIT2: Oh, wonderful. In order to use Amazon Payments with their page for paying for this support, you must lower your browser security settings by allowing third-party cookies. How loverly.

EDIT3: I'll say this much...each step of the way, from spending $50 for the device, to relying on Google to provide the Voice service for no charge, to authorizing Callcentric to charge me $1.50 each month for 9-1-1 service in order to partake of their "free"(-ish) incoming number when Google warned (threatened?) that my device might not work, to accepting Obihai's firmware due to fear that not accepting it would result in making Google's warning/threat be realized, to paying Obihai about an hour ago, I had to make a decision. It doesn't mean that I totally liked making each of these decisions. At any point, I could have decided, "screw Obihai and their slimy practices" and ceased to use the GV features of the device, or totally disused it and used another (the SPA2000 I bought from VoicePulse in 2004 for example). Storing my device's credentials, and possibly having access to some auth tokens for my Google account, are horrid practices in my opinion. It's a gamble that I'm taking, that Obihai will remain (reasonably) secure so that no one else is able to obtain my device's Google token (if Obihai have it), but I'm going to mitigate someone having admin access to my device by turning off Obitalk remote provisioning then changing the admin password. It will have a (non-default) password for when I have to do the OBiTALK portal dance again, and one for day-to-day operations.

Still it kind of feels like extortion. Give us money, or your device's distinguishing feature will cease to work. At least for now, it's worth it at the (relatively) small price for the convenience of being able to dial a phone normally instead of having to bring up an app or a Web page in order to call out.
thUzu7AkU
Premium Member
join:2014-05-05
Beverly Hills, CA

thUzu7AkU

Premium Member

Do you have "less secure apps" turned ON for your Google account? »www.google.com/settings/ ··· cureapps

Reference: »support.google.com/accou ··· 55?hl=en

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

rchandra

Premium Member

pretty sure.

Don't quite know how that's relevant. It worked fine for over a year. I think it's Obihai's decision to update their user base's firmware, and to demand $10 for that.
thUzu7AkU
Premium Member
join:2014-05-05
Beverly Hills, CA

thUzu7AkU

Premium Member

Are you able to update firmware from phone connected to Obi by dialing ***6 ?

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

No.

Actually, it happened "the other way 'round." After I paid me $10, and refreshing the OBiTALK page, a JavaScript popup offered to upgrade the device for me by clicking "OK," or declining by clicking "cancel." So, not wanting to waste the (admittedly minor after this much time) investment in the hardware, and not wanting to waste a perfectly good $10, I clicked "OK" (or "yes," or whatever it was...in the affirmative, go do it), at which time the Ethernet LED went nuts, then the power LED went nuts, then the power LED went solid red and the relay clicked. (well, you probably recognize this as the unit's behavior for a firmware update and reboot.) And wouldn't you know, there were once again options to get a token for my Google account again.
taoman
Premium Member
join:2013-09-13
Seattle, WA

taoman

Premium Member

said by rchandra:

a JavaScript popup offered to upgrade the device for me by clicking "OK," or declining by clicking "cancel."

After paying the $10 and "upgrading" did your firmware version level change? Latest version I'm aware of for 1xx series is 1.3.0 (Build: 2872).

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

1 edit

2 recommendations

rchandra

Premium Member

SoftwareVersion 1.3.0 (Build: 2886)

I am reasonably certain for this you will have to pay (at least $10).
rchandra

rchandra to OzarkEdge

Premium Member

to OzarkEdge
said by OzarkEdge:

There have been no reports of fragile GV OAuth2 credentials

OK, I'll give you one then. I got my auth token(s) through OBiTALK this morning, after the reboot it was showing good. I did (the usual) disabling of OBiTALK provisioning and ObiTALK service, and simply changed my name on the Google Voice page (can't remember now if that's in SP1 or ITSP A)...not that it'd matter, if anything any CallerID with name would probably be taken from my Google profile, but anyways....to get on with the narrative: After committing only the name change, and rebooting, it would not log onto Google. I call that fragile.