ibeam
ibeam copied to clipboard
Voyz
Authentication failure despite successful login
Describe the bug This bug started yesterday. Upon starting the container and authenticating through the mobile app, system displays "Logging in succeeded" immediately followed by "Repeatedly reauthenticating failed 3 times".
I experienced this upon trying to migrate from macOS to Linux. Upon trying to run the tunnel on macOS this morning, my macOS deployment has regressed and has the same issue, rendering ibeam inoperable on both systems.
Environment IBeam version: tested on 0.5.8 and 0.5.9 Docker image or standalone: docker OS: macOS Sequoia 15.7.1 (0.5.8) and Bazzite 43 (0.5.9)
Terminal Output on Bazzite
$ docker run --env-file .env -p 5001:5000 voyz/ibeam
2025-11-18 16:38:18,606|I| ############ Starting IBeam version 0.5.9 ############
2025-11-18 16:38:18,608|I| Secrets source: env
2025-11-18 16:38:18,609|I| Health server started at port=5001
2025-11-18 16:38:18,609|I| Configuration:
{'INPUTS_DIR': '/srv/inputs/', 'OUTPUTS_DIR': '/srv/outputs', 'GATEWAY_DIR': '/srv/clientportal.gw', 'CHROME_DRIVER_PATH': '/usr/bin/chromedriver', 'GATEWAY_STARTUP': 20, 'GATEWAY_PROCESS_MATCH': 'ibgroup.web.core.clientportal.gw.GatewayStart', 'MAINTENANCE_INTERVAL': 60, 'SPAWN_NEW_PROCESSES': False, 'LOG_LEVEL': 'INFO', 'LOG_TO_FILE': True, 'LOG_FORMAT': '%(asctime)s|%(levelname)-.1s| %(message)s', 'REQUEST_RETRIES': 2, 'REQUEST_TIMEOUT': 15, 'RESTART_FAILED_SESSIONS': True, 'RESTART_WAIT': 15, 'REAUTHENTICATE_WAIT': 15, 'HEALTH_SERVER_PORT': 5001, 'SECRETS_SOURCE': 'env', 'GCP_SECRETS_URL': None, 'START_ACTIVE': True, 'GATEWAY_BASE_URL': 'https://localhost:5000', 'ROUTE_AUTH': '/sso/Login?forwardTo=22&RL=1&ip2loc=on', 'ROUTE_VALIDATE': '/v1/portal/sso/validate', 'ROUTE_REAUTHENTICATE': '/v1/portal/iserver/reauthenticate?force=true', 'ROUTE_INITIALISE': '/v1/api/iserver/auth/ssodh/init', 'ROUTE_AUTH_STATUS': '/v1/api/iserver/auth/status', 'ROUTE_TICKLE': '/v1/api/tickle', 'ROUTE_LOGOUT': '/v1/api/logout', 'USER_NAME_EL': None, 'PASSWORD_EL': 'NAME@@password', 'SUBMIT_EL': 'CSS_SELECTOR@@.btn.btn-lg.btn-primary', 'ERROR_EL': None, 'SUCCESS_EL_TEXT': 'TAG_NAME@@Client login succeeds', 'LIVE_PAPER_TOGGLE_EL': 'FOR@@label[for=toggle1]', 'USE_PAPER_ACCOUNT': False, 'OAUTH_TIMEOUT': 15, 'PAGE_LOAD_TIMEOUT': 15, 'ERROR_SCREENSHOTS': False, 'MAX_FAILED_AUTH': 5, 'MIN_PRESUBMIT_BUFFER': 5, 'MAX_PRESUBMIT_BUFFER': 30, 'MAX_IMMEDIATE_ATTEMPTS': 10, 'IBKEY_PROMO_EL_CLASS': 'CLASS_NAME@@ibkey-promo-skip', 'AUTHENTICATION_STRATEGY': 'B', 'MAX_STATUS_CHECK_RETRIES': 120, 'MAX_REAUTHENTICATE_RETRIES': 3, 'UI_SCALING': 1.0, 'TWO_FA_EL_ID': 'ID@@twofactbase', 'TWO_FA_NOTIFICATION_EL': 'CLASS_NAME@@login-step-notification', 'TWO_FA_INPUT_EL_ID': 'ID@@xyz-field-bronze-response', 'TWO_FA_HANDLER': None, 'STRICT_TWO_FA_CODE': True, 'TWO_FA_SELECT_EL_ID': 'ID@@xyz-field-bronze-response', 'TWO_FA_SELECT_TARGET': 'IB Key', 'CUSTOM_TWO_FA_HANDLER': 'custom_two_fa_handler.CustomTwoFaHandler'}
2025-11-18 16:38:18,609|I| Gateway not found, starting new one...
2025-11-18 16:38:18,609|I| Note that the Gateway log below may display "Open https://localhost:[PORT] to login" - ignore this command.
2025-11-18 16:38:18,609|I| Starting Gateway as Linux process with params: ['bash', 'bin/run.sh', 'root/conf.yaml']
running
runtime path : root:dist/ibgroup.web.core.iblink.router.clientportal.gw.jar:build/lib/runtime/*
config file : root/conf.yaml
2025-11-18 16:38:18,614|I| Gateway started with pids: [11]
2025-11-18 16:38:18,615|I| Cannot ping Gateway. Retrying for another 20 seconds
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.netty.util.internal.ReflectionUtil (file:/srv/clientportal.gw/build/lib/runtime/netty-common-4.1.15.Final.jar) to constructor java.nio.DirectByteBuffer(long,int)
WARNING: Please consider reporting this to the maintainers of io.netty.util.internal.ReflectionUtil
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
-> mount demo on /demo
Java Version: 11.0.24
****************************************************
version: a27ed42161ad96c53e715ca5c5e3e3fa4cff5262 Mon, 24 Apr 2023 15:41:53 -0400
****************************************************
This is the Client Portal Gateway
for any issues, please contact [email protected]
and include a copy of your logs
****************************************************
https://www.interactivebrokers.com/api/doc.html
****************************************************
Open https://localhost:5000 to login
App demo is available after you login under: https://localhost:5000/demo#/
2025-11-18 16:38:19,980|I| Gateway connection established
2025-11-18 16:38:20,145|I| NO SESSION Status(running=True, session=False, connected=False, authenticated=False, competing=False, collision=False, session_id=None, server_name=None, server_version=None, expires=None)
2025-11-18 16:38:20,145|I| Authentication strategy: "B"
2025-11-18 16:38:20,145|I| No active sessions, logging in...
2025-11-18 16:38:20,145|I| Loading auth webpage at https://localhost:5000/sso/Login?forwardTo=22&RL=1&ip2loc=on
2025-11-18 16:38:27,630|I| Gateway auth webpage loaded
2025-11-18 16:38:27,630|I| Login attempt number 1
2025-11-18 16:38:32,842|I| Submitting the form
2025-11-18 16:38:40,595|I| Webpage displayed "Client login succeeds"
2025-11-18 16:38:41,595|I| Cleaning up the resources. Display: <pyvirtualdisplay.display.Display object at 0x7fe5f585ffd0> | Driver: <selenium.webdriver.chrome.webdriver.WebDriver (session="aed78e68fbea59c6022a0e97973428cc")>
2025-11-18 16:38:41,620|I| Logging in succeeded
2025-11-18 16:38:41,882|I| NO SESSION Status(running=True, session=False, connected=False, authenticated=False, competing=False, collision=False, session_id=None, server_name=None, server_version=None, expires=None)
2025-11-18 16:38:41,882|E| Repeatedly reauthenticating failed 3 times. Killing the Gateway and restarting the authentication process.
2025-11-18 16:38:42,886|I| Starting maintenance with interval 60 seconds
Terminal output on macOS
% docker run --env-file .env -p 5001:5000 voyz/ibeam
2025-11-18 16:41:16,935|I| ############ Starting IBeam version 0.5.8 ############
2025-11-18 16:41:16,939|I| Secrets source: env
2025-11-18 16:41:16,942|I| Health server started at port=5001
2025-11-18 16:41:16,942|I| Configuration:
{'INPUTS_DIR': '/srv/inputs/', 'OUTPUTS_DIR': '/srv/outputs', 'GATEWAY_DIR': '/srv/clientportal.gw', 'CHROME_DRIVER_PATH': '/usr/bin/chromedriver', 'GATEWAY_STARTUP': 20, 'GATEWAY_PROCESS_MATCH': 'ibgroup.web.core.clientportal.gw.GatewayStart', 'MAINTENANCE_INTERVAL': 60, 'SPAWN_NEW_PROCESSES': False, 'LOG_LEVEL': 'INFO', 'LOG_TO_FILE': True, 'LOG_FORMAT': '%(asctime)s|%(levelname)-.1s| %(message)s', 'REQUEST_RETRIES': 2, 'REQUEST_TIMEOUT': 15, 'RESTART_FAILED_SESSIONS': True, 'RESTART_WAIT': 15, 'REAUTHENTICATE_WAIT': 15, 'HEALTH_SERVER_PORT': 5001, 'SECRETS_SOURCE': 'env', 'GCP_SECRETS_URL': None, 'START_ACTIVE': True, 'GATEWAY_BASE_URL': 'https://localhost:5000', 'ROUTE_AUTH': '/sso/Login?forwardTo=22&RL=1&ip2loc=on', 'ROUTE_VALIDATE': '/v1/portal/sso/validate', 'ROUTE_REAUTHENTICATE': '/v1/portal/iserver/reauthenticate?force=true', 'ROUTE_INITIALISE': '/v1/api/iserver/auth/ssodh/init', 'ROUTE_AUTH_STATUS': '/v1/api/iserver/auth/status', 'ROUTE_TICKLE': '/v1/api/tickle', 'ROUTE_LOGOUT': '/v1/api/logout', 'USER_NAME_EL': None, 'PASSWORD_EL': 'NAME@@password', 'SUBMIT_EL': 'CSS_SELECTOR@@.btn.btn-lg.btn-primary', 'ERROR_EL': None, 'SUCCESS_EL_TEXT': 'TAG_NAME@@Client login succeeds', 'LIVE_PAPER_TOGGLE_EL': 'FOR@@label[for=toggle1]', 'USE_PAPER_ACCOUNT': False, 'OAUTH_TIMEOUT': 15, 'PAGE_LOAD_TIMEOUT': 15, 'ERROR_SCREENSHOTS': False, 'MAX_FAILED_AUTH': 5, 'MIN_PRESUBMIT_BUFFER': 5, 'MAX_PRESUBMIT_BUFFER': 30, 'MAX_IMMEDIATE_ATTEMPTS': 10, 'IBKEY_PROMO_EL_CLASS': 'CLASS_NAME@@ibkey-promo-skip', 'AUTHENTICATION_STRATEGY': 'B', 'MAX_STATUS_CHECK_RETRIES': 120, 'MAX_REAUTHENTICATE_RETRIES': 3, 'UI_SCALING': 1.0, 'TWO_FA_EL_ID': 'ID@@twofactbase', 'TWO_FA_NOTIFICATION_EL': 'CLASS_NAME@@login-step-notification', 'TWO_FA_INPUT_EL_ID': 'ID@@xyz-field-bronze-response', 'TWO_FA_HANDLER': None, 'STRICT_TWO_FA_CODE': True, 'TWO_FA_SELECT_EL_ID': 'ID@@xyz-field-bronze-response', 'TWO_FA_SELECT_TARGET': 'IB Key', 'CUSTOM_TWO_FA_HANDLER': 'custom_two_fa_handler.CustomTwoFaHandler'}
2025-11-18 16:41:16,942|I| Gateway not found, starting new one...
2025-11-18 16:41:16,942|I| Note that the Gateway log below may display "Open https://localhost:[PORT] to login" - ignore this command.
2025-11-18 16:41:16,942|I| Starting Gateway as Linux process with params: ['bash', 'bin/run.sh', 'root/conf.yaml']
running
runtime path : root:dist/ibgroup.web.core.iblink.router.clientportal.gw.jar:build/lib/runtime/*
config file : root/conf.yaml
2025-11-18 16:41:16,954|I| Gateway started with pids: [11]
2025-11-18 16:41:16,956|I| Gateway running but not serving yet. Consider increasing IBEAM_GATEWAY_STARTUP timeout. Error: <urlopen error [Errno 111] Connection refused>
2025-11-18 16:41:16,957|I| Gateway connection established
2025-11-18 16:41:16,957|I| Gateway running but not serving yet. Consider increasing IBEAM_GATEWAY_STARTUP timeout. Error: <urlopen error [Errno 111] Connection refused>
2025-11-18 16:41:16,957|I| NO SESSION Status(running=True, session=False, connected=False, authenticated=False, competing=False, collision=False, session_id=None, server_name=None, server_version=None, expires=None)
2025-11-18 16:41:16,957|I| Authentication strategy: "B"
2025-11-18 16:41:16,957|I| No active sessions, logging in...
2025-11-18 16:41:16,957|I| Loading auth webpage at https://localhost:5000/sso/Login?forwardTo=22&RL=1&ip2loc=on
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.netty.util.internal.ReflectionUtil (file:/srv/clientportal.gw/build/lib/runtime/netty-common-4.1.15.Final.jar) to constructor java.nio.DirectByteBuffer(long,int)
WARNING: Please consider reporting this to the maintainers of io.netty.util.internal.ReflectionUtil
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
-> mount demo on /demo
Java Version: 11.0.24
****************************************************
version: a27ed42161ad96c53e715ca5c5e3e3fa4cff5262 Mon, 24 Apr 2023 15:41:53 -0400
****************************************************
This is the Client Portal Gateway
for any issues, please contact [email protected]
and include a copy of your logs
****************************************************
https://www.interactivebrokers.com/api/doc.html
****************************************************
Open https://localhost:5000 to login
App demo is available after you login under: https://localhost:5000/demo#/
2025-11-18 16:41:25,116|I| Gateway auth webpage loaded
2025-11-18 16:41:25,116|I| Login attempt number 1
2025-11-18 16:41:30,372|I| Submitting the form
2025-11-18 16:41:40,574|I| Webpage displayed "Client login succeeds"
2025-11-18 16:41:41,577|I| Cleaning up the resources. Display: <pyvirtualdisplay.display.Display object at 0xffff91511bd0> | Driver: <selenium.webdriver.chrome.webdriver.WebDriver (session="21e01610f8fb1901aee3efe80c5e1e2f")>
2025-11-18 16:41:41,616|I| Logging in succeeded
2025-11-18 16:41:41,740|I| NO SESSION Status(running=True, session=False, connected=False, authenticated=False, competing=False, collision=False, session_id=None, server_name=None, server_version=None, expires=None)
2025-11-18 16:41:41,740|E| Repeatedly reauthenticating failed 3 times. Killing the Gateway and restarting the authentication process.
2025-11-18 16:41:42,750|I| Starting maintenance with interval 60 seconds
I had this issue after I used the CP Gateway for the same account from different IPs (local and remote). It was fixed by logging in using the web interface, which triggered an additional authentication/identity confirmation request (e-mail confirmation in addition to the regular mobile 2FA). Note that neither TWS nor CP Gateway triggered this additional verification, only the website login.
