Maintaining user identity from SSO, within web AMI for shotgun API (and more)

The Python API is our older solution to interact with Shotgun. It encapsulates requests using our custom query language. Purely data driven, no GUI.

The REST API is our current language agnostic solution.

While the way to use them does differ, they share the same authentication possibilities:

  1. using a script name and API key pair
  2. using a username and password pair
  3. using a session token (this is Shotgun specific, and you can see one such token in your browser if you look at your Shotgun cookies)

Script Name / API Key: these are meant to be used for service-related tasks. Not really appropriate for regular user interaction with Shotgun.

Username / Password: not possible on an SSO-using Shotgun site (see the gory details here).

Session Token: the cookie used by Shotgun is tagged as Secure and HTTP only, so your JavaScript code will not be able to get to it.

So for a purely web based application, I do not see any current path at this time for you to make it work without first obtaining an existing and valid session token (via copy/paste or by using an external application).

In our native applications (Shotgun Desktop, Shotgun Create and RV), we leverage Qt’s WebEngine to lead the user into a login flow (details in the article I cited above), and simply get the session token out of the cookie jar. We then turn around and use that token to initiate a connection to Shotgun.

I am trying to think of a way to make things work for you, and unfortunately I cannot think of anything that is not a hack and that does not require a native app to bootstrap the process.

Sorry.

-Patrick
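
The cookie behaviour described in the post above, as an added example that is not part of the original post and is not Shotgun code: it models why page JavaScript cannot read a cookie tagged Secure and HttpOnly while a native host that owns the cookie jar can. The cookie names, values and URLs are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example: which cookies page script can read versus a native cookie jar.
// Cookie names, values and URLs are constructed, not Shotgun's real ones.

// Parse one Set-Cookie header into { name, value, httpOnly, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.has('httponly'),
    secure: flags.has('secure'),
  };
}

// What the browser stores for the page: Secure cookies are only kept on https.
function cookieJar(headers, pageUrl) {
  const https = new URL(pageUrl).protocol === 'https:';
  return headers.map(parseSetCookie).filter((c) => c && (https || !c.secure));
}

// What document.cookie would hand to page JavaScript: HttpOnly entries are hidden.
function scriptVisible(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What a native host that owns the cookie store can read: every entry.
function nativeVisible(jar) {
  return Object.fromEntries(jar.map((c) => [c.name, c.value]));
}

// Constructed sample response headers.
const SAMPLE_HEADERS = [
  'example_session=CONSTRUCTED-TOKEN; Path=/; Secure; HttpOnly',
  'ui_theme=dark; Path=/',
];
const jar = cookieJar(SAMPLE_HEADERS, 'https://example.invalid/page');
console.log('script sees:', scriptVisible(jar));
console.log('native sees:', nativeVisible(jar));
```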