Problem with new Autodesk login and Shotgun Pipeline Toolkit Core API

DirkJanMi · July 2, 2021, 11:44am

Hi everyone,

we are currently trying to port our in-house pipeline tool, which connects to ShotGrid via the Shotgun Pipeline Toolkit Core API, to working with the new Autodesk login.
Problem is, we are still using Python2 / PyQt4 as of now and it will still take us a while to get our whole tool converted to Py3.
Now we noticed some strange behavior when trying to log in:

the function “is_autodesk_identity_enabled_on_site” returns FALSE, the variable “is_unified_login_flow_enabled_on_site” returns TRUE - we haven’t switched to Autodesk login only yet, but both login types are allowed right now, so that is the reason for the functions returning as they do?
We suppose the variable “shotgun_authenticator_support_web_login” in “/tank/authentication/web_login_support.py” is meant to be set to TRUE when we want to test our web login as long as we have “is_autodesk_identity_enabled_on_site” being FALSE?
now, when we enter the URL of our website, the username and password fields disappear, as should be expected, and a message “Sign in using the web” appears.
As soon as we click on “Sign in”, a QWebView window appears which should show the website https://[our-site].shotgunstudio.com/user/login?return_path=/auth/landing?product=toolkit.
now the WebView window keeps crashing every time.
hard coding a simple “www.google.com” into the WebView url lets the window work just fine…

Is there something we need to be aware of when calling the login url with PyQt4 QWebView? Because when opening the url with Google Chrome, the login also appears without any errors.

Best regards,

Dirk Jansen-Michels
Software Developer / Pipeline TD

DirkJanMi · July 2, 2021, 3:08pm

Ok I have now discovered that when I leave the frozen QWebView window open for about 15 minutes, the web page seems to appear, but ONLY the shotgun version number which is usually shown at the bottom of the page. No login buttons, no shotgrid logo…

DirkJanMi · July 2, 2021, 4:06pm

is this maybe connected to the “polyfill” that is in the tank/authentication/sso_saml2/core/sso_saml2_core.py file?
it seems like only the javascript content of the login web page isn’t being shown, and causes the “almost freezing”.
the comments in the sso_saml2_core.py file mention some definitions missing in PyQt4 WebView which requires the JavaScript polyfill. is there anything that needs to be fixed/updated on the polyfill section? i’m not that much of a web / javascript guy, so i have no idea what might go wrong there…

patrick-hubert-adsk · July 4, 2021, 11:39pm

Hi @DirkJanMi

The is_autodesk_identity_enabled_on_site will be true only, and only when the site has fully transitioned to Autodesk Identity. While the dual-mode is enabled, the actual authentication mode is the original mode.

Where is your PySide/Qt4 bundle is coming from ? Can you provide exact versions ?

I need to dig a bit more for the answer to your other questions.

Sorry for the delays,

-Patrick

DirkJanMi · July 5, 2021, 8:55am

We are currently working with PyQt 4.8.7.

By the way, is this whole topic critical for us? I’m still a little bit confused about the way things will work once we fully switch to Autodesk login.
Is it still possible for our users to use the simple “Username / password” dialog that we are using right now? Because then we wouldn’t need the web window to pop up…
I have read in this thread here (ShotGrid Dev & API consequences - #22 by Ricardo_Musch) that it will still be possible to have a API login with username / password as long as the users have their Personal Access Token set up correctly.
So do I only need to tell all my colleagues to check their Autodesk Account and PAT and everything will work as usual?
What about new users that only have a Autodesk Identity? I mean of course they will also be represented as User entitites in our ShotGrid instance and therefore also have a “login” name set (which is their username to use I suppose), but what about the password? Can they use their ShotGrid login name combined with their Autodesk Identity password for simple API username / password login? Or isn’t that how it’s supposed to work and we will have to use a web login with our API connection?

patrick-hubert-adsk · July 5, 2021, 5:14pm

Hi @DirkJanMi

The theory is:
With Autodesk Identity enabled, APIs can authenticate:

using a Web Like environment (Qt) to initiate the login process, and capture the resulting _session_id cookie to authenticate with the API calls, or
if the user has a PAT set in their user account, and has a passphrase set, then they just need to pass on the login and passphrase. No dependency on Qt or other libraries.

The preferred authentication method is to use the QWebView : users the use their Autodesk Identity account to login.

The legacy login, leveraging the Personal Access token, should be considered only when it is not possible to use a QWebView. The login and password could be different from the Autodesk Identity login, which adds friction in the authentication process.

The current situation:

there seems to be a bug in the toolkit where the QWebView path is always used for authentication when Autodesk Identity is detected, and there are no ways to disable that.

You should definitely be able to authenticate with the old GUI that just asks for the site url/username/password.

I will investigate and report back here.

Would you be able to use a bugfix branch of tk-core, in order to test any potential fixes we might do ?

For your new users question: they will need to set a passphrase in ShotGrid for their users, in the same panel where the need to enter a Personal Access Token.

-Patrick

DirkJanMi · July 6, 2021, 2:40pm

Hi Patrick,

thanks for your reply! If you have a bugfix branch for me to test, that would be great.
Best regards,

Dirk

patrick-hubert-adsk · July 6, 2021, 7:34pm

Hi @DirkJanMi

So, I confirm that there are currently 2 bugs in tk-core:

It is not possible to use a console-based script to authenticate with ShotGrid even if the user has a PAT defined.
When a QApplication exists, we always force the user to Authenticate with a QWebView/QWebEngineView when the target site uses Autodesk Identity

I am currently working on this, and will be submitting to QA likely tomorrow.

-Patrick

patrick-hubert-adsk · July 11, 2021, 8:34pm

Hi @DirkJanMi

My apologies for the delays, there were complications in my fix (undesired impacts on the ShotGrid desktop). But that should be resolved now.

My new code still needs to undergo code-review and QA.

But the good new is it will not require a new installer for the ShotGrid Desktop, which will expedite the release of the new tk-core with my fix.

Sorry again,

-Patrick

patrick-hubert-adsk · July 19, 2021, 3:59pm

Hi @DirkJanMi,

A new version of tk-core is now available : tk-core v0.20.3

That version includes the fixes made to allow using the old login/password method (on the console and with Qt) to authenticate against an Autodesk Identity-using ShotGrid site. A PAT must have been defined for that user.

Hoping this unblocks your development.

-Patrick