Two Factor Auth error using REST API

I’m trying to log in using the REST API and we have set up Two-Factor Authentication. How do I achieve this with the REST API? Currently I supply my username and password and when I execute it, I get the following error:

  1. responseText: "{"errors":[{"id":"61c00f3eff21913f78ce0c537e6b813c","status":400,"code":106,"title":"Missing argument for 2FA login","source":{"auth_token":"missing for 2FA login"},"detail":null,"meta":null}]}"

Code:

function queryShotgun() {
    var headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'application/json'
    };

    $.ajax({
        url: '####/api/v1/auth/access_token',
        method: 'POST',

        headers: headers,
        data: {
            grant_type: 'password',
            username: '####',
            password: '####'
        },
        success: function (data) {
            console.log(JSON.stringify(data));
            console.log(data);
            $('#accessOutput').html(data.access_token);
        },
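        error: function (jqXHR) {
            // On failure the callback receives the jqXHR object, which has no
            // access_token; show the server's error body as plain text instead.
            console.log(jqXHR);
            $('#accessOutput').text(jqXHR.responseText);
        }
    });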
}

window.onload = function(){
  queryShotgun();
};
1 Like

The reason I ask is because I’m working on a web application for the studio and we require that everyone does two-factor authentication. However, in my web application I’m having users log in with their Shotgun credentials, and realized the two-factor login needs to also be implemented. So any help here would be awesome. I assume it’s possible considering the Python API is doing this somehow.

I’m completely lost here on why this keeps saying the auth_token is not supplied when it’s clearly in the payload of the data being passed? I even went as far as to debug print how the python module is doing it. My params are the same and it doesn’t work. Any help is much appreciated. I’ve been at this for several days now with no headway. Not sure why :crazy_face:

{"errors":[{"id":"5bb378eacd42696f3b7a6a72aea0e860","status":400,"code":106,"title":"Missing argument for 2FA login","source":{"auth_token":"missing for 2FA login"},"detail":null,"meta":null}]}

function checkUserLogin2FA() {    
    $.ajax({
        url: '#####/api/v1/auth/access_token',
        method: 'POST',

        headers: {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'application/json',
            'Connection': 'keep-alive'
        },
        data: {
            grant_type: 'password',
            auth_token: '#####',
            username: '#####',
            password: '#####'
        },
        success: function (data) {
            console.log(JSON.stringify(data));
            console.log(data);
            $('#accessOutput2').html(data.access_token);
        },
        error: function (data) {
            console.log(data);
            $('#accessOutput2').html(data.responseText);
        }
    })
}

window.onload = function(){
  checkUserLogin2FA();
};

I’ve also attempted to do this with Python just for the pure sake of making sure I wasn’t going insane, and I get the same error and I have no idea why.

import requests
from urllib.parse import urlencode

# Site URL
login_url = 'https://####.shotgunstudio.com/api/v1/auth/access_token'

# URL Encode for safety
url_credentials = urlencode({
    'username': '####',
    'password': '####',
    'grant_type': 'password',
    'auth_token': '####'
})
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'application/json',
    'Connection': 'keep-alive'
}

# Log in with the user's credentials plus the 2FA auth_token
response = requests.post(login_url, data=url_credentials, headers=headers)
print(vars(response))
if response.status_code == 200:
    # Get token type and access token from successful response
    _token_type = response.json()['token_type']
    _token = response.json()['access_token']
    token_string = '{0} {1}'.format(_token_type, _token)
    print(token_string)

Hi @JokerMartini,

First off I just want to say that I am not too acquainted with the SG 2FA flow. However, I do not believe it is possible to side-step the Two-factor Authentication. In general terms, the 2FA exists to prevent things such as script logins and is intended to be used by a human user at the time of login.

Also, auth_token is not a valid key for grant type: password, according to the docs.

If I understand your situation correctly, you are trying to implement authentication in your own custom site that hooks into the SG API for validating the username/password?

If this is the case then it would be fair to assume that you need the user’s login for contextual filtering etc. Depending on the size of your user base, you may just want to maintain a separate auth database (perhaps you already have AD/LDAP etc.) for authentication. Then once successfully authenticated, in your site you can set up a script user with client_credentials for querying relevant data from SG using the previously gained username. This should work out for you as long as the logins between your auth database and SG match.

I would recommend against disabling 2FA or sending a username/password combo to SG. The client_credentials grant_type with Pipeline Scripts would, I believe, be the best way to move forward for you, though I will leave it up to an SG Admin to comment on best practices.

1 Like

I would imagine the REST API supports it somehow as this is done in their Python tools. And after digging around in their Python files I saw they were doing it almost identically to mine. I’m creating a web tool where I need a user to be able to log in in order to use it.

The Shotgun toolkit has users log in via Python and does it very similarly with the TFA within the tool. Maybe there is a way. Otherwise that would be so sad.

These are the arguments the Python implementation is using…

_http_request verb: POST
_http_request path: /api3/json
_http_request body: {"method_name": "get_session_token", "params": [{"user_login": "####", "user_password": "####", "auth_token": "####"}]}
_http_request headers: {'connection': 'keep-alive', 'content-type': 'application/json; charset=utf-8', 'user-agent': 'shotgun-json (3.2.2); Python 2.7 (Windows); ssl OpenSSL 1.0.2k 26 Jan 2017 (validate)'}
_http_request url: https://###.shotgunstudio.com/api3/json
_http_request scheme: https
_http_request server: ###.shotgunstudio.com
_http_request path: /api3/json

Did anyone have any suggestions on how to do this in JavaScript? We are trying to get users set up from home with user logins; however, we need the TFA to work from.

1 Like

Hi @JokerMartini,

This seemed pretty simple to me but I couldn’t figure out what you were doing wrong. I tried writing my own version of this in Python and went down the rabbit hole of debugging it. Turns out, we’ve got a bug (which I’ve now ticketed up for the engineering team) where the auth_token isn’t being forwarded properly and causing this issue.

Long story short, I’m sorry to say this is a bug on our side.

I’m not sure if you have an alternate authentication source as @Sreenathan_Nair was suggesting. As he said, you could authenticate against that alternate source and assuming there’s a mapping between the alternate source and Shotgun’s logins you could use a script name/key and sudo functionality in your web app’s backend.

3 Likes

Hey Bouchep,
Thanks for looking at this. Does this mean the dev team will add the auth_token support into the REST API since it currently is not a supported parameter when trying to use login credentials?

Secondly, is there a public ticketing board or way of me following the ticket to know when it’s addressed so I could implement this?

The way we have things structured on this custom site it would be more work developing something new, vs waiting for this to be fixed so users can simply log in using their Shotgun usernames.

I’m glad we found the bug though and hope we can resolve it. :slight_smile:

3 Likes

Our bug tracker isn’t publicly available, but you can track the release notes for the current version and the release notes category.

When we address the issue, it’ll show up there as SG-16940.

I can’t give you an ETA but the issue has been prioritized really close to the top of the pile. :wink:

4 Likes

Good evening,

The latest version of Shotgun, released today, contains support for the auth_token.

The online doc, at https://developer.shotgunsoftware.com/rest-api/#password-credentials, has been updated to reflect that fact.

Happy coding,

-Patrick

4 Likes
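
The two-step flow this thread ends with, as an added example that is not code from any poster or from Shotgun: send the password grant, and when the server answers with the code 106 error quoted earlier in the thread, ask the user for their 2FA code and retry with auth_token. The function names, the injected `post`/`askCode` callbacks and the sample values are assumptions made for the example.

```javascript
// Added example: field names and the error shape come from the posts in this
// thread; function names and sample values are constructed for illustration.

// Build the x-www-form-urlencoded body for POST /api/v1/auth/access_token.
// auth_token (the user's current 2FA code) is included only when supplied.
function buildTokenBody(username, password, authToken) {
  const body = new URLSearchParams({ grant_type: 'password', username, password });
  if (authToken) body.set('auth_token', authToken);
  return body.toString();
}

// True when an error response is the "Missing argument for 2FA login" case
// (status 400, code 106, source.auth_token set): ask for a code and retry.
function needsTwoFactor(status, responseText) {
  if (status !== 400) return false;
  let parsed;
  try { parsed = JSON.parse(responseText); } catch (e) { return false; }
  const errors = Array.isArray(parsed && parsed.errors) ? parsed.errors : [];
  return errors.some(e => e && e.code === 106 &&
    e.source !== null && typeof e.source === 'object' && 'auth_token' in e.source);
}

// Two-step login. post(body) resolves to { status, text } and askCode()
// resolves to the code the user typed; both are injected so this runs offline.
async function login(post, askCode, username, password) {
  let res = await post(buildTokenBody(username, password));
  if (needsTwoFactor(res.status, res.text)) {
    res = await post(buildTokenBody(username, password, await askCode()));
  }
  if (res.status !== 200) throw new Error('login failed with status ' + res.status);
  const { token_type, access_token } = JSON.parse(res.text);
  return token_type + ' ' + access_token; // value for the Authorization header
}

// Constructed error body, same shape as the responses quoted in the thread.
const SAMPLE_2FA_ERROR = JSON.stringify({ errors: [{ id: 'constructed', status: 400,
  code: 106, title: 'Missing argument for 2FA login',
  source: { auth_token: 'missing for 2FA login' }, detail: null, meta: null }] });

// Constructed stand-in for the server: rejects a body without auth_token.
async function fakePost(body) {
  if (!new URLSearchParams(body).get('auth_token')) {
    return { status: 400, text: SAMPLE_2FA_ERROR };
  }
  const ok = { token_type: 'Bearer', access_token: 'constructed-token' };
  return { status: 200, text: JSON.stringify(ok) };
}
```

In a browser, `post` would wrap the `$.ajax` call from the posts above, and the returned string should be held in memory rather than written into the page.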