We've recently introduced (in Iaf77445ba) the ability to "log in" from a grafana.w.o dashboard and get redirected into grafana-rw.w.o.
However this mechanism doesn't always seem to work properly, as experienced and reported by @aborrero. Namely if idp/cas has to renew/refresh the session then the user isn't redirected to grafana-rw but to grafana.w.o with an extra ticket in the query string!
Example:
- Dashboard at https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?orgId=1
- Click 'sign in', links to https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?orgId=1&refresh=1m&forceLogin=true
- The link above 302s to /login i.e. https://grafana.wikimedia.org/login
- The link above 302s to https://grafana-rw.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?orgId=1&refresh=1m (based on referrer, our change above)
At this point, if idp/cas doesn't need a new ticket all is well. However, if there is indeed a need for a new ticket then:
- The link above 302s to https://idp.wikimedia.org/login?service=https%3a%2f%2fgrafana-rw.wikimedia.org%2fd%2f000000579%2fwmcs-openstack-eqiad1%3forgId%3d1%26refresh%3d1m
- I'm already logged in so no need to ask for credentials, a new ticket is issued
- The link above 302s to https://grafana-rw.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?orgId=1&refresh=1m&ticket=<ticket>-idp1001
- At this point the request is treated like a non-logged-in user trying to browse an SSO-protected dashboard.
- Thus (our own rules) the link gets 302'd again to the public grafana.w.o version, i.e. https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?orgId=1&refresh=1m&ticket=<ticket>-idp1001
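The failure mode above can be caught automatically from a captured redirect chain: the CAS service ticket must only ever appear on the host named in the IdP's `service` parameter, and here it lands on the public host instead. The following audit helper is an added example, not part of this task or of Wikimedia's Grafana/Apache configuration; the chain it checks is reconstructed from the hops listed above with a constructed placeholder in place of the real ticket.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed redirect chain reproducing the report above. The "<ticket>"
# placeholder from the report is replaced by a made-up value, not a real ticket.
SAMPLE_CHAIN = [
    "https://grafana.wikimedia.org/login",
    "https://grafana-rw.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?orgId=1&refresh=1m",
    "https://idp.wikimedia.org/login?service=https%3a%2f%2fgrafana-rw.wikimedia.org"
    "%2fd%2f000000579%2fwmcs-openstack-eqiad1%3forgId%3d1%26refresh%3d1m",
    "https://grafana-rw.wikimedia.org/d/000000579/wmcs-openstack-eqiad1"
    "?orgId=1&refresh=1m&ticket=ST-CONSTRUCTED-EXAMPLE-idp1001",
    # The buggy final hop: same ticket, but now on the public host.
    "https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1"
    "?orgId=1&refresh=1m&ticket=ST-CONSTRUCTED-EXAMPLE-idp1001",
]


def audit_redirect_chain(chain, idp_host="idp.wikimedia.org"):
    """Return (hop_index, host) for every hop that carries a CAS 'ticket'
    query parameter on a host other than the service host the ticket was
    issued for.

    The service host is learned from the 'service' parameter of the IdP login
    URL; the hop that follows it is the legitimate CAS callback. Any later hop
    that still carries the ticket on a different host (here: the public
    grafana.w.o vhost) is the misrouting described in this task."""
    findings = []
    service_host = None
    for index, url in enumerate(chain):
        parts = urlsplit(url)
        params = parse_qs(parts.query)  # percent-decodes values for us
        if parts.hostname == idp_host and "service" in params:
            service_host = urlsplit(params["service"][0]).hostname
            continue
        if "ticket" not in params:
            continue
        if service_host is None or parts.hostname != service_host:
            findings.append((index, parts.hostname))
    return findings


def ticket_misrouted(chain):
    """True when the chain ends with a CAS ticket on a host it was not issued for."""
    return bool(audit_redirect_chain(chain))


if __name__ == "__main__":
    for hop, host in audit_redirect_chain(SAMPLE_CHAIN):
        print(f"hop {hop}: CAS ticket delivered to unexpected host {host}")
```

Feeding a healthy chain (one that stops at the grafana-rw callback) yields no findings, so the helper can double as a regression check once the redirect rules are adjusted.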