Ability to influence the state parameter in oauth requests


We have a setup where we’re running one Grafana instance per K8S cluster and we run many K8S clusters, adding and removing clusters all the time.

Each Grafana instance is exposed to the outside work via a unique url

We’d like our users to be able to login to the Grafana instance in each cluster through (Google) oAuth.

But, afaics in order to do that, the oAuth redirect url, which would be unique for each Grafana instance needs to be added to the oAuth client registered with our oAuth provider (Google).

In general the way people deal with this in oAuth is to have a generic, intermediate redirect url registered on the client at the oAuth provider and then to encode something that is specific to the instance in the state parameter of the oAuth request. The logic that hosts/runs the generic intermediate redirect url can then look at the state parameter and redirect to the appropriate instance.

For example:
redirectUrl: redirect.example.com
oAuth request from grafana1.example.com: ...?redirect_url=redirect.example.com&state=grafana1:someRandomValue
redirect from provider: redirect.example.com?state=grafana1:someRandomValue&code=...
redirect by generic intermediate url: grafana1.example.com?state=grafana1:someRandomValue&code=...

So, my question is: is there any way to achieve the above or is there some other way I haven’t figured out yet to solve the problem?



Looking into this more I think I answered my own question: it’s not possible atm.

Created a case and Pr to make it possible: