Addressing authentication for shared frames

We have an app that links to our Grafana and also embeds Grafana panel frames within it. The authentication is a shared OIDC auth for both our app and Grafana, so if you are logged into one, you’re logged into the other automatically. :handshake:

Opening Grafana after opening our app redirects to Grafana’s login page, which redirects to our Dex OIDC provider, then to Microsoft Azure’s login, which redirects again back to Grafana. That workflow happens in a second and works great. :+1:

The only challenging part is that Azure’s login rejects being inside a frame. Therefore the previous paragraph does not work inside an iframe. So if someone opens our app, but not Grafana itself, the frames are all blank! You have to manually visit Grafana and then come back.

So I’m exploring possible solutions:

  1. Our Grafana instance is also behind a reverse-proxy that we control. If it is possible to use the X-WEBAUTH-USER feature in combination with the oauth authentication, then we could add it automatically in a frame context, where the user doesn’t matter too much, if we set it to an admin.

  2. Last resort: Use x-webauth-user and implement the user/group mapping all by ourselves in the reverse-proxy (which is written by us, and has access to the OIDC claims, it’s not nginx or whatnot). From the docs:

# Example `headers = Name:X-WEBAUTH-NAME Email:X-WEBAUTH-EMAIL Groups:X-WEBAUTH-GROUPS`
  1. Something else?

Any suggestions welcome! We can’t be the only ones to have encountered this use-case. :slight_smile: