grafana graphs not displaying inline when using CAS Auth. #181

Open
afernique opened this issue Feb 16, 2024 · 3 comments

@afernique

Hi,
Just upgraded to OMD-LABS 5.30.
We're behind a reverse proxy with multiple auth schemes separated by URL (such as monitoring, monitoring-ldap, monitoring-cas).
We've activated double graphing with original pnp4nagios & grafana a year back since pnp graphs were due to crash with newer php releases.
Seems the 5.30 release under bookworm still works flawlessly, though.
Since we now have more than a year's worth of influxdb graphs, we were planning on switching action URLs from pnp to grafana.
This works flawlessly when authenticating through apache basic auth or LDAP.
But when authenticating with mod_cas (with external auth via our shibboleth IdP), grafana graphs show no data.

Looking in the logs, CAS auth shows no uname and public access, while basic auth shows uname & api/live access (logs below).
If I "open" the graph just once by clicking it while authenticated through CAS, they start showing again and the logs show api/live, but still no uname appearing in grafana.log.

Any clue would be welcome. Seamless SSO is greatly appreciated by our users, who don't want to connect when accessing each app.

Logs with CAS:
logger=context userId=3 orgId=1 uname=(null) t=2024-02-16T09:52:12.399669867+01:00 level=info msg="Request Completed" method=GET path=/public/build/4782.236645f6d771deeee7c8.js.map status=404 remote_addr=10.0.105.58 time_ms=7 duration=7.416093ms size=52117 referer= handler=public-assets

With basic auth or LDAP:
logger=context userId=2 orgId=1 uname=fernique t=2024-02-16T09:52:42.042552167+01:00 level=info msg="Request Completed" method=GET path=/api/live/ws status=400 remote_addr=10.0.105.58 time_ms=3 duration=3.346731ms size=12 referer= handler=/api/live/ws

@sni
Contributor

sni commented Mar 15, 2024

I've never seen or heard of mod_cas before. What's the actual issue with OMD here?

@afernique
Author

Hi Sven,
mod-auth-cas is an Apache module used to connect via a CAS server (https://github.com/apereo/mod_auth_cas).
When used with OMD/Thruk with embedded graphs, modern navigators redirect frames to the authentication server, access to which seems blocked by X-FRAME-OPTIONS/CSP headers.

Direct URL access still works nicely while using pnp4nagios.
But not the grafana URL (e.g. "https://mysite/grafana/dashboard/script/histou.js?host=..."), which won't load directly unless I first autoconnect once by using the URL "https://mysite/grafana" (where SSO works flawlessly).

My best guess would be a frame-ancestors problem.
I thought there might be a specific known configuration in OMD to resolve this kind of issue.
But since everything still works fine with pnp4nagios, you may just close the issue if not.

@sni
Contributor

sni commented Mar 18, 2024

I see. You could have a look at etc/apache/conf.d/grafana.conf, which sets the CSP for grafana. But it looks pretty permissive already.
You also might look into etc/apache/conf.d/thruk.conf, which sets a CSP for Thruk.
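
To test the frame-ancestors guess raised in this thread, the following added example (not part of the original thread and not OMD or Grafana code) evaluates the X-Frame-Options and CSP frame-ancestors headers of a framed response against the origin of the embedding page, for a single parent frame. The sample headers, the idp.example.org host and the /thruk/ parent URL are constructed assumptions; substitute the headers actually returned by the Grafana URL and by the CAS/IdP login page.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(src, parent, framed):
    s = src.lower()                          # simplified matcher: no IPv6 literals, paths ignored
    if s in ("'none'", "'self'"):
        return s == "'self'" and parent == framed
    if s == "*":
        return parent[0] in DEFAULT_PORTS
    if s.endswith(":"):                      # scheme-source such as https:
        return parent[0] == s[:-1]
    scheme, _, rest = s.rpartition("://")
    host, _, port = rest.split("/")[0].partition(":")
    if scheme and scheme != parent[0]:
        return False
    if port != "*" and int(port or DEFAULT_PORTS.get(parent[0], 0)) != parent[2]:
        return False
    return parent[1].endswith(host[1:]) if host.startswith("*.") else parent[1] == host

def framing_allowed(headers, framed_url, parent_url):
    parent, framed = origin(parent_url), origin(framed_url)   # headers: (name, value) pairs
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    policies = []
    for policy in ",".join(csp).split(","):  # one header may carry several policies
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                policies.append(parts[1:])
                break                        # first occurrence per policy counts
    for sources in policies:                 # every policy must allow the parent
        if not any(source_matches(s, parent, framed) for s in sources):
            return False, "CSP frame-ancestors " + " ".join(sources)
    for name, value in headers:
        xfo = value.strip().upper()          # X-Frame-Options is ignored when frame-ancestors is present
        if not policies and name.lower() == "x-frame-options" and (
                xfo == "DENY" or (xfo == "SAMEORIGIN" and parent != framed)):
            return False, "X-Frame-Options " + xfo
    return (True, "CSP frame-ancestors") if policies else (True, "no framing restriction sent")

# Constructed sample responses, not captured from the reporter's site; PARENT is an assumed URL.
PARENT = "https://mysite/thruk/"
GRAFANA = ("https://mysite/grafana/", [("Content-Security-Policy", "frame-ancestors 'self'")])
IDP_LOGIN = ("https://idp.example.org/login", [("X-Frame-Options", "DENY")])
```

Calling `framing_allowed(headers, url, PARENT)` for each document the iframe ends up loading shows which response refuses to be framed; an obsolete `ALLOW-FROM` value is treated as absent.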
