[Federation] Workbench login chooser
If cluster B is configured to permit it, federated login allows an account on cluster A to use Workbench at cluster B. In that case, Workbench B should give an unauthenticated visitor the option to log in via cluster A.
An unauthenticated visitor to Workbench B is offered a "log in" button that initiates the login procedure for cluster B. If a cluster A user clicks it, they end up creating a new cluster B account, instead of using their existing cluster A account. After #11454 they can work around this by visiting Workbench A first and following a link from the multisite search page to Workbench B, but this is not obvious or convenient.
On a cluster with remote_hosts_via_dns enabled, the login button should come with a text box where the user can type a 5-letter cluster prefix.
On a cluster with specific remote_hosts defined, the login button should come with a selector widget so the user can choose one of the defined remotes.
If both configs are enabled, both widgets should be offered. If a user types an ID listed in remote_hosts, remote_hosts has precedence over remote_hosts_via_dns. Matching is case-insensitive.
When the user selects a remote cluster, the login URL should include the current cluster ID as the "remote" query parameter, which tells the login cluster to issue a salted token for the current cluster. See #14718.
If configured for a special "home" cluster, always redirect to the login endpoint of the "home" cluster, user will still be (eventually) returned to "remote" workbench. "Home" API server needs to know to send a salted token back to the remote workbench. This should also imply honoring the "is_active" flag.
If a user logs in to an identity_url that corresponds to a remote user, or has a
redirect_to_user_uuid to a remote user, results in a browser redirect to the user's home cluster for federated login.
Optional: Use LocalStorage to remember which cluster was chosen, and make that the default next time.
Visual/interactivity specifics. Note there is a big dialog-like login box, plus a login button in the top nav.
#5 Updated by Peter Amstutz about 1 year ago
Another way to approach this would be for the user to start at their home cluster, and then be able to click on a button to navigate to one of the federated workbench instances by providing a salted token. In fact, the multi-site search already does this, but there isn't a simple obvious page to visit that takes you to the dashboard of each cluster.