Task: Deep Link to MCP with no permission in workspace should work

[In-Ko]

Understand the Task

Description
When I get a deep link (a link that links to an mcp view) and i have the following permission scenario:
permission on the MCP but no permission in the workspace, the user should see the resources that are loaded from the MCP (managed resources, gitops, etc.)

Background
The MCP View loads data from the onboarding api (enabled components with version): this could not be loaded due to missing permissions. From the MCP itself the managed resources, provider, provider configs etc. are loaded, the user has permission to load this.

So what should happen:
The user can view the mcp view with the data that is provided from the mcp. The data from the onboarding api shows a permission error.

What happens right now
When the user has no session, the login redirect flow redirects to the main page (we therefore need to store the url before doing the signin redirect flow and redirect to that again). If the user visits a deeplink while having. a session, a full screen error occurs. I assume if one of the onboarding api calls fails, the whole view shows an error even if the other requests would work.

Done Criteria

• Sign-In flow redirects to the previous page (in this case to the deep linked mcp view but should also work on a project view)
• the UI should load all parts that uses data from the MCP
• the parts that require data from the onboarding api should show an error explaining that the permissions to the workspace are missing and an info on how to grant this permission
• If completly logged out, forward to signing and then redirect to intended deep-link

Open Question - @enrico-kaack-comp - Techadvide needed

• Add test that verifies this behavior for customer-added IDP - next to default one??
• put into url? we might not get this from onboarding API

Any further valuable resources.

No response

What is required to accept the Task as done.

Done Criteria

• ...
• Code has been reviewed by other team members
• Internal technical Documentation created/updated
• New / changed code is documented
• Unit Tests created for new code or existing Unit Tests updated
• Integration Test Suite updated
• Enduser Documentation updated (if applicable)
• Successful demonstration in Review

[In-Ko]

Original comment by @enrico-kaack-comp:
Follow up on techadvice:
As the information for what IDP are available are part of the kubeconfig and therefore mcp resource in the workspace, the user would not know about this. In discussion with @ValentinGerlach we suggest that it is not possible to access with the UI and we only allow MCP UI access when there is workspace access.

To make it work, we would need to encode the relevant data in the url that is shared. The kubeconfig SHOULD not include sensible data like client-secret but we cant be sure about this, so we suggest to not allow this.
If there is high user demand for this flow, we might have to reconsider this.

[In-Ko]

As outlined above, for now too complex to implement (due to current design of the UI flow).
If we get a lot of user requests for this, we should rethink and make it work.