From 0a67be8b3d6d4ddac14c945fa2063eefb949bbd1 Mon Sep 17 00:00:00 2001
From: joerger
Date: Fri, 8 Nov 2024 18:11:49 -0800
Subject: [PATCH] Cleanup.
---
 api/mfa/ceremony.go | 15 +++++++++------
 lib/client/presence.go | 9 +-------
 2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
index 78dc1a1cc48bb..64d0b75fc850d 100644
--- a/api/mfa/ceremony.go
+++ b/api/mfa/ceremony.go
@@ -56,13 +56,8 @@ type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.Create
 // req may be nil if ceremony.CreateAuthenticateChallenge does not require it, e.g. in
 // the moderated session mfa ceremony which uses a custom stream rpc to create challenges.
 func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error) {
- switch {
- case c.CreateAuthenticateChallenge == nil:
+ if c.CreateAuthenticateChallenge == nil {
 return nil, trace.BadParameter("mfa ceremony must have CreateAuthenticateChallenge set in order to begin")
- case req.ChallengeExtensions == nil:
- return nil, trace.BadParameter("missing challenge extensions")
- case req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED:
- return nil, trace.BadParameter("mfa challenge scope must be specified")
 }
 
 // If available, prepare an SSO MFA ceremony and set the client redirect URL in the challenge
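Review bot: Removing the `req.ChallengeExtensions == nil` and `CHALLENGE_SCOPE_UNSPECIFIED` cases means Run no longer rejects a challenge request with no declared scope before it is handed to `c.CreateAuthenticateChallenge`, so that validation now has to happen in each CreateAuthenticateChallenge implementation or on the auth server, and the doc comment on Run should say where it lives so a future caller does not assume Run still enforces it. Suggest extending the comment above the signature with `// Run does not validate req.ChallengeExtensions; callers that rely on a specific` / `// challenge scope must set it themselves or have it enforced by CreateAuthenticateChallenge.` Whether the server side already rejects an unspecified scope is not visible in this diff, so that sentence should be confirmed against the auth handler before it is committed. The body of Run continues past this hunk.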
@@ -75,6 +70,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
 } else {
 defer ssoMFACeremony.Close()
+
+ // req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
+ // its own req or uses a different e.g. login. We should still provide the sso client
+ // redirect URL in case the custom CreateAuthenticateChallenge handles it.
+ if req == nil {
+ req = new(proto.CreateAuthenticateChallengeRequest)
+ }
+
 req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
 promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 }
diff --git a/lib/client/presence.go b/lib/client/presence.go
index 2c2da72072a43..b699d2119665e 100644
--- a/lib/client/presence.go
+++ b/lib/client/presence.go
@@ -28,7 +28,6 @@ import (
 "github.com/jonboulle/clockwork"
 
 "github.com/gravitational/teleport/api/client/proto"
- mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 "github.com/gravitational/teleport/api/mfa"
 )
 
@@ -126,13 +125,7 @@ func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMai
 for {
 select {
 case <-ticker.Chan():
- mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{
- // With the custom CreateAuthenticateChallenge method above, we don't actually
- // need to provide the extensions here, but the ceremony expects it.
- ChallengeExtensions: &mfav1.ChallengeExtensions{
- Scope: mfav1.ChallengeScope_CHALLENGE_SCOPE_USER_SESSION,
- },
- })
+ mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{})
 if err != nil {
 return trace.Wrap(err)
 }
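Review bot: The new `if req == nil` allocation runs only inside the SSO branch, so a custom CreateAuthenticateChallenge now receives either nil or a request carrying nothing but SSOClientRedirectURL depending on whether an SSO MFA ceremony was available, and the added comment should state that explicitly rather than leave it implied. The second sentence of that comment also reads as garbled (`uses a different e.g. login`); suggest `// its own req or comes from a different flow, e.g. login. We still set the SSO client` / `// redirect URL so a custom CreateAuthenticateChallenge can forward it; when no SSO` / `// ceremony is available req stays nil and the implementation must tolerate that.` Run's body begins before and ends after this hunk.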
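Review bot: Passing an empty `&proto.CreateAuthenticateChallengeRequest{}` drops the comment that explained the challenge scope for the presence check is supplied by the custom CreateAuthenticateChallenge defined earlier in this file, and with that note gone a reader of RunPresenceTask has no indication of where the scope is set. If that custom implementation really ignores its request argument, `mfaResp, err := presenceCeremony.Run(ctx, nil)` states the intent more directly now that Run accepts nil; either way a one-line comment such as `// The request is unused: the stream RPC in the custom CreateAuthenticateChallenge above supplies the challenge and its scope.` should be kept above the call. I cannot see that implementation in this diff, so confirm it neither dereferences req nor depends on ChallengeExtensions before switching to nil. RunPresenceTask's body starts outside this hunk.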