add ssoChallenge to mfa requests/responses

web/packages/teleport/src/lib/tdp/client.ts

@@ -24,7 +24,7 @@ import init, {
 } from 'teleport/ironrdp/pkg/ironrdp';
 
 import { WebsocketCloseCode, TermEvent } from 'teleport/lib/term/enums';
-import { EventEmitterWebAuthnSender } from 'teleport/lib/EventEmitterWebAuthnSender';
+import { EventEmitterMfaSender } from 'teleport/lib/EventEmitterMfaSender';
 import { AuthenticatedWebSocket } from 'teleport/lib/AuthenticatedWebSocket';
 
 import Codec, {
@@ -93,7 +93,7 @@ export enum LogType {
 // sending client commands, and receiving and processing server messages. Its creator is responsible for
 // ensuring the websocket gets closed and all of its event listeners cleaned up when it is no longer in use.
 // For convenience, this can be done in one fell swoop by calling Client.shutdown().
-export default class Client extends EventEmitterWebAuthnSender {
+export default class Client extends EventEmitterMfaSender {
   protected codec: Codec;
   protected socket: AuthenticatedWebSocket | undefined;
   private socketAddr: string;

web/packages/teleport/src/lib/term/tty.ts

@@ -18,7 +18,7 @@
 
 import Logger from 'shared/libs/logger';
 
-import { EventEmitterWebAuthnSender } from 'teleport/lib/EventEmitterWebAuthnSender';
+import { EventEmitterMfaSender } from 'teleport/lib/EventEmitterMfaSender';
 import { WebauthnAssertionResponse } from 'teleport/services/auth';
 import { AuthenticatedWebSocket } from 'teleport/lib/AuthenticatedWebSocket';
 
@@ -31,7 +31,7 @@ const defaultOptions = {
   buffered: true,
 };
 
-class Tty extends EventEmitterWebAuthnSender {
+class Tty extends EventEmitterMfaSender {
   socket = null;
 
   _buffered = true;

web/packages/teleport/src/services/auth/makeMfa.ts

@@ -50,12 +50,15 @@ export function makeMfaRegistrationChallenge(json): MfaRegistrationChallenge {
 }
 
 // makeMfaAuthenticateChallenge formats fetched authenticate challenge JSON.
-// Webauthn challange contains Base64URL(byte) fields that needs to
+// Webauthn challenge contains Base64URL(byte) fields that needs to
 // be converted to ArrayBuffer expected by navigator.credentials.get:
 // - challenge
 // - allowCredentials[i].id
 export function makeMfaAuthenticateChallenge(json): MfaAuthenticateChallenge {
-  const webauthnPublicKey = json.webauthn_challenge?.publicKey;
+  const challenge = typeof json === 'string' ? JSON.parse(json) : json;
+  const { sso_challenge, webauthn_challenge } = challenge;
+
+  const webauthnPublicKey = webauthn_challenge?.publicKey;
   if (webauthnPublicKey) {
     const challenge = webauthnPublicKey.challenge || '';
     const allowCredentials = webauthnPublicKey.allowCredentials || [];
@@ -70,6 +73,12 @@ export function makeMfaAuthenticateChallenge(json): MfaAuthenticateChallenge {
   }
 
   return {
+    ssoChallenge: sso_challenge
+      ? {
+          redirectUrl: sso_challenge.redirect_url,
+          requestId: sso_challenge.request_id,
+        }
+      : null,
     totpChallenge: json.totp_challenge,
     webauthnPublicKey: webauthnPublicKey,
   };

web/packages/teleport/src/services/auth/types.ts

@@ -32,7 +32,13 @@ export type AuthnChallengeRequest = {
   userCred: UserCredentials;
 };
 
+export type SSOChallenge = {
+  redirectUrl: string;
+  requestId: string;
+};
+
 export type MfaAuthenticateChallenge = {
+  ssoChallenge: SSOChallenge;
   totpChallenge: boolean;
   webauthnPublicKey: PublicKeyCredentialRequestOptions;
 };