Allow SSO MFA to fail gracefully on the client when the Proxy is down.

gravitational · Nov 9, 2024 · c269639 · c269639
1 parent 5151b35
commit c269639
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
@@ -18,6 +18,7 @@ package mfa
 
 import (
 	"context"
+	"log/slog"
 	"slices"
 
 	"github.com/gravitational/trace"
@@ -72,12 +73,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 	if c.SSOMFACeremonyConstructor != nil {
 		ssoMFACeremony, err := c.SSOMFACeremonyConstructor(ctx)
 		if err != nil {
-			return nil, trace.Wrap(err, "failed to handle SSO MFA ceremony")
+			// We may fail to start the SSO MFA flow in cases where the Proxy is down or broken. Fall
+			// back to skipping SSO MFA, especially since SSO MFA may not even be allowed on the server.
+			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods.", "error", err)
+		} else {
+			defer ssoMFACeremony.Close()
+			req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
+			promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 		}
-		defer ssoMFACeremony.Close()
-
-		req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
-		promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 	}
 
 	chal, err := c.CreateAuthenticateChallenge(ctx, req)

diff --git a/lib/client/mfa.go b/lib/client/mfa.go
@@ -95,7 +95,7 @@ func (tc *TeleportClient) NewSSOMFACeremony(ctx context.Context) (mfa.SSOMFACere
 
 	rd, err := sso.NewRedirector(rdConfig)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, trace.Wrap(err, "failed to create a redirector for SSO MFA")
 	}
 
 	return sso.NewCLIMFACeremony(rd), nil