From c269639fc2386779f35099efeebd1aaf06051b83 Mon Sep 17 00:00:00 2001
From: joerger
Date: Thu, 7 Nov 2024 15:13:16 -0800
Subject: [PATCH 1/2] Allow SSO MFA to fail gracefully on the client when the Proxy is down.

---
 api/mfa/ceremony.go | 13 ++++++++-----
 lib/client/mfa.go | 2 +-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
index 3b28162e62164..db5c8aa5c34d0 100644
--- a/api/mfa/ceremony.go
+++ b/api/mfa/ceremony.go
@@ -18,6 +18,7 @@ package mfa
 
 import (
 	"context"
+	"log/slog"
 	"slices"
 
 	"github.com/gravitational/trace"
@@ -72,12 +73,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 	if c.SSOMFACeremonyConstructor != nil {
 		ssoMFACeremony, err := c.SSOMFACeremonyConstructor(ctx)
 		if err != nil {
-			return nil, trace.Wrap(err, "failed to handle SSO MFA ceremony")
+			// We may fail to start the SSO MFA flow in cases where the Proxy is down or broken. Fall
+			// back to skipping SSO MFA, especially since SSO MFA may not even be allowed on the server.
+			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods.", "error", err)
+		} else {
+			defer ssoMFACeremony.Close()
+			req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
+			promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 		}
-		defer ssoMFACeremony.Close()
-
-		req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
-		promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 	}
 
 	chal, err := c.CreateAuthenticateChallenge(ctx, req)
diff --git a/lib/client/mfa.go b/lib/client/mfa.go
index ff261950604a1..67e9b30f6417a 100644
--- a/lib/client/mfa.go
+++ b/lib/client/mfa.go
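Review bot: In the `if err != nil` branch of Run in api/mfa/ceremony.go the constructor error is discarded after a debug-level log, so a user whose only registered MFA method is SSO will later hit the CreateAuthenticateChallenge or prompt failure with no indication that SSO was skipped because the Proxy redirector could not be set up. Consider declaring `var ssoErr error` before the block, assigning `ssoErr = err` in that branch, and folding it into the eventual no-usable-method error, e.g. `trace.Wrap(err, "SSO MFA unavailable: %v", ssoErr)`, so the outage stays visible without promoting every transient failure to a warning. The new silent fallback also deserves a sentence in Run's doc comment, since callers can no longer rely on an SSO constructor failure aborting the ceremony. Run continues past the end of this hunk, so where the final error is produced is not visible here.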
@@ -95,7 +95,7 @@ func (tc *TeleportClient) NewSSOMFACeremony(ctx context.Context) (mfa.SSOMFACere
 
 	rd, err := sso.NewRedirector(rdConfig)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, trace.Wrap(err, "failed to create a redirector for SSO MFA")
 	}
 
 	return sso.NewCLIMFACeremony(rd), nil

From aec083bb9fb309e430f7d56f17e89f932c8d0ec9 Mon Sep 17 00:00:00 2001
From: Brian Joerger
Date: Fri, 8 Nov 2024 17:51:45 -0800
Subject: [PATCH 2/2] Update api/mfa/ceremony.go

Co-authored-by: Marco Dinis
---
 api/mfa/ceremony.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
index db5c8aa5c34d0..9ae0bf4374495 100644
--- a/api/mfa/ceremony.go
+++ b/api/mfa/ceremony.go
@@ -75,7 +75,7 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 		if err != nil {
 			// We may fail to start the SSO MFA flow in cases where the Proxy is down or broken. Fall
 			// back to skipping SSO MFA, especially since SSO MFA may not even be allowed on the server.
-			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods.", "error", err)
+			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
 		} else {
 			defer ssoMFACeremony.Close()
 			req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()