Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SSO MFA prompt for WebUI MFA flows #49794

Merged
merged 20 commits into from
Dec 20, 2024
Merged

Add SSO MFA prompt for WebUI MFA flows #49794

merged 20 commits into from
Dec 20, 2024
+1,043 −602

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented Dec 4, 2024
edited
Loading

Changelog: Add full SSO MFA support for the WebUI.

Extends SSO MFA support for:

Note: per-session SSO MFA for Node, Kube, and Desktop was already supported.

Depends on #49680

@Joerger Joerger requested a review from avatus December 4, 2024 21:19
@Joerger Joerger mentioned this pull request Dec 4, 2024
Open
@Joerger Joerger force-pushed the joerger/refactor-reauthenticate branch 4 times, most recently from 4abf873 to 42ba430 Compare December 6, 2024 00:11
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch 2 times, most recently from 5911b85 to 672dddb Compare December 9, 2024 22:11
@Joerger Joerger force-pushed the joerger/refactor-reauthenticate branch from ea8e8eb to 40336ed Compare December 9, 2024 22:26
@Joerger Joerger force-pushed the joerger/refactor-reauthenticate branch 2 times, most recently from af41a4e to bdd69ca Compare December 10, 2024 01:04
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from 672dddb to 9ad6250 Compare December 10, 2024 01:18
@Joerger Joerger force-pushed the joerger/refactor-reauthenticate branch from e60ec3d to 428e745 Compare December 11, 2024 02:41
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from 9ad6250 to 213322c Compare December 11, 2024 02:42
@Joerger Joerger marked this pull request as ready for review December 11, 2024 02:42
@github-actions github-actions bot requested a review from kiosion December 11, 2024 02:43
@avatus avatus requested a review from bl-nero December 12, 2024 17:06
@Joerger Joerger force-pushed the joerger/refactor-reauthenticate branch 2 times, most recently from 8e2fb35 to 9e8ad10 Compare December 14, 2024 01:18
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from 213322c to fb8c772 Compare December 14, 2024 02:16
bl-nero
bl-nero reviewed Dec 16, 2024
View reviewed changes
lib/client/weblogin.go Outdated Show resolved Hide resolved
lib/client/weblogin.go Outdated Show resolved Hide resolved
lib/web/mfa.go Outdated Show resolved Hide resolved
web/packages/teleport/src/Console/DocumentSsh/DocumentSsh.tsx Outdated Show resolved Hide resolved
web/packages/teleport/src/Console/DocumentSsh/DocumentSsh.tsx Outdated
submitAttempt={ft.submitMfaAttempt}
onCancel={ft.clearMfaChallenge}
/>
)}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a scenario where we can get an mfaChallenge on both mfa and ft?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, the mfa authndialog will always be handled and complete before we get to the ft authndialog. In the new updated code it would be easy to reuse the same mfa state if you're concerned about it though.

web/packages/teleport/src/Console/DocumentSsh/useFileTransfer.ts Outdated Show resolved Hide resolved
web/packages/teleport/src/lib/useMfa.ts Outdated Show resolved Hide resolved
web/packages/teleport/src/DesktopSession/DesktopSession.tsx Outdated Show resolved Hide resolved
web/packages/teleport/src/lib/useMfa.ts Outdated Show resolved Hide resolved
web/packages/teleport/src/lib/useMfa.ts Outdated Show resolved Hide resolved
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from 4182ae3 to e3c7edf Compare December 16, 2024 22:12
@Joerger Joerger force-pushed the joerger/refactor-reauthenticate branch from 5d0f08d to 89e4639 Compare December 16, 2024 22:17
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from e3c7edf to ff21791 Compare December 16, 2024 22:33
@Joerger Joerger requested review from bl-nero and ryanclark December 16, 2024 22:39
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from ff21791 to 99729ea Compare December 17, 2024 01:49
Joerger added 19 commits December 19, 2024 12:27
@Joerger
Handle SSO MFA challenges.
c5c7d11
@Joerger
Handle sso response in backend.
4edc5b8
@Joerger
Handle non-webauthn mfa response for file transfer, admin actions, an…
afad48d 
…d app session.
@Joerger
Simplify useMfa with new helpers.
7d751a0
@Joerger
Fix lint.
62e581d
@Joerger
Use AuthnDialog for file transfers; Fix json backend logic for file t…
7810238 
…ransfers.
@Joerger
Make useMfa and AuthnDialog more reusable and error proof.
0ccf73d
@Joerger
Use AuthnDialog for App sessions.
f86afc0
@Joerger
Resolve comments.
3fabcd1
@Joerger
Fix broken app launcher; improve mfaRequired logic in useMfa.
2de7955
@Joerger
Fix AuthnDialog test.
817dc3e
@Joerger
Fix merge conflict with Db web access.
7025781
@Joerger
fix stories.
61d18c4
@Joerger
Refactor mfa required logic.
1921b95
@Joerger
Address bl-nero's comments.
c96e18b
@Joerger
Address Ryan's comments.
c1438ba
@Joerger
Add useMfa unit test.
d3d473d
@Joerger
Fix story lint.
353ffe9
@Joerger
Replace Promise.withResolvers for compatiblity with older browers; Fi…
e103a1f 
…x bug where MFA couldn't be retried after a failed attempt; Add extra tests.
@Joerger Joerger force-pushed the joerger/sso-mfa-method branch from 5ee3d03 to e103a1f Compare December 19, 2024 20:28
@Joerger Joerger added this pull request to the merge queue Dec 20, 2024
Merged via the queue into master with commit 7269273 Dec 20, 2024
44 checks passed
@Joerger Joerger deleted the joerger/sso-mfa-method branch December 20, 2024 04:10
@public-teleport-github-review-bot
Copy link

@Joerger See the table below for backport results.

Branch Result
branch/v17 Failed

Joerger added a commit that referenced this pull request Dec 20, 2024
@Joerger
Add SSO MFA prompt for WebUI MFA flows (#49794)
b9adc43 
* Include sso channel ID in web mfa challenges.

* Handle SSO MFA challenges.

* Handle sso response in backend.

* Handle non-webauthn mfa response for file transfer, admin actions, and app session.

* Simplify useMfa with new helpers.

* Fix lint.

* Use AuthnDialog for file transfers; Fix json backend logic for file transfers.

* Make useMfa and AuthnDialog more reusable and error proof.

* Use AuthnDialog for App sessions.

* Resolve comments.

* Fix broken app launcher; improve mfaRequired logic in useMfa.

* Fix AuthnDialog test.

* Fix merge conflict with Db web access.

* fix stories.

* Refactor mfa required logic.

* Address bl-nero's comments.

* Address Ryan's comments.

* Add useMfa unit test.

* Fix story lint.

* Replace Promise.withResolvers for compatiblity with older browers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
@Joerger Joerger mentioned this pull request Dec 20, 2024
Open
zmb3
zmb3 reviewed Dec 23, 2024
View reviewed changes
web/packages/teleport/src/DesktopSession/useDesktopSession.tsx
@@ -22,7 +22,7 @@ import { useParams } from 'react-router';
import useAttempt from 'shared/hooks/useAttemptNext';

import { ButtonState } from 'teleport/lib/tdp';
import { useMfa } from 'teleport/lib/useMfa';
import { useMfaTty } from 'teleport/lib/useMfa';
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Joerger why is desktop session calling useMfaTty? There is no TTY for desktop sessions - this is SSH-only code, is it not?

@zmb3 zmb3 mentioned this pull request Dec 23, 2024
Open
@ravicious ravicious mentioned this pull request Dec 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zmb3 zmb3 zmb3 left review comments

@bl-nero bl-nero bl-nero approved these changes

@ryanclark ryanclark ryanclark approved these changes

Assignees
No one assigned
Labels
backport/branch/v17 size/sm ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Joerger @zmb3 @ryanclark @bl-nero