From 3204b53b615ffab7067af37307b9b542b66ec886 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 13 Jan 2023 18:02:01 -0300
Subject: [PATCH] fix: Always dial to root cluster for single-use certificates
---
 lib/web/terminal.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/web/terminal.go b/lib/web/terminal.go
index 9ad50cc12178a..bee4a29e9aba4 100644
--- a/lib/web/terminal.go
+++ b/lib/web/terminal.go
@@ -472,8 +472,10 @@ func (t *TerminalHandler) issueSessionMFACerts(ctx context.Context, tc *client.T
 ctx, span := t.tracer.Start(ctx, "terminal/issueSessionMFACerts")
 defer span.End()
+ // Always acquire single-use certificates from the root cluster, that's where
+ // both the user and their devices are registered.
 log.Debug("Attempting to issue a single-use user certificate with an MFA check.")
- stream, err := t.authProvider.GenerateUserSingleUseCerts(ctx)
+ stream, err := t.ctx.cfg.RootClient.GenerateUserSingleUseCerts(ctx)
 if err != nil {
 return trace.Wrap(err)
 }
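Review bot: The new call `t.ctx.cfg.RootClient.GenerateUserSingleUseCerts(ctx)` walks a three-level field chain with no nil guard, and nothing in the hunk shows where `RootClient` is populated or which identity it authenticates as. Because this stream issues the per-session MFA certificate, the added comment should state the identity assumption as well as the routing reason, for example `// RootClient must be the session user's own client to the root auth server; the user and their MFA devices are registered only there.`, once that is confirmed against the session context. A regression test that opens a web terminal to a leaf-cluster node with per-session MFA required would pin the behaviour this commit fixes. The body of issueSessionMFACerts continues outside the hunk, so whether `t.authProvider` is still used later in the same flow cannot be checked from here.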