
Scoped Webauthn Challenges #35277

Closed
Joerger wants to merge 9 commits into master from joerger/scoped-webauthn-credentials

@Joerger Joerger commented Dec 1, 2023

Implements scoped Webauthn challenges as described in RFD 155.

Follow up PRs:

  • e PR
  • Add audit events and product metrics
  • Prompt for reusable MFA when needed to avoid redundant MFA prompts (`tctl users add`, `tctl create multiple-resources.yaml`, etc.)

@Joerger Joerger added the no-changelog Indicates that a PR does not require a changelog entry label Dec 1, 2023
@Joerger Joerger force-pushed the joerger/scoped-webauthn-credentials branch from 57ae78c to 76a504f Compare December 19, 2023 02:32
@Joerger Joerger marked this pull request as ready for review December 19, 2023 02:32
@github-actions github-actions Bot added size/md tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Dec 19, 2023
@Joerger Joerger requested a review from rosstimothy December 19, 2023 02:35
@Joerger Joerger force-pushed the joerger/scoped-webauthn-credentials branch 2 times, most recently from a85f6ff to 56ca351 Compare December 20, 2023 18:32
Comment thread lib/web/mfa.go Outdated
@Joerger Joerger marked this pull request as draft December 20, 2023 19:58

Joerger commented Dec 20, 2023

Sorry @rosstimothy and other reviewers, I ran into some issues during implementation of the reuse logic and need to revert/refactor some of this. I'm going to include the reuse implementation in this PR and reopen it once it's ready. It should be a simpler change overall after this.

@Joerger Joerger force-pushed the joerger/scoped-webauthn-credentials branch 2 times, most recently from 240083e to 372f45f Compare December 21, 2023 02:56
@Joerger Joerger requested a review from rosstimothy December 21, 2023 02:57
@Joerger Joerger marked this pull request as ready for review December 21, 2023 02:57
@Joerger Joerger force-pushed the joerger/scoped-webauthn-credentials branch 2 times, most recently from a9cdb5e to 37379b1 Compare December 22, 2023 02:32
@Joerger Joerger removed the request for review from flyinghermit January 8, 2024 17:36

Joerger commented Jan 9, 2024

@rosstimothy @codingllama @gabrielcorado this is ready for review when you get a chance

@Joerger Joerger force-pushed the joerger/scoped-webauthn-credentials branch from 37379b1 to aa8451b Compare January 9, 2024 19:53
@Joerger Joerger force-pushed the joerger/scoped-webauthn-credentials branch from aa8451b to 825fe86 Compare January 9, 2024 20:01

Joerger commented Jan 10, 2024

Did some more testing and found some issues. Propagating the scope and AllowReuse through the full client->server->client->server MFA flow is problematic for backwards compatibility and differences in the Web MFA flow.

I have some MFA refactors under way that should significantly reduce the complexity of this part of the change. I will close this and open a new series of PRs once it's ready.

@Joerger Joerger closed this Jan 10, 2024