gravitational · Joerger · Nov 28, 2023 · Dec 1, 2023 · Dec 20, 2023 · Jan 11, 2024
diff --git a/api/client/client.go b/api/client/client.go
@@ -479,7 +479,7 @@ func (c *Client) dialGRPC(ctx context.Context, addr string) error {
 			otelUnaryClientInterceptor(),
 			metadata.UnaryClientInterceptor,
 			interceptors.GRPCClientUnaryErrorInterceptor,
-			interceptors.WithMFAUnaryInterceptor(c.performMFACeremony),
+			interceptors.WithMFAUnaryInterceptor(c.performAdminActionMFACeremony),
 			breaker.UnaryClientInterceptor(cb),
 		),
 		grpc.WithChainStreamInterceptor(

diff --git a/api/client/mfa.go b/api/client/mfa.go
@@ -23,17 +23,19 @@ import (
 
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/mfa"
+	webauthnpb "github.com/gravitational/teleport/api/types/webauthn"
 )
 
-// performMFACeremony retrieves an MFA challenge from the server, prompts the
-// user to answer the challenge, and returns the resulting MFA response.
-func (c *Client) performMFACeremony(ctx context.Context, promptOpts ...mfa.PromptOpt) (*proto.MFAAuthenticateResponse, error) {
+// performAdminActionMFACeremony retrieves an MFA challenge from the server,
+// prompts the user to answer the challenge, and returns the resulting MFA response.
+func (c *Client) performAdminActionMFACeremony(ctx context.Context, promptOpts ...mfa.PromptOpt) (*proto.MFAAuthenticateResponse, error) {
 	if c.c.MFAPromptConstructor == nil {
 		return nil, trace.BadParameter("missing PromptAdminRequestMFA field, client cannot perform MFA ceremony")
 	}
 
 	chal, err := c.CreateAuthenticateChallenge(ctx, &proto.CreateAuthenticateChallengeRequest{
 		Request: &proto.CreateAuthenticateChallengeRequest_ContextUser{},
+		Scope:   webauthnpb.ChallengeScope_CHALLENGE_SCOPE_ADMIN_ACTION,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

diff --git a/api/client/mfa_test.go b/api/client/mfa_test.go
@@ -70,7 +70,7 @@ func TestPerformMFACeremony(t *testing.T) {
 	clt, err := New(ctx, cfg)
 	require.NoError(t, err)
 
-	resp, err := clt.performMFACeremony(ctx)
+	resp, err := clt.performAdminActionMFACeremony(ctx)
 	require.NoError(t, err)
 	require.Equal(t, mfaTestResp.Response, resp.Response)
 }

diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -1147,6 +1147,15 @@ message MFAAuthenticateChallenge {
   // communications, in case of streaming RPCs. It may also return empty
   // challenges for all other fields.
   MFARequired MFARequired = 4;
+  // Scope is an authorization scope for this MFA challenge.
+  // Required. Only applies to webauthn challenges.
+  webauthn.ChallengeScope Scope = 5 [(gogoproto.jsontag) = "scope,omitempty"];
+  // AllowReuse means webauthn credentials resolved from this challenge can be
+  // reused for a short span of time before the challenge expires.
+  //
+  // Reuse is only permitted for specific actions by the discretion of the server.
+  // See the server implementation for details.
+  bool AllowReuse = 6 [(gogoproto.jsontag) = "allow_reuse,omitempty"];
 }
 
 // MFAAuthenticateResponse is a response to MFAAuthenticateChallenge using one
@@ -1841,6 +1850,15 @@ message CreateAuthenticateChallengeRequest {
   // If you are issuing challenges from the root cluster, but accessing a leaf,
   // call [AuthService.IsMFARequired] in the leaf instead of setting this field.
   IsMFARequiredRequest MFARequiredCheck = 5 [(gogoproto.jsontag) = "mfa_required_check,omitempty"];
+  // Scope is an authorization scope for this MFA challenge.
+  // Required. Only applies to webauthn challenges.
+  webauthn.ChallengeScope Scope = 6 [(gogoproto.jsontag) = "scope,omitempty"];
+  // AllowReuse means webauthn credentials resolved from this challenge can be
+  // reused for a short span of time before the challenge expires.
+  //
+  // Reuse is only permitted for specific actions by the discretion of the server.
+  // See the server implementation for details.
+  bool AllowReuse = 7 [(gogoproto.jsontag) = "allow_reuse,omitempty"];
 }
 
 // CreatePrivilegeTokenRequest defines a request to obtain a privilege token.

diff --git a/api/proto/teleport/legacy/types/webauthn/webauthn.proto b/api/proto/teleport/legacy/types/webauthn/webauthn.proto
@@ -56,6 +56,36 @@ message SessionData {
   // "required".
   // An empty value is treated equivalently to "discouraged".
   string user_verification = 5 [(gogoproto.jsontag) = "userVerification,omitempty"];
+  // Scope authorized by this webauthn session.
+  ChallengeScope scope = 6 [(gogoproto.jsontag) = "scope,omitempty"];
+  // AllowReuse indicates that this session can be used multiple times for
+  // authentication, until the session expires.
+  bool allow_reuse = 7 [(gogoproto.jsontag) = "allow_reuse,omitempty"];
+}
+
+// ChallengeScope is a scope authorized by a webauthn challenge's resolution.
+enum ChallengeScope {
+  // Invalid, scope should always be specified.
+  CHALLENGE_SCOPE_UNSPECIFIED = 0;
+  // Standard webauthn login.
+  CHALLENGE_SCOPE_LOGIN = 1;
+  // Passwordless webauthn login.
+  CHALLENGE_SCOPE_PASSWORDLESS_LOGIN = 2;
+  // MFA device management.
+  CHALLENGE_SCOPE_MANAGE_DEVICES = 3;
+  // Account recovery.
+  CHALLENGE_SCOPE_RECOVERY = 4;
+  // Used for per-session MFA and moderated session presence checks.
+  CHALLENGE_SCOPE_SESSION = 5;
+  // Headless login approval.
+  CHALLENGE_SCOPE_HEADLESS = 6;
+  // Used for various administrative actions, such as adding, updating, or
+  // deleting administrative resources (users, roles, etc.).
+  //
+  // Note: this scope should not be used for new MFA capabilities that have
+  // more precise scope. Instead, new scopes should be added. This scope may
+  // also be split into multiple smaller scopes in the future.
+  CHALLENGE_SCOPE_ADMIN_ACTION = 7;
 }
 
 // User represents a WebAuthn user.