Add SSO MFA prompt for WebUI MFA flows #49794
Merged
bl-nero
reviewed
Dec 16, 2024
| submitAttempt={ft.submitMfaAttempt} | ||
| onCancel={ft.clearMfaChallenge} | ||
| /> | ||
| )} |
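Review bot: onCancel is bound to ft.clearMfaChallenge, which by its name only discards the challenge state. Confirm that cancelling the dialog also settles the pending file transfer request with an error, so a dismissed prompt cannot leave the transfer waiting on an MFA response that will never arrive. A test that cancels mid-challenge and asserts that the transfer fails would cover it.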
Contributor
Is there a scenario where we can get an mfaChallenge on both mfa and ft?
Contributor
Author
No, the mfa authndialog will always be handled and complete before we get to the ft authndialog. In the new updated code it would be easy to reuse the same mfa state if you're concerned about it though.
…x bug where MFA couldn't be retried after a failed attempt; Add extra tests.
Joerger
added a commit
that referenced
this pull request
Dec 20, 2024
* Include sso channel ID in web mfa challenges.
* Handle SSO MFA challenges.
* Handle sso response in backend.
* Handle non-webauthn mfa response for file transfer, admin actions, and app session.
* Simplify useMfa with new helpers.
* Fix lint.
* Use AuthnDialog for file transfers; Fix json backend logic for file transfers.
* Make useMfa and AuthnDialog more reusable and error proof.
* Use AuthnDialog for App sessions.
* Resolve comments.
* Fix broken app launcher; improve mfaRequired logic in useMfa.
* Fix AuthnDialog test.
* Fix merge conflict with Db web access.
* fix stories.
* Refactor mfa required logic.
* Address bl-nero's comments.
* Address Ryan's comments.
* Add useMfa unit test.
* Fix story lint.
* Replace Promise.withResolvers for compatibility with older browsers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
zmb3
reviewed
Dec 23, 2024
|
|
||
| import { ButtonState } from 'teleport/lib/tdp'; | ||
| import { useMfa } from 'teleport/lib/useMfa'; | ||
| import { useMfaTty } from 'teleport/lib/useMfa'; |
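Review bot: The two imports from 'teleport/lib/useMfa' should be a single statement if both hooks are used in this file, and if useMfaTty replaces useMfa here the name needs justification, because this file also imports ButtonState from 'teleport/lib/tdp' and a TTY-named hook is surprising next to it. A transport-neutral name, or a doc comment on the hook stating which session types it serves, would make it clear that the MFA response in this component goes out over the intended channel.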
Collaborator
@Joerger why is desktop session calling useMfaTty? There is no TTY for desktop sessions - this is SSH-only code, is it not?
Joerger
commented
Jan 8, 2025
Comment on lines -627 to -634
| sendWebAuthn(data: WebauthnAssertionResponse) { | ||
| const msg = this.codec.encodeMfaJson({ | ||
| mfaType: 'n', | ||
| jsonString: JSON.stringify(data), | ||
| }); | ||
| this.send(msg); | ||
| } | ||
|
|
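Review bot: Removing sendWebAuthn (the comment range -627 to -634 is on deleted lines) needs a matching replacement for every caller, since this is the method that puts the MFA response on the wire through encodeMfaJson and this.send. Check that no call site still expects it and that whatever replaces it can carry non-WebAuthn responses as well, rather than hard-coding mfaType 'n'. A test that completes an MFA challenge over this client would catch a response that is never sent.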
Joerger
added a commit
that referenced
this pull request
Jan 13, 2025
Joerger
added a commit
that referenced
this pull request
Jan 14, 2025
Joerger
added a commit
that referenced
this pull request
Jan 16, 2025
Joerger
added a commit
that referenced
this pull request
Jan 21, 2025
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 21, 2025
* Add SSO MFA prompt for WebUI MFA flows (#49794)
* Include sso channel ID in web mfa challenges.
* Handle SSO MFA challenges.
* Handle sso response in backend.
* Handle non-webauthn mfa response for file transfer, admin actions, and app session.
* Simplify useMfa with new helpers.
* Fix lint.
* Use AuthnDialog for file transfers; Fix json backend logic for file transfers.
* Make useMfa and AuthnDialog more reusable and error proof.
* Use AuthnDialog for App sessions.
* Resolve comments.
* Fix broken app launcher; improve mfaRequired logic in useMfa.
* Fix AuthnDialog test.
* Fix merge conflict with Db web access.
* fix stories.
* Refactor mfa required logic.
* Address bl-nero's comments.
* Address Ryan's comments.
* Add useMfa unit test.
* Fix story lint.
* Replace Promise.withResolvers for compatibility with older browsers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
* Fix Per-session MFA for desktops (#50793)
* Add sendChallengeResponse implementation for desktop sessions.
* Rename useMfaTty to useMfaEmitter.
* Remove unused code.
* Fix `useMfa` error handling (#50844)
* Fix useMfa cancel logic to avoid duplicate error messages across dialog layers.
* Add MfaCanceledError and use promise.reject for mfa cancel.
* Address comments.
* Fix test.
* Remove outdated comment.
* Add comment; Simplify who dialog logic.
---------
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
This was referenced Jan 31, 2025
carloscastrojumo
pushed a commit
to carloscastrojumo/teleport
that referenced
this pull request
Feb 19, 2025
Changelog: Add full SSO MFA support for the WebUI.
Extends SSO MFA support for:
Reauthenticate flows (Refactor Reauthenticate components to handle generic MFA challenges. #49680)
Note: per-session SSO MFA for Node, Kube, and Desktop was already supported.
Depends on #49680