fix: Return friendly error message when MFA is required but the user has no devices enrolled 🐛

[cthach]

What?

Fixes the cluster client library and Apps connections handler so that they return a friendly error message when MFA is required and the user has no MFA devices enrolled. This is consistent with how the rest of the product handles this edge case (e.g., SSH, Kubernetes, Desktop, etc).

changelog: Improve error message when a User without any MFA devices enrolled attempts to access a resource that requires MFA.

Why?

Resolves the following issues:

1. Lack of MFA device should prompt user to add MFA when required #57114
2. Improve error message when user does not have an MFA device registered #48328

After testing the SSH, Desktop, Kubernetes, DB, etc product features, it was found that only CLIs and Apps features do not properly handle this edge case.

Once this PR is merged, the product should handle this MFA-UX edge case in a consistent way

Screenshots

When accessing an SSH host through tsh and the user does not have a MFA device enrolled:

When accessing an App through the UI and the user does not have a MFA device enrolled:

How was this tested?

1. Deployed Teleport with GitHub SSO integration to replicate a non-local User without a MFA device enrolled
2. Configured Teleport to require Session MFA for all connections
3. Verified connecting via ./tsh ssh root@Mac using the GitHub SSO user produces the expected error
4. Verified connecting via the Web UI using the GitHub SSO user produces the expected error

TODOs

• Fix tsh in v19
• Test for whether backports are needed for prior releases of tsh
• Fix web UI (RCA'd, see notes, awaiting feedback)
• Test client tctl admin actions
• Create backport PRs after this PR is merged

Backport?

Yes, testing in progress and I'll fill this affected versions matrix as I figure out the extent of this bug. Backport PRs will be created and linked for all affected versions.

	v19-dev	v18.1.4	v17.7.1	v16.5.9
v19-dev	🐛	🐛	🙈	🙈
v18.1.4	🙈	🐛	🐛	🙈
v17.7.1	🙈	🙈	🐛	🐛
v16.5.9	🙈	🙈	🙈	🐛

Legend

X axis: Teleport client version
Y axis: Teleport server version

Intersection meanings:

❓ = Untested, results coming 🔜
🐛 = Bug affects this Teleport server and client versions
☺️ = Bug does not affect this Teleport server and client versions
🙈 = Server-client versions are not supported so will not be tested

[cthach]

Open to feedback on how this should be worded. I did try to follow the existing pattern established but wanted to provide a little more detail. Copied from

teleport/lib/auth/authclient/clt.go

Line 86 in c71b3f9

Message: "MFA is required to access this resource but user has no MFA devices; see Account Settings in the Web UI or use 'tsh mfa add' to register MFA devices",

for more consistency in product messaging.

[rosstimothy]

What do you think about unifying all of our error messaging for this scenario? Right now tsh will result in MFA is required to access this resource but user has no MFA devices; see Account Settings in the Web UI or use 'tsh mfa add' to register MFA devices and the web ui will give you some form of only WebAuthn and SSO MFA methods are supported on the web terminal, please register a supported mfa method to connect to this server.

Maybe something similar to the following?

Multi-factor authentication is required to access this resource but the current user has no MFA devices enrolled; see Account Settings in the Web UI or use 'tsh mfa add' to register an MFA device.

@zmb3 any thoughts on this?

[zmb3]

SGTM.

[cthach]

Love the the suggestion! Will unify messaging

[cthach]

Updated in 2d9c589. I also updated the screenshots in the PR description. I opted to reuse the custom error ErrNoMFADevices instead of copy-pasting the same message throughout.

I also opted to wrap the error with additional context in the case of accessing via the Web UI since we only support a subset of MFA methods that a user might have added (WebAuthn and SSO MFA).

Thoughts?

[rosstimothy]

I think I'd remove the error wrapping to keep the error messaging more concise and consistent.

[cthach]

Yes, I agree!

Added in #57909 and updated screenshots in PR desc

[rosstimothy]

For consistency with the other error messages?

Suggested change

	text = `Multi-factor authentication (MFA) is required to access this resource but the current user has no supported MFA devices enrolled; see Account Settings in the Web UI or use 'tsh mfa add' to register an MFA device.
	See https://goteleport.com/docs/zero-trust-access/access-controls/guides/per-session-mfa/ for help.
	`
	text = authclient.ErrNoMFADevices.Error()

[cthach]

Done in #57909

[cthach]

@rosstimothy @nklaassen

I appreciate the reviews! I just pushed a commit cb8c839 updating the unit tests after you submitted your approvals. It's passing locally for me.

Can you please give that look before we merge?

[backport-bot-workflows]

@cthach See the table below for backport results.

Branch	Result
branch/v16	Failed
branch/v17	Create PR
branch/v18	Create PR