[Browser MFA] Add protobuf and config#63831
Merged
Merged
Conversation
danielashare
added
the
no-changelog
danielashare
force-pushed
the
danielashare/browser-mfa-proto
branch
from
8e9cfa5 to
f5df2e4
Compare
7 tasks
bl-nero
reviewed
Feb 17, 2026
| message ValidateBrowserMFAChallengeResponse { | ||
| // tsh_redirect_url is the callback URL to tsh's local HTTP server with the encrypted WebAuthn response. | ||
| // Format: http://127.0.0.1:[random_port]/callback?response={encrypted_webauthn_response} | ||
| string tsh_redirect_url = 1; |
Contributor
There was a problem hiding this comment.
I don't think it was mentioned in the RFD, but will there be any protection against creating an open-redirect logic on the web frontend side?
Contributor
Author
There was a problem hiding this comment.
I wasn't planning on adding redirect validation on the web frontend because the redirect url is accepted once from the user at the start of the ceremony and validated by ValidateClientRedirect. The URL is then stored on the backend waiting for the user to MFA in the browser. After doing so, the auth server encrypts the WebAuthn response and adds it to the stored and validated redirect URL for returning to the browser.
Comment on lines
+2737
to
+2739
| // AllowBrowserAuthentication enables/disables browser-based authentication. | ||
| // When set to false, authentication flows that require a browser will be disabled. | ||
| // Defaults to true. |
Contributor
There was a problem hiding this comment.
The way it's phrased suggests that any kind of local login (including regular sign-ins to the web app) would be gated by this option. Is that the case? If not, the documentation should be a bit more clear that we're only talking about the browser MFA flow for tsh.
Contributor
Author
There was a problem hiding this comment.
That is not the case, this is only available to CLI tools. I'll make sure this is clearer in this comment and in documentation.
| string proxy_address_for_sso = 4; | ||
| // Used to construct the redirect URL for browser-based MFA flows. If the client supports browser MFA, this field | ||
| // should be set to the URL where the browser should redirect to tsh after completing the MFA challenge. | ||
| string browser_mfa_tsh_redirect_url = 5; |
Contributor
There was a problem hiding this comment.
Will this URL be validated by the auth server?
Contributor
Author
There was a problem hiding this comment.
Yes, this will also be validated by ValidateClientRedirect on the server side
| // per-session MFA but we may still need to know that the user has TOTP | ||
| // configured as an option. | ||
| bool per_session_mfa = 7; | ||
| BrowserMFAChallenge browser = 8; |
Contributor
There was a problem hiding this comment.
What's the role of this field? I also see it mentioned in the RFD, but I don't understand how this all relates to teleterm.
Contributor
Author
There was a problem hiding this comment.
When a user initiates a request in teleterm that requires MFA, a request is sent by tsh daemon to Teleport and Teleport replies with the available challenges. The daemon will then create this PromptMFARequest message and forward it to teleterm, which will then show a modal for the user to choose their method of MFA. So this field just lets teleterm know that Browser MFA is an MFA option
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
Contributor
|
Amplify deployment status
|
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
4 tasks
codingllama
reviewed
Feb 18, 2026
3 tasks
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
codingllama
reviewed
Feb 19, 2026
Comment on lines
+827
to
+832
| case c.Spec.AllowBrowserAuthentication == nil: | ||
| // Materialize AllowBrowserAuthentication to true if WebAuthn is enabled, | ||
| // otherwise leave it nil. | ||
| if hasWebauthn { | ||
| c.Spec.AllowBrowserAuthentication = NewBoolOption(true) | ||
| } |
Contributor
There was a problem hiding this comment.
Suggested change
| case c.Spec.AllowBrowserAuthentication == nil: | |
| // Materialize AllowBrowserAuthentication to true if WebAuthn is enabled, | |
| // otherwise leave it nil. | |
| if hasWebauthn { | |
| c.Spec.AllowBrowserAuthentication = NewBoolOption(true) | |
| } | |
| case hasWebauthn && c.Spec.AllowBrowserAuthentication == nil: | |
| // Materialize AllowBrowserAuthentication to true if WebAuthn is enabled, | |
| // otherwise leave it nil. | |
| c.Spec.AllowBrowserAuthentication = NewBoolOption(true) |
It also occurs to me that we could never materialize and always calculate on the fly. Maybe add a variant of GetAllowBrowserAuthentication() that does that, so the logic is all captured here.
Contributor
Author
There was a problem hiding this comment.
Sounds good to me, left a validation check in CheckAndSetDefaults and calculate the rest on the fly in the getter
codingllama
reviewed
Feb 19, 2026
Contributor
|
Looks good, a few minor comments only. |
This was referenced Feb 19, 2026
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
codingllama
approved these changes
Feb 23, 2026
bl-nero
approved these changes
Feb 25, 2026
danielashare
force-pushed
the
danielashare/browser-mfa-proto
branch
from
e08f5d2 to
55869d8
Compare
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
public-teleport-github-review-bot
Bot
removed request for
Joerger and
ravicious
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
danielashare
force-pushed
the
danielashare/browser-mfa-proto
branch
from
2c63567 to
8ea0de0
Compare
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
danielashare
force-pushed
the
danielashare/browser-mfa-proto
branch
from
8ea0de0 to
0cb377a
Compare
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
Improve comments grpc, lint, test fix Update tf docs Update tf integration Fix login test Address comments Fix test Move ValidateBrowserMFAChallenge rpc to MFA service Fix service test Address comments Don't materialise browser authentication Remove browser auth materialisation in test Convert validate browser mfa to complete browser mfa
danielashare
force-pushed
the
danielashare/browser-mfa-proto
branch
from
0cb377a to
8a5561b
Compare
danielashare
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
Contributor
|
@danielashare See the table below for backport results.
|
danielashare
added a commit
that referenced
this pull request
Mar 31, 2026
danielashare
added a commit
that referenced
this pull request
Apr 2, 2026
danielashare
added a commit
that referenced
this pull request
Apr 7, 2026
danielashare
added a commit
that referenced
this pull request
Apr 17, 2026
mmcallister
pushed a commit
that referenced
this pull request
Apr 28, 2026
Improve comments grpc, lint, test fix Update tf docs Update tf integration Fix login test Address comments Fix test Move ValidateBrowserMFAChallenge rpc to MFA service Fix service test Address comments Don't materialise browser authentication Remove browser auth materialisation in test Convert validate browser mfa to complete browser mfa
danielashare
added a commit
that referenced
this pull request
Apr 30, 2026
danielashare
added a commit
that referenced
this pull request
May 5, 2026
danielashare
added a commit
that referenced
this pull request
May 6, 2026
[Browser MFA] Add protobuf and config (#63831) [Browser MFA] Add proto for Browser MFA feature (#64048) [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (#63873) [Browser MFA] Rename browser mfa config name (#64980) [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (#63945) [Browser MFA] Add Browser MFA to challenge request flow (#63936) [Browser MFA] Add initial requests for browser MFA process to client tools (#64301) [Browser MFA] Add tsh callback handling for webauthn response (#64461) [Browser MFA] Add Browser MFA to presence checks (#65052) [Browser MFA] Add browser MFA path to MFA finish flow (#64523) [Browser MFA] Add Browser MFA to Connect (#64887) [Browser MFA] Add Browser MFA UI (#64692) [Browser MFA] Fix formatting in moderated sessions (#65236) [Browser MFA] Add Browser MFA ceremony tests
ivan-bax
pushed a commit
to ivan-bax/teleport
that referenced
this pull request
May 22, 2026
[Browser MFA] Add protobuf and config (gravitational#63831) [Browser MFA] Add proto for Browser MFA feature (gravitational#64048) [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (gravitational#63873) [Browser MFA] Rename browser mfa config name (gravitational#64980) [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (gravitational#63945) [Browser MFA] Add Browser MFA to challenge request flow (gravitational#63936) [Browser MFA] Add initial requests for browser MFA process to client tools (gravitational#64301) [Browser MFA] Add tsh callback handling for webauthn response (gravitational#64461) [Browser MFA] Add Browser MFA to presence checks (gravitational#65052) [Browser MFA] Add browser MFA path to MFA finish flow (gravitational#64523) [Browser MFA] Add Browser MFA to Connect (gravitational#64887) [Browser MFA] Add Browser MFA UI (gravitational#64692) [Browser MFA] Fix formatting in moderated sessions (gravitational#65236) [Browser MFA] Add Browser MFA ceremony tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds protobuf and the configuration for enabling Browser MFA. The RFD for these additions can be found here.
Manual tests: