[Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge#63945
Merged
danielashare merged 1 commit intoMar 26, 2026
Merged
Conversation
danielashare
added
no-changelog
codingllama
reviewed
Feb 19, 2026
codingllama
reviewed
Feb 20, 2026
danielashare
force-pushed
the
danielashare/browser-mfa-proto
branch
4 times, most recently
from
0cb377a to
8a5561b
Compare
danielashare
force-pushed
the
danielashare/browser-mfa-auth-chal-with-req-id
branch
from
3d30faf to
e9e925e
Compare
nicholasmarais1158
approved these changes
Mar 4, 2026
Contributor
nicholasmarais1158
left a comment
nicholasmarais1158
left a comment
There was a problem hiding this comment.
I didn't manual test, but code looks good.
codingllama
reviewed
Mar 5, 2026
Joerger
reviewed
Mar 6, 2026
Joerger
approved these changes
Mar 25, 2026
codingllama
reviewed
Mar 25, 2026
Contributor
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3dd7938fa2
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
codingllama
reviewed
Mar 25, 2026
Contributor
codingllama
left a comment
codingllama
left a comment
There was a problem hiding this comment.
Please resolve merge conflicts and address the codex review.
|
|
||
| // Replace the challenge extensions with the ones found in the SSO MFA object. | ||
| // These are the ones from the original tsh request. | ||
| challengeExtensions = mfatypes.ChallengeExtensionsToProto(chalExts) |
Contributor
There was a problem hiding this comment.
Should we make sure that SSO MFA sessions record all ChallengeExtensions fields as well? It appears we do not record UserVerificationRequirement:
Lines 158 to 161 in 6382ef5
OK if you want to follow up separately.
Contributor
Author
There was a problem hiding this comment.
Yes, I'll include this in an upstream PR, thanks
zmb3
approved these changes
Mar 25, 2026
danielashare
force-pushed
the
danielashare/browser-mfa-auth-chal-with-req-id
branch
from
3dd7938 to
d0542e9
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d0542e9d88
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Contributor
|
@danielashare See the table below for backport results.
|
danielashare
added a commit
that referenced
this pull request
Mar 31, 2026
danielashare
added a commit
that referenced
this pull request
Apr 2, 2026
danielashare
added a commit
that referenced
this pull request
Apr 7, 2026
danielashare
added a commit
that referenced
this pull request
Apr 17, 2026
mmcallister
pushed a commit
that referenced
this pull request
Apr 28, 2026
danielashare
added a commit
that referenced
this pull request
Apr 30, 2026
danielashare
added a commit
that referenced
this pull request
May 5, 2026
danielashare
added a commit
that referenced
this pull request
May 6, 2026
[Browser MFA] Add protobuf and config (#63831) [Browser MFA] Add proto for Browser MFA feature (#64048) [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (#63873) [Browser MFA] Rename browser mfa config name (#64980) [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (#63945) [Browser MFA] Add Browser MFA to challenge request flow (#63936) [Browser MFA] Add initial requests for browser MFA process to client tools (#64301) [Browser MFA] Add tsh callback handling for webauthn response (#64461) [Browser MFA] Add Browser MFA to presence checks (#65052) [Browser MFA] Add browser MFA path to MFA finish flow (#64523) [Browser MFA] Add Browser MFA to Connect (#64887) [Browser MFA] Add Browser MFA UI (#64692) [Browser MFA] Fix formatting in moderated sessions (#65236) [Browser MFA] Add Browser MFA ceremony tests
ivan-bax
pushed a commit
to ivan-bax/teleport
that referenced
this pull request
May 22, 2026
[Browser MFA] Add protobuf and config (gravitational#63831) [Browser MFA] Add proto for Browser MFA feature (gravitational#64048) [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (gravitational#63873) [Browser MFA] Rename browser mfa config name (gravitational#64980) [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (gravitational#63945) [Browser MFA] Add Browser MFA to challenge request flow (gravitational#63936) [Browser MFA] Add initial requests for browser MFA process to client tools (gravitational#64301) [Browser MFA] Add tsh callback handling for webauthn response (gravitational#64461) [Browser MFA] Add Browser MFA to presence checks (gravitational#65052) [Browser MFA] Add browser MFA path to MFA finish flow (gravitational#64523) [Browser MFA] Add Browser MFA to Connect (gravitational#64887) [Browser MFA] Add Browser MFA UI (gravitational#64692) [Browser MFA] Fix formatting in moderated sessions (gravitational#65236) [Browser MFA] Add Browser MFA ceremony tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds the
BrowserMFARequestIDfield to thePOST /webapi/mfa/authenticatechallengecall so that the correct challenge extensions can be set when requesting an MFA challenge through the browser. The RFD for this addition can be found here. Needs to be merged after #63831.These changes address this part of the flow from the above RFD:
sequenceDiagram participant browser as Browser participant proxy as Proxy participant auth as Auth browser->>proxy: POST /webapi/mfa/authenticatechallenge<br/>w/ browser_mfa_request_id proxy->>auth: rpc CreateAuthenticateChallenge<br/>w/ browser_mfa_request_id auth->>auth: Lookup SSOMFASession<br/>Get challenge extensions auth->>proxy: MFA Challenge proxy->>browser: MFA ChallengeManual tests: