[Browser MFA] Add CLI tool callback handling for webauthn response by danielashare · Pull Request #64461 · gravitational/teleport

danielashare · 2026-03-10T07:08:27Z

This PR adds the functionality for tsh and tctl to receive authorisation via the Browser MFA flow to login/ssh/admin action. The request portion of this feature can be found at #64301. The RFD for Browser MFA can be found here. Tracking issue here.

These changes address this part of the flow from the above RFD:

sequenceDiagram
    participant tsh
    participant browser as Browser
    participant proxy as Proxy

    browser->>tsh: Redirect to callback URL<br/>http://127.0.0.1:port/callback?response={encrypted_webauthn}
    tsh->>tsh: Decrypt response with secret_key<br/>Extract WebAuthn response
    tsh-->>browser: Display success page
    tsh->>proxy: POST /webapi/mfa/login/finish

Manual tests:

tsh login with Browser MFA to PoC branch
tsh ssh with Browser MFA to PoC branch
tctl edit cap with Browser MFA to PoC branch
tsh login with SSO
tsh ssh with SSO MFA
tctl edit cap with SSO MFA

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8442df866f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8d6f4ebe95

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d8311c3079

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d5e063415

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35e4ad063c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

backport-bot-workflows · 2026-03-27T08:01:07Z

@danielashare See the table below for backport results.

Branch	Result
branch/v18	Failed

[Browser MFA] Add protobuf and config (#63831) [Browser MFA] Add proto for Browser MFA feature (#64048) [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (#63873) [Browser MFA] Rename browser mfa config name (#64980) [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (#63945) [Browser MFA] Add Browser MFA to challenge request flow (#63936) [Browser MFA] Add initial requests for browser MFA process to client tools (#64301) [Browser MFA] Add tsh callback handling for webauthn response (#64461) [Browser MFA] Add Browser MFA to presence checks (#65052) [Browser MFA] Add browser MFA path to MFA finish flow (#64523) [Browser MFA] Add Browser MFA to Connect (#64887) [Browser MFA] Add Browser MFA UI (#64692) [Browser MFA] Fix formatting in moderated sessions (#65236) [Browser MFA] Add Browser MFA ceremony tests

[Browser MFA] Add protobuf and config (gravitational#63831) [Browser MFA] Add proto for Browser MFA feature (gravitational#64048) [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (gravitational#63873) [Browser MFA] Rename browser mfa config name (gravitational#64980) [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (gravitational#63945) [Browser MFA] Add Browser MFA to challenge request flow (gravitational#63936) [Browser MFA] Add initial requests for browser MFA process to client tools (gravitational#64301) [Browser MFA] Add tsh callback handling for webauthn response (gravitational#64461) [Browser MFA] Add Browser MFA to presence checks (gravitational#65052) [Browser MFA] Add browser MFA path to MFA finish flow (gravitational#64523) [Browser MFA] Add Browser MFA to Connect (gravitational#64887) [Browser MFA] Add Browser MFA UI (gravitational#64692) [Browser MFA] Fix formatting in moderated sessions (gravitational#65236) [Browser MFA] Add Browser MFA ceremony tests

danielashare self-assigned this Mar 10, 2026

danielashare added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v18 labels Mar 10, 2026

github-actions Bot added the size/sm label Mar 10, 2026

github-actions Bot requested review from Tener and tcsc March 10, 2026 07:09

chatgpt-codex-connector Bot reviewed Mar 10, 2026

View reviewed changes

Comment thread lib/client/weblogin.go

danielashare mentioned this pull request Mar 10, 2026

Browser MFA Feature #63987

Open

danielashare changed the title ~~[Browser MFA] Add tsh callback handling for webauthn response~~ [Browser MFA] Add CLI tool callback handling for webauthn response Mar 10, 2026

danielashare mentioned this pull request Mar 13, 2026

[Browser MFA] Add initial requests for browser MFA process to client tools #64301

Merged

8 tasks

danielashare force-pushed the danielashare/browser-mfa-client-mfa-begin branch from aa535dc to 9a24357 Compare March 22, 2026 08:54

danielashare requested review from Joerger, codingllama and zmb3 March 22, 2026 09:00

danielashare force-pushed the danielashare/browser-mfa-client-mfa-receive branch from a8d4d22 to 8d6f4eb Compare March 22, 2026 10:04

chatgpt-codex-connector Bot reviewed Mar 22, 2026

View reviewed changes

Comment thread lib/client/sso/ceremony.go

danielashare force-pushed the danielashare/browser-mfa-client-mfa-receive branch from 8d6f4eb to d8311c3 Compare March 23, 2026 15:06

chatgpt-codex-connector Bot reviewed Mar 23, 2026

View reviewed changes

Comment thread lib/client/sso/ceremony.go Outdated

Comment thread lib/client/sso/ceremony.go

zmb3 approved these changes Mar 24, 2026

View reviewed changes

Comment thread lib/client/sso/ceremony.go Outdated

Tener approved these changes Mar 25, 2026

View reviewed changes

Comment thread lib/client/sso/ceremony.go Outdated

public-teleport-github-review-bot Bot removed request for Joerger, codingllama and tcsc March 25, 2026 10:56

danielashare force-pushed the danielashare/browser-mfa-client-mfa-receive branch from f3b8de7 to f540b6f Compare March 25, 2026 15:24

danielashare force-pushed the danielashare/browser-mfa-client-mfa-begin branch 4 times, most recently from ebfb00a to ab64815 Compare March 26, 2026 16:00

chatgpt-codex-connector Bot reviewed Mar 26, 2026

View reviewed changes

Comment thread lib/auth/grpcserver.go

Comment thread lib/client/mfa/cli.go Outdated

danielashare force-pushed the danielashare/browser-mfa-client-mfa-begin branch from ab64815 to 5d7ccee Compare March 26, 2026 20:08

chatgpt-codex-connector Bot reviewed Mar 26, 2026

View reviewed changes

Comment thread lib/client/mfa/cli.go

Base automatically changed from danielashare/browser-mfa-client-mfa-begin to master March 26, 2026 20:50

danielashare force-pushed the danielashare/browser-mfa-client-mfa-receive branch from 35e4ad0 to 8fc32c9 Compare March 26, 2026 22:01

[Browser MFA] Add tsh callback handling for webauthn response

c9fe8ce

danielashare force-pushed the danielashare/browser-mfa-client-mfa-receive branch from 8fc32c9 to c9fe8ce Compare March 26, 2026 22:04

danielashare added this pull request to the merge queue Mar 27, 2026

Merged via the queue into master with commit e745e0d Mar 27, 2026
42 of 43 checks passed

danielashare deleted the danielashare/browser-mfa-client-mfa-receive branch March 27, 2026 07:59

danielashare added a commit that referenced this pull request Mar 31, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

8c5e347

danielashare added a commit that referenced this pull request Apr 2, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

6fa095f

danielashare added a commit that referenced this pull request Apr 7, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

324d816

danielashare added a commit that referenced this pull request Apr 17, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

4477f5d

mmcallister pushed a commit that referenced this pull request Apr 24, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

c98a26e

mmcallister pushed a commit that referenced this pull request Apr 28, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

1bf28cc

danielashare added a commit that referenced this pull request Apr 30, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

220a7df

danielashare added a commit that referenced this pull request May 5, 2026

[Browser MFA] Add tsh callback handling for webauthn response (#64461)

b4e9adb

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Browser MFA] Add CLI tool callback handling for webauthn response#64461

[Browser MFA] Add CLI tool callback handling for webauthn response#64461
danielashare merged 1 commit into
masterfrom
danielashare/browser-mfa-client-mfa-receive

danielashare commented Mar 10, 2026 •

edited

Loading

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

Uh oh!

Uh oh!

backport-bot-workflows Bot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

danielashare commented Mar 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

backport-bot-workflows Bot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

danielashare commented Mar 10, 2026 •

edited

Loading