[Browser MFA] Add browser MFA path to MFA finish flow #64523
| auditEvent.Code = events.ValidateMFAAuthResponseCode | ||
| auditEvent.Success = true | ||
| deviceMetadata := mfaDeviceEventMetadata(authData.Device) | ||
| deviceMetadata.MFAViaBrowser = authData.MFAViaBrowser |
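Review bot: `deviceMetadata.MFAViaBrowser` is assigned on the last line here, after `mfaDeviceEventMetadata(authData.Device)` has returned, so the helper's output alone does not carry the field and any other audit path that needs it has to repeat this assignment. Add a short comment on that line stating that the flag comes from `authData` rather than from the device, or wrap the two steps in a small helper that takes `authData`, so the metadata for the `events.ValidateMFAAuthResponseCode` event is built in one place.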
I don't love that I set the MFAViaBrowser field here. But, to add this field to the event via mfaDeviceEventMetadata I would have to add proto to MFADevice that isn't really related to an MFA device, or I could change mfaDeviceEventMetadata to accept authData and change everywhere that uses this function. Any strong opinions on this?
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e3c7c2746d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| } | ||
|
|
||
| // Verify this is a Browser MFA session and not an SSO MFA session. | ||
| if mfaSess.TSHRedirectURL == "" || mfaSess.ConnectorType != constants.BrowserMFA { |
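Review bot: The condition `mfaSess.TSHRedirectURL == "" || mfaSess.ConnectorType != constants.BrowserMFA` folds two different failures into one branch (a missing redirect URL and a wrong connector type), while the code comment above it only describes the second. Extend the comment to say why an empty `TSHRedirectURL` is rejected, and cover both cases in tests, including an SSO MFA session presented to this path.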
Should we add this same check in VerifySSOMFASession?
@danielashare See the table below for backport results.
- [Browser MFA] Add protobuf and config (#63831)
- [Browser MFA] Add proto for Browser MFA feature (#64048)
- [Browser MFA] Add CompleteBrowserMFAChallenge gRPC (#63873)
- [Browser MFA] Rename browser mfa config name (#64980)
- [Browser MFA] Add BrowserMFARequestID to CreateAuthenticateChallenge (#63945)
- [Browser MFA] Add Browser MFA to challenge request flow (#63936)
- [Browser MFA] Add initial requests for browser MFA process to client tools (#64301)
- [Browser MFA] Add tsh callback handling for webauthn response (#64461)
- [Browser MFA] Add Browser MFA to presence checks (#65052)
- [Browser MFA] Add browser MFA path to MFA finish flow (#64523)
- [Browser MFA] Add Browser MFA to Connect (#64887)
- [Browser MFA] Add Browser MFA UI (#64692)
- [Browser MFA] Fix formatting in moderated sessions (#65236)
- [Browser MFA] Add Browser MFA ceremony tests
This PR adds the Browser MFA path to `/webapi/mfa/login/finish` to finish the authentication flow for `tsh`. The RFD for this feature can be found here. Tracking issue here.

These changes address this part of the flow from the above RFD:

```mermaid
sequenceDiagram
    participant tsh
    participant browser as Browser
    participant proxy as Proxy
    participant auth as Auth
    tsh->>proxy: POST /webapi/mfa/login/finish
    proxy->>auth: AuthenticateSSHUser
    auth->>auth: ValidateMFAAuthResponse()
    auth->>auth: Generate SSH certificates
    auth-->>proxy: SSH Login Response
    proxy-->>tsh: Return certificates
```

Manual Test Plan
Test Environment
Running branch locally that has this feature with PoC code to enable starting the Browser MFA flow. Per-session being tested by connecting back to my Mac through Teleport.
Test Cases
- `mfa_via_browser` logged for Browser MFA