Replace final usage of GetSecondFactor in ping response.

api/types/authentication.go

@@ -71,12 +71,8 @@ type AuthPreference interface {
 	// SetType sets the type of authentication: local, saml, or oidc.
 	SetType(string)
 
-	// GetSecondFactor gets the type of second factor.
-	// Deprecated: use GetSecondFactors
-	GetSecondFactor() constants.SecondFactorType
 	// SetSecondFactor sets the type of second factor.
-	// Deprecated: use SetSecondFactor outside of setting the deprecated
-	// off/optional values for tests.
+	// Deprecated: only used in tests to set the deprecated off/optional values.
 	SetSecondFactor(constants.SecondFactorType)
 	// GetSecondFactors gets a list of supported second factors.
 	GetSecondFactors() []SecondFactorType
@@ -324,16 +320,6 @@ func (c *AuthPreferenceV2) SetType(s string) {
 	c.Spec.Type = s
 }
 
-// GetSecondFactor returns the type of second factor.
-func (c *AuthPreferenceV2) GetSecondFactor() constants.SecondFactorType {
-	// SecondFactors takes priority if set.
-	if len(c.Spec.SecondFactors) > 0 {
-		return legacySecondFactorFromSecondFactors(c.Spec.SecondFactors)
-	}
-
-	return c.Spec.SecondFactor
-}
-
 // SetSecondFactor sets the type of second factor.
 func (c *AuthPreferenceV2) SetSecondFactor(s constants.SecondFactorType) {
 	c.Spec.SecondFactor = s

api/types/second_factor.go

@@ -18,30 +18,12 @@ package types
 
 import (
 	"encoding/json"
-	"slices"
 
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/constants"
 )
 
-// legacySecondFactorFromSecondFactors returns a suitable legacy second factor for the given list of second factors.
-func legacySecondFactorFromSecondFactors(secondFactors []SecondFactorType) constants.SecondFactorType {
-	hasOTP := slices.Contains(secondFactors, SecondFactorType_SECOND_FACTOR_TYPE_OTP)
-	hasWebAuthn := slices.Contains(secondFactors, SecondFactorType_SECOND_FACTOR_TYPE_WEBAUTHN)
-
-	switch {
-	case hasOTP && hasWebAuthn:
-		return constants.SecondFactorOn
-	case hasWebAuthn:
-		return constants.SecondFactorWebauthn
-	case hasOTP:
-		return constants.SecondFactorOTP
-	default:
-		return constants.SecondFactorOff
-	}
-}
-
 // secondFactorsFromLegacySecondFactor returns the list of SecondFactorTypes supported by the given second factor type.
 func secondFactorsFromLegacySecondFactor(sf constants.SecondFactorType) []SecondFactorType {
 	switch sf {

lib/web/apiserver.go

@@ -1235,10 +1235,33 @@ func (h *Handler) AccessGraphAddr() utils.NetAddr {
 	return h.cfg.AccessGraphAddr
 }
 
+// legacySecondFactorFromSecondFactors returns a suitable legacy second factor for the given list of second factors.
+func legacySecondFactorFromSecondFactors(secondFactors []types.SecondFactorType) constants.SecondFactorType {
+	hasOTP := slices.Contains(secondFactors, types.SecondFactorType_SECOND_FACTOR_TYPE_OTP)
+	hasWebAuthn := slices.Contains(secondFactors, types.SecondFactorType_SECOND_FACTOR_TYPE_WEBAUTHN)
+	hasSSO := slices.Contains(secondFactors, types.SecondFactorType_SECOND_FACTOR_TYPE_SSO)
+
+	switch {
+	case hasSSO:
+		// In the WebUI, we can treat exclusive SSO MFA as disabled. In practice this means
+		// things like the add MFA device is disabled, but SSO MFA prompts will still work.
+		// TODO(Joerger): Ensure that SSO MFA flows work in the WebUI with this change, once implemented.
+		return constants.SecondFactorOff
+	case hasOTP && hasWebAuthn:
+		return constants.SecondFactorOn
+	case hasWebAuthn:
+		return constants.SecondFactorWebauthn
+	case hasOTP:
+		return constants.SecondFactorOTP
+	default:
+		return constants.SecondFactorOff
+	}
+}
+
 func localSettings(cap types.AuthPreference) (webclient.AuthenticationSettings, error) {
 	as := webclient.AuthenticationSettings{
 		Type:                    constants.Local,
-		SecondFactor:            cap.GetSecondFactor(),
+		SecondFactor:            legacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
 		PreferredLocalMFA:       cap.GetPreferredLocalMFA(),
 		AllowPasswordless:       cap.GetAllowPasswordless(),
 		AllowHeadless:           cap.GetAllowHeadless(),
@@ -1283,7 +1306,7 @@ func oidcSettings(connector types.OIDCConnector, cap types.AuthPreference) webcl
 			Display: connector.GetDisplay(),
 		},
 		// Local fallback / MFA.
-		SecondFactor:            cap.GetSecondFactor(),
+		SecondFactor:            legacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
 		PreferredLocalMFA:       cap.GetPreferredLocalMFA(),
 		PrivateKeyPolicy:        cap.GetPrivateKeyPolicy(),
 		PIVSlot:                 cap.GetPIVSlot(),
@@ -1301,7 +1324,7 @@ func samlSettings(connector types.SAMLConnector, cap types.AuthPreference) webcl
 			SingleLogoutEnabled: connector.GetSingleLogoutURL() != "",
 		},
 		// Local fallback / MFA.
-		SecondFactor:            cap.GetSecondFactor(),
+		SecondFactor:            legacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
 		PreferredLocalMFA:       cap.GetPreferredLocalMFA(),
 		PrivateKeyPolicy:        cap.GetPrivateKeyPolicy(),
 		PIVSlot:                 cap.GetPIVSlot(),
@@ -1318,7 +1341,7 @@ func githubSettings(connector types.GithubConnector, cap types.AuthPreference) w
 			Display: connector.GetDisplay(),
 		},
 		// Local fallback / MFA.
-		SecondFactor:            cap.GetSecondFactor(),
+		SecondFactor:            legacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
 		PreferredLocalMFA:       cap.GetPreferredLocalMFA(),
 		PrivateKeyPolicy:        cap.GetPrivateKeyPolicy(),
 		PIVSlot:                 cap.GetPIVSlot(),
@@ -1720,7 +1743,7 @@ func (h *Handler) getWebConfig(w http.ResponseWriter, r *http.Request, p httprou
 
 		authSettings = webclient.WebConfigAuthSettings{
 			Providers:          authProviders,
-			SecondFactor:       cap.GetSecondFactor(),
+			SecondFactor:       legacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
 			LocalAuthEnabled:   cap.GetAllowLocalAuth(),
 			AllowPasswordless:  cap.GetAllowPasswordless(),
 			AuthType:           authType,