-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SSO MFA prompt for WebUI MFA flows #49794
Conversation
4abf873
to
42ba430
Compare
5911b85
to
672dddb
Compare
ea8e8eb
to
40336ed
Compare
af41a4e
to
bdd69ca
Compare
672dddb
to
9ad6250
Compare
e60ec3d
to
428e745
Compare
9ad6250
to
213322c
Compare
8e2fb35
to
9e8ad10
Compare
213322c
to
fb8c772
Compare
submitAttempt={ft.submitMfaAttempt} | ||
onCancel={ft.clearMfaChallenge} | ||
/> | ||
)} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a scenario where we can get an mfaChallenge
on both mfa
and ft
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, the mfa
authndialog will always be handled and complete before we get to the ft
authndialog. In the new updated code it would be easy to reuse the same mfa state if you're concerned about it though.
web/packages/teleport/src/Console/DocumentSsh/useFileTransfer.ts
Outdated
Show resolved
Hide resolved
4182ae3
to
e3c7edf
Compare
5d0f08d
to
89e4639
Compare
e3c7edf
to
ff21791
Compare
ff21791
to
99729ea
Compare
…x bug where MFA couldn't be retried after a failed attempt; Add extra tests.
5ee3d03
to
e103a1f
Compare
* Include sso channel ID in web mfa challenges. * Handle SSO MFA challenges. * Handle sso response in backend. * Handle non-webauthn mfa response for file transfer, admin actions, and app session. * Simplify useMfa with new helpers. * Fix lint. * Use AuthnDialog for file transfers; Fix json backend logic for file transfers. * Make useMfa and AuthnDialog more reusable and error proof. * Use AuthnDialog for App sessions. * Resolve comments. * Fix broken app launcher; improve mfaRequired logic in useMfa. * Fix AuthnDialog test. * Fix merge conflict with Db web access. * fix stories. * Refactor mfa required logic. * Address bl-nero's comments. * Address Ryan's comments. * Add useMfa unit test. * Fix story lint. * Replace Promise.withResolvers for compatiblity with older browers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
@@ -22,7 +22,7 @@ import { useParams } from 'react-router'; | |||
import useAttempt from 'shared/hooks/useAttemptNext'; | |||
|
|||
import { ButtonState } from 'teleport/lib/tdp'; | |||
import { useMfa } from 'teleport/lib/useMfa'; | |||
import { useMfaTty } from 'teleport/lib/useMfa'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Joerger why is desktop session calling useMfaTty
? There is no TTY for desktop sessions - this is SSH-only code, is it not?
sendWebAuthn(data: WebauthnAssertionResponse) { | ||
const msg = this.codec.encodeMfaJson({ | ||
mfaType: 'n', | ||
jsonString: JSON.stringify(data), | ||
}); | ||
this.send(msg); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mistakenly removed, restored by #50793
* Include sso channel ID in web mfa challenges. * Handle SSO MFA challenges. * Handle sso response in backend. * Handle non-webauthn mfa response for file transfer, admin actions, and app session. * Simplify useMfa with new helpers. * Fix lint. * Use AuthnDialog for file transfers; Fix json backend logic for file transfers. * Make useMfa and AuthnDialog more reusable and error proof. * Use AuthnDialog for App sessions. * Resolve comments. * Fix broken app launcher; improve mfaRequired logic in useMfa. * Fix AuthnDialog test. * Fix merge conflict with Db web access. * fix stories. * Refactor mfa required logic. * Address bl-nero's comments. * Address Ryan's comments. * Add useMfa unit test. * Fix story lint. * Replace Promise.withResolvers for compatiblity with older browers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
* Include sso channel ID in web mfa challenges. * Handle SSO MFA challenges. * Handle sso response in backend. * Handle non-webauthn mfa response for file transfer, admin actions, and app session. * Simplify useMfa with new helpers. * Fix lint. * Use AuthnDialog for file transfers; Fix json backend logic for file transfers. * Make useMfa and AuthnDialog more reusable and error proof. * Use AuthnDialog for App sessions. * Resolve comments. * Fix broken app launcher; improve mfaRequired logic in useMfa. * Fix AuthnDialog test. * Fix merge conflict with Db web access. * fix stories. * Refactor mfa required logic. * Address bl-nero's comments. * Address Ryan's comments. * Add useMfa unit test. * Fix story lint. * Replace Promise.withResolvers for compatiblity with older browers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
* Include sso channel ID in web mfa challenges. * Handle SSO MFA challenges. * Handle sso response in backend. * Handle non-webauthn mfa response for file transfer, admin actions, and app session. * Simplify useMfa with new helpers. * Fix lint. * Use AuthnDialog for file transfers; Fix json backend logic for file transfers. * Make useMfa and AuthnDialog more reusable and error proof. * Use AuthnDialog for App sessions. * Resolve comments. * Fix broken app launcher; improve mfaRequired logic in useMfa. * Fix AuthnDialog test. * Fix merge conflict with Db web access. * fix stories. * Refactor mfa required logic. * Address bl-nero's comments. * Address Ryan's comments. * Add useMfa unit test. * Fix story lint. * Replace Promise.withResolvers for compatiblity with older browers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.
Changelog: Add full SSO MFA support for the WebUI.
Extends SSO MFA support for:
Reauthenticate
flows (RefactorReauthenticate
components to handle generic MFA challenges. #49680)Note: per-session SSO MFA for Node, Kube, and Desktop was already supported.
Depends on #49680