[v17] SSO MFA - fail gracefully when the Proxy is down (#48757)
* Allow SSO MFA to fail gracefully on the client when the Proxy is down.

* Update api/mfa/ceremony.go

Co-authored-by: Marco Dinis <[email protected]>

---------

Co-authored-by: Marco Dinis <[email protected]>
Joerger and marcoandredinis authored Nov 12, 2024
1 parent 7adada0 commit af029b6
Showing 2 changed files with 9 additions and 6 deletions.
13 changes: 8 additions & 5 deletions api/mfa/ceremony.go
@@ -18,6 +18,7 @@ package mfa

import (
"context"
"log/slog"
"slices"

"github.com/gravitational/trace"
@@ -72,12 +73,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
if c.SSOMFACeremonyConstructor != nil {
ssoMFACeremony, err := c.SSOMFACeremonyConstructor(ctx)
if err != nil {
return nil, trace.Wrap(err, "failed to handle SSO MFA ceremony")
// We may fail to start the SSO MFA flow in cases where the Proxy is down or broken. Fall
// back to skipping SSO MFA, especially since SSO MFA may not even be allowed on the server.
slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
} else {
defer ssoMFACeremony.Close()
req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
}
defer ssoMFACeremony.Close()

req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
}

chal, err := c.CreateAuthenticateChallenge(ctx, req)
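Review bot: The new `err != nil` branch in Run handles every constructor failure the same way and records it only at debug level, so a user whose only usable method is SSO MFA would presumably hit a later, unrelated-looking failure with the real cause hidden. Consider raising the level, e.g. `slog.WarnContext(ctx, "SSO MFA unavailable, continuing with other MFA methods", "error", err)`, or keeping the error and attaching it to whatever is returned if no other method succeeds. As far as the hunk shows the fallback does not skip MFA, because the challenge is still requested through `c.CreateAuthenticateChallenge`, but it does change which factor is offered, and that best-effort behaviour deserves a sentence in Run's doc comment. Run starts and ends outside the hunk.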
2 changes: 1 addition & 1 deletion lib/client/mfa.go
@@ -95,7 +95,7 @@ func (tc *TeleportClient) NewSSOMFACeremony(ctx context.Context) (mfa.SSOMFACere

rd, err := sso.NewRedirector(rdConfig)
if err != nil {
return nil, trace.Wrap(err)
return nil, trace.Wrap(err, "failed to create a redirector for SSO MFA")
}

return sso.NewCLIMFACeremony(rd), nil