Add display name to SSO MFA device; Add SSO MFA device to SSO challenge.

gravitational · Oct 23, 2024 · d5f2687 · d5f2687
1 parent bc5f610
commit d5f2687
Show file tree

Hide file tree

Showing 10 changed files with 2,584 additions and 2,433 deletions.
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -1251,6 +1251,8 @@ message SSOChallenge {
   string request_id = 1;
   // RedirectUrl is an IdP redirect URL to initate the SSO MFA flow.
   string redirect_url = 2;
+  // Device is the SSO device corresponding to the challenge.
+  types.SSOMFADevice device = 3;
 }
 
 // SSOResponse is a response to SSOChallenge.

diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -3808,6 +3808,8 @@ message SSOMFADevice {
   string connector_id = 1;
   // connector_type is the type of the SSO connector.
   string connector_type = 2;
+  // display_name is the display name of the SSO connector
+  string display_name = 3;
 }
 
 // WebauthnLocalAuth holds settings necessary for local webauthn use.

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/lib/auth/sso_mfa.go b/lib/auth/sso_mfa.go
@@ -34,7 +34,10 @@ import (
 
 // beginSSOMFAChallenge creates a new SSO MFA auth request and session data for the given user and sso device.
 func (a *Server) beginSSOMFAChallenge(ctx context.Context, user string, sso *types.SSOMFADevice, ssoClientRedirectURL string, ext *mfav1.ChallengeExtensions) (*proto.SSOChallenge, error) {
-	chal := new(proto.SSOChallenge)
+	chal := &proto.SSOChallenge{
+		Device: sso,
+	}
+
 	switch sso.ConnectorType {
 	case constants.SAML:
 		resp, err := a.CreateSAMLAuthRequestForMFA(ctx, types.SAMLAuthRequest{

diff --git a/lib/client/weblogin.go b/lib/client/weblogin.go
@@ -112,7 +112,13 @@ type MFAChallengeResponse struct {
 	// WebauthnResponse is a response from a webauthn device.
 	WebauthnResponse *wantypes.CredentialAssertionResponse `json:"webauthn_response,omitempty"`
 	// SSOResponse is a response from an SSO MFA flow.
-	SSOResponse *proto.SSOResponse `json:"sso_response,omitempty"`
+	SSOResponse *SSOResponse `json:"sso_response"`
+}
+
+// SSOResponse is a json compatible [proto.SSOResponse].
+type SSOResponse struct {
+	RequestID string `json:"request_id,omitempty"`
+	Token     string `json:"token,omitempty"`
 }
 
 // GetOptionalMFAResponseProtoReq converts response to a type proto.MFAAuthenticateResponse,
@@ -460,7 +466,33 @@ type MFAAuthenticateChallenge struct {
 	// TOTPChallenge specifies whether TOTP is supported for this user.
 	TOTPChallenge bool `json:"totp_challenge"`
 	// SSOChallenge is an SSO MFA challenge.
-	SSOChallenge *proto.SSOChallenge `json:"sso_challenge"`
+	SSOChallenge *SSOChallenge `json:"sso_challenge"`
+}
+
+// SSOChallenge is a json compatible [proto.SSOChallenge].
+type SSOChallenge struct {
+	RequestID   string        `json:"request_id,omitempty"`
+	RedirectURL string        `json:"redirect_url,omitempty"`
+	Device      *SSOMFADevice `json:"device"`
+}
+
+// SSOMFADevice is a json compatible [proto.SSOMFADevice].
+type SSOMFADevice struct {
+	ConnectorID   string `json:"connector_id,omitempty"`
+	ConnectorType string `json:"connector_type,omitempty"`
+	DisplayName   string `json:"display_name,omitempty"`
+}
+
+func SSOChallengeFromProto(ssoChal *proto.SSOChallenge) *SSOChallenge {
+	return &SSOChallenge{
+		RequestID:   ssoChal.RequestId,
+		RedirectURL: ssoChal.RedirectUrl,
+		Device: &SSOMFADevice{
+			ConnectorID:   ssoChal.Device.ConnectorId,
+			ConnectorType: ssoChal.Device.ConnectorType,
+			DisplayName:   ssoChal.Device.DisplayName,
+		},
+	}
 }
 
 // MFARegisterChallenge is an MFA register challenge sent on new MFA register.

diff --git a/lib/services/local/users.go b/lib/services/local/users.go
@@ -1489,6 +1489,7 @@ func (s *IdentityService) getSSOMFADevice(ctx context.Context, user string) (*ty
 		Sso: &types.SSOMFADevice{
 			ConnectorId:   cb.Connector.ID,
 			ConnectorType: cb.Connector.Type,
+			DisplayName:   mfaConnector.GetDisplay(),
 		},
 	})
 }

diff --git a/lib/web/mfa.go b/lib/web/mfa.go
@@ -488,7 +488,7 @@ func makeAuthenticateChallenge(protoChal *proto.MFAAuthenticateChallenge) *clien
 		chal.WebauthnChallenge = wantypes.CredentialAssertionFromProto(protoChal.WebauthnChallenge)
 	}
 	if protoChal.GetSSOChallenge() != nil {
-		chal.SSOChallenge = protoChal.GetSSOChallenge()
+		chal.SSOChallenge = client.SSOChallengeFromProto(protoChal.GetSSOChallenge())
 	}
 	return chal
 }
diff --git a/lib/web/mfajson/mfajson.go b/lib/web/mfajson/mfajson.go
@@ -61,7 +61,10 @@ func Decode(b []byte, typ string) (*authproto.MFAAuthenticateResponse, error) {
 	case resp.SSOResponse != nil:
 		return &authproto.MFAAuthenticateResponse{
 			Response: &authproto.MFAAuthenticateResponse_SSO{
-				SSO: resp.SSOResponse,
+				SSO: &authproto.SSOResponse{
+					RequestId: resp.SSOResponse.RequestID,
+					Token:     resp.SSOResponse.Token,
+				},
 			},
 		}, nil
 	case resp.TOTPCode != "":

diff --git a/lib/web/terminal.go b/lib/web/terminal.go
@@ -632,7 +632,7 @@ func newMFAPrompt(stream *terminal.WSStream) mfa.Prompt {
 			challenge.WebauthnChallenge = wantypes.CredentialAssertionFromProto(chal.WebauthnChallenge)
 		}
 		if chal.SSOChallenge != nil {
-			challenge.SSOChallenge = chal.SSOChallenge
+			challenge.SSOChallenge = client.SSOChallengeFromProto(chal.SSOChallenge)
 		}
 
 		if chal.WebauthnChallenge == nil && chal.SSOChallenge == nil {