Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Per-session MFA for desktops is broken #50557

Open
zmb3 opened this issue Dec 23, 2024 · 0 comments
Open

Per-session MFA for desktops is broken #50557

zmb3 opened this issue Dec 23, 2024 · 0 comments
Assignees
Labels
bug desktop-access mfa Issues related to Multi Factor Authentication regression

Comments

@zmb3
Copy link
Collaborator

zmb3 commented Dec 23, 2024

When attempting to connect to a desktop where per-session MFA is required, I am correctly prompted for an MFA, but after tapping the webauthn device I never see the remote desktop - the UI just remains at the spinner.

Browser dev tools show the MFA challenge going out over websocket:

Image

Nothing super interesting in the Teleport logs (I suspect this is a web UI issue):

2024-12-23T11:18:59.639-07:00 DEBU [WEB]       Attempting to connect to desktop user:zac session:73d7 desktop_name:dynamic-standalone-2019 cluster_name:zac-local username:Administrator web/desktop.go:109
2024-12-23T11:18:59.639-07:00 DEBU [WEB]       Attempting to connect to desktop user:zac session:73d7 desktop_name:dynamic-standalone-2019 cluster_name:zac-local username:Administrator width:1497 height:1291 web/desktop.go:130
2024-12-23T11:18:59.644-07:00 INFO  emitting audit event event_type:mfa_auth_challenge.create fields:map[challenge_allow_reuse:false challenge_scope:CHALLENGE_SCOPE_USER_SESSION cluster_name:zac-local code:T1015I ei:0 event:mfa_auth_challenge.create time:2024-12-23T18:18:59.644Z trace.component:audit uid:dc40a423-a865-4ce2-96d4-1abdeb31faa2 user:zac user_kind:1] events/emitter.go:287
2024-12-23T11:19:51.575-07:00 DEBU [WEB]       Received non-MFA message, withholding msg_type:tdp.ClientScreenSpec trace_id:b08dbd3cdc5bbde818c7c12e2d9e5fed span_id:81934a26473a88cd web/desktop.go:424
2024-12-23T11:19:58.096-07:00 ERRO [WEB]       creating desktop connection failed user:zac session:73d7 desktop_name:dynamic-standalone-2019 cluster_name:zac-local error:[websocket: close sent] web/desktop.go:79

Questions:

  • why do we see two "attempting to connect to desktop" messages?

I confirmed that this brokenb behavior is present on master (d070ce0), but is not present on branch/v17 (909aca2), which suggests that #49794 (comment) is probably the culprit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug desktop-access mfa Issues related to Multi Factor Authentication regression
Projects
None yet
Development

No branches or pull requests

2 participants