[Browser MFA] Add ValidateBrowserMFAChallenge gRPC

[danielashare]

This PR adds the ValidateBrowserMFAChallenge gRPC endpoint. The RFD for this addition can be found here. Needs to be merged after #63978.

These changes address this part of the flow:

sequenceDiagram
    proxy->>auth: rpc ValidateBrowserMFAChallenge
    auth->>auth: ValidateMFAResponse()
    auth->>auth: Encrypt WebAuthn response<br/>with secret_key
    auth-->>proxy: Return http://127.0.0.1:port/callback?response={encrypted_webauthn}
    proxy-->>browser: HTTP 200 with redirect URL

Loading

I would like to draw particular attention to login.go. In order to validate the WebAuthn response from the browser without consuming it, I had to split the validation logic out of login.go's finish function in to its own function. I want to avoid consuming it because in the full Browser MFA flow, the WebAuthn response is returned to tsh where it will exchange the response for certificates etc. I wonder if it is worth validating the MFA response from the browser before sending it back to tsh where it will then send the MFA response back to the server where it will have to be validated again anyway?

Manual tests:

• Login with OTP
• Login with WebAuthn
• Login with TouchID
• Login with YubiKey
• Passwordless login with TouchID
• Passwordless login with YubiKey
• Passwordless login with WebAuthn

[codingllama]

Reviewed a good chunk of it, but not all.

As stated in the proto PR, I think the RPC could be in the specialized MFAService instead.

This could also, potentially, be split into a few distinct smaller PRs: lib/webauthn changes, browser MFA encrypt/decrypt, and the RPC itself. Once we add tests in various layers it'll likely grow.

[codingllama]

I'm confused, why is this field in SSHLoginResponse?

[danielashare]

The redirect handler in tsh expects a SSHLoginResponse containing an MFAToken for SSO MFA. I had a look at returning a plain string from encryptBrowserMFAResponse and modifying tsh's [callback](https://github.com/gravitational/teleport/blob/master/lib/client/sso/redirector.go#L422) handler to guess if the decrypted response was a SSHLoginResponse or a WebAuthn JSON, but it wasn't very confidence inspiring. Or it would require adding a new set of callback handlers or starting up two callback servers, which would be quite a large change.

I think it would be simpler to implement and maintain if we kept BrowserMFAWebauthnResponse as part of SSHLoginResponse, WDYT?

[codingllama]

No wonder I'm confused, it's quite the indirect relationship.

I think a bit more context in the godoc is useful. Eg:

	// BrowserMFAWebauthnResponse is a webauthn response for the browser MFA flow.
	// Exists in SSHLoginResponse as this is the payload used by the SSO redirector
	// (lib/client/sso.Redirector).

I would also consider a similar comment, or a type alias, for encryptBrowserMFAResponse:

// Payload required by lib/client/sso.Redirector.
type ssoRedirectorResponse = authclient.SSHLoginResponse

func encryptBrowserMFAResponse(redirectURL *url.URL, webauthnResponse *wantypes.CredentialAssertionResponse) (string, error) { 
	consoleResponse := ssoRedirectorResponse{ 
		BrowserMFAWebauthnResponse: webauthnResponse,
	}
	// (...)
}

The type alias could live inside lib/client/sso, but I'm not sure it's best touching that now (or in this PR).

[danielashare]

Added those for clarity

[codingllama]

Let's test this as well, as it should touch all layers.

[danielashare]

Moved to MFA Service and added tests

[codingllama]

I don't see the move to MFAService, did you push?

[danielashare]

Not yet, sorry, still separating in to different PRs

[codingllama]

Add a godoc?

[codingllama]

Let's include authz in the gRPC tests.

[codingllama]

I'd be tempted to pass the request proto down all the way instead of unwrapping it here. If we change the request this will break.

[codingllama]

(1) I wonder if we should let this all happen, but retain the data for exactly one following Finish call. (Maybe with caveats for reuse?)

Maybe:

a. Finish(retainData=true) - (update counter, update device, retain session data)
b. Finish() - (noop, update device, delete session data)

---

(2) If you take the suggestion from (1), let's first refactor Finish to it takes a struct as input. It'll be too many parameters and we'll have to touch all callers anyway.

Eg: Finish(context.Context, FinishParams) (*LoginData, error)

Let's do that in a separate PR, with only the refactor and nothing else.

---

(3) I was checking the RFD and found this:

After successful validation, the WebAuthn response is encrypted with the secret key from the client redirect URL and returned to be sent to tsh. The SSOMFASession is deleted to prevent reuse attacks.

https://github.com/gravitational/teleport/blob/master/rfd/0233-tsh-browser-mfa.md#rpc-validatebrowsermfachallenge

So it looks like we are deviating by retaining the session data?

[danielashare]

I think it would be best to keep the two functions separate from a DX point of view. I think it's clearer what each function does.

Hmm, yeah, that part of the RFD needs updating because session data is retained if Reuse=true.

[codingllama]

I keep a separate open branch where I collect RFD changes/corrections, so I can mail it the end. Maybe do something like that so you don't lose track of it?

[danielashare]

Apologies @codingllama, your comments have lost their context since I split out the webauthn changes

[codingllama]

Apologies codingllama, your comments have lost their context since I split out the webauthn changes

No worries, give me a ping when this is good for another pass.