Current Teleport SSO protocol relies too much on redirects and encryption. As a result it is quite fragile (large redirects break).
We can borrow from WebAuthn and use the fact that Teleport 7.0 will have SNI access to GRPC endpoints through the web proxy.
Once it's ready we can switch the protocol to be server side:
1. Client initiates the login procedure and registers, over GRPC, the public key the client wishes to have signed
2. Server returns the challenge to sign
3. Client initiates the login through the UI or CLI, presenting the signed challenge ID as the reference to the server
4. If authentication is successful, the server updates internal state by signing the cert
5. Client can retrieve the certificate using GRPC
This flow does not require any custom encryption or redirects and closer resembles WebAuthn. It might integrate better with WebAuthn as well.
How
1. Prototype the design locally using a local GRPC connection
2. Write an RFD and go through security design review
3. Implement the new SSO flow
4. Ship alongside @smallinsky's implementation of the SNI proxy feature post 7.0 (#7280)
Why
This feature is required for the Desktop app to work better; it makes the SSO redirect flow more lightweight and stops passing data in redirects.
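The five-step challenge flow proposed above, sketched in Go as an added example (not Teleport's code): an in-memory auth server hands out a challenge ID plus nonce when a client registers its public key, accepts the signed challenge only once and only from the registered key, and releases the certificate to the polling call afterwards. The ed25519 keys, the single-goroutine in-memory session store and the "user:key" certificate payload are assumptions made for illustration.

```go
package main
import "crypto/ed25519"
import "crypto/rand"
import "fmt"
type loginSession struct {
	pub       ed25519.PublicKey // key the client registered over gRPC (step 1)
	challenge []byte            // random nonce the client must sign (step 2)
	cert      []byte            // issued only after the SSO step succeeded (step 4)
}
// authServer stands in for the Teleport auth server (assumed: in-memory, single goroutine, ed25519 only).
type authServer struct {
	caPriv   ed25519.PrivateKey
	CAPub    ed25519.PublicKey
	sessions map[string]loginSession // keyed by challenge ID
}
func newAuthServer() *authServer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &authServer{caPriv: priv, CAPub: pub, sessions: map[string]loginSession{}}
}
// RegisterKey (gRPC): the client registers the key it wants certified; the server answers with a challenge ID and nonce.
func (s *authServer) RegisterKey(pub ed25519.PublicKey) (string, []byte) {
	nonce := make([]byte, 48)
	rand.Read(nonce)
	id, challenge := fmt.Sprintf("%x", nonce[:16]), nonce[16:]
	s.sessions[id] = loginSession{pub: pub, challenge: challenge}
	return id, challenge
}
// CompleteSSO (UI or CLI path): the SSO result carries challenge ID plus signature; the server checks the signature against the registered key, only then signs the cert, and a challenge is single-use so replaying it fails.
func (s *authServer) CompleteSSO(id string, sig []byte, ssoUser string) error {
	sess, ok := s.sessions[id]
	if !ok || sess.cert != nil {
		return fmt.Errorf("challenge %s unknown or already consumed", id)
	}
	if !ed25519.Verify(sess.pub, sess.challenge, sig) {
		return fmt.Errorf("challenge %s: signature does not match registered key", id)
	}
	sess.cert = ed25519.Sign(s.caPriv, append([]byte(ssoUser+":"), sess.pub...)) // toy cert: CA signs user and key
	s.sessions[id] = sess
	return nil
}
// RetrieveCert (gRPC): the client polls for its cert; nil until the SSO step has completed.
func (s *authServer) RetrieveCert(id string) []byte { return s.sessions[id].cert }
func main() {
	s := newAuthServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)                 // client key, generated locally
	id, challenge := s.RegisterKey(pub)                              // steps 1-2 over gRPC
	err := s.CompleteSSO(id, ed25519.Sign(priv, challenge), "alice") // steps 3-4 via UI or CLI
	fmt.Println(err, ed25519.Verify(s.CAPub, append([]byte("alice:"), pub...), s.RetrieveCert(id))) // step 5; prints: <nil> true
}
```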
@codingllama I have chatted with @russjones about that; that would be the next issue for you to hack on after the #6478 issue. @russjones will provide more details.
Flow
Flow diagram (generated with https://www.planttext.com/); the image itself is not included here.