gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

RFD and implementation: Better SSO flow #7493

Open klizhentas opened 2 years ago

klizhentas commented 2 years ago

What

Current Teleport SSO protocol relies on redirects and encryption too much. As a result of that it is quite fragile (large redirects break).

We can borrow from WebAuthn and use the fact that Teleport 7.0 will have SNI access to GRPC endpoints through web proxy. Once it's ready we can switch protocol to be server side:

This flow does not require any custom encryption or redirects and closer resembles WebAuthn. It might integrate better with WebAuthn as well.

How

Why

This feature is required for Desktop app to work better, improves SSO redirect flow to be more lightweight and not pass data in redirects.

Workaround

If a workaround exists, please include it.

[Two screenshots attached, 2021-06-10]

Flow

Diagram generated with https://www.planttext.com/

@startuml

desktop_server <- desktop_web_ui: mTLS GRPC login acme.com
desktop_server -> acme.com_web_ui: HTTPS POST /login public key
acme.com_web_ui -> acme.com_server: Create registration attempt (public key)
acme.com_server -> acme.com_web_ui: 32 byte crypto random challenge, attempt id
acme.com_web_ui -> desktop_server: 32 byte crypto random challenge, attempt id
desktop_server -> desktop_web_ui: attempt=signed(public key, challenge, attempt id)
desktop_web_ui -> acme.com_web_ui: redirect /web/login?=attempt
desktop_web_ui -> acme.com_web_ui: POST /web/login (attempt, username, password)
acme.com_web_ui -> acme.com_server: POST /web/login (attempt, username, password)
acme.com_server -> acme.com_web_ui: OK certificate
acme.com_web_ui -> desktop_web_ui: redirect certificate
desktop_web_ui -> desktop_server: OK certificate
@enduml
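
The server-side part of the diagram above, written out as an added Go example; this is not Teleport's code and does not use its APIs. It models acme.com_server creating a registration attempt (a fresh 32-byte random challenge bound to the posted public key and an attempt id), desktop_server signing that attempt, and the server verifying the signature before checking the password and issuing a certificate. Everything below is an assumption for illustration: Ed25519 is the key type, the signed message is a length-prefixed concatenation of challenge, attempt id and public key, the user table is a constructed plaintext map, and the returned "certificate" is a stand-in string rather than a real Teleport certificate. It goes slightly beyond the diagram by making each attempt single-use and time-limited, which is what stops a captured signed attempt from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Attempt is the server-side record behind "Create registration attempt (public key)".
// The challenge is bound to one public key and may be consumed exactly once.
type Attempt struct {
	ID        string
	Challenge []byte
	PublicKey ed25519.PublicKey
	Created   time.Time
	Used      bool
}

// AuthServer stands in for acme.com_server. users is a constructed plaintext
// password table, kept that way only to keep the example short.
type AuthServer struct {
	mu       sync.Mutex
	attempts map[string]*Attempt
	ttl      time.Duration
	users    map[string]string
}

func NewAuthServer(ttl time.Duration, users map[string]string) *AuthServer {
	return &AuthServer{attempts: map[string]*Attempt{}, ttl: ttl, users: users}
}

// CreateAttempt handles "POST /login public key": it returns a 32-byte
// crypto-random challenge and an attempt id, both remembered server side.
func (s *AuthServer) CreateAttempt(pub ed25519.PublicKey) (string, []byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return "", nil, errors.New("bad public key length")
	}
	challenge, idBytes := make([]byte, 32), make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		return "", nil, err
	}
	if _, err := rand.Read(idBytes); err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(idBytes)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.attempts[id] = &Attempt{ID: id, Challenge: challenge, PublicKey: pub, Created: time.Now()}
	return id, challenge, nil
}

// attemptMessage is the byte string both sides sign and verify:
// len||challenge, len||attempt id, len||public key (assumed encoding).
func attemptMessage(challenge []byte, id string, pub ed25519.PublicKey) []byte {
	var msg []byte
	for _, part := range [][]byte{challenge, []byte(id), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		msg = append(append(msg, n[:]...), part...)
	}
	return msg
}

// SignAttempt is the desktop_server step "attempt=signed(public key, challenge, attempt id)".
func SignAttempt(priv ed25519.PrivateKey, id string, challenge []byte) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, attemptMessage(challenge, id, pub))
}

// CompleteLogin handles "POST /web/login (attempt, username, password)". The attempt
// is checked for existence, single use, TTL and signature before the password is
// looked at, and is consumed even if the password is wrong, so a failed login cannot
// retry with the same signed attempt.
func (s *AuthServer) CompleteLogin(id string, sig []byte, username, password string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	a, ok := s.attempts[id]
	if !ok {
		return "", errors.New("unknown attempt id")
	}
	if a.Used {
		return "", errors.New("attempt already used")
	}
	if time.Since(a.Created) > s.ttl {
		delete(s.attempts, id)
		return "", errors.New("attempt expired")
	}
	if !ed25519.Verify(a.PublicKey, attemptMessage(a.Challenge, id, a.PublicKey), sig) {
		return "", errors.New("bad attempt signature")
	}
	a.Used = true
	want, ok := s.users[username]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return "", errors.New("invalid username or password")
	}
	// Stand-in for the certificate the server would issue: the key is bound to the user.
	return fmt.Sprintf("cert(user=%s,key=%s)", username, hex.EncodeToString(a.PublicKey[:8])), nil
}

func main() {
	server := NewAuthServer(time.Minute, map[string]string{"alice": "correct horse"}) // constructed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id, challenge, _ := server.CreateAttempt(pub)
	sig := SignAttempt(priv, id, challenge)
	cert, err := server.CompleteLogin(id, sig, "alice", "correct horse")
	fmt.Println(cert, err)
	_, err = server.CompleteLogin(id, sig, "alice", "correct horse") // replay of the same attempt
	fmt.Println("replay:", err)
}
```

Because the public key is part of the signed message and the server verifies against the key it stored at CreateAttempt, a signed attempt cannot be re-bound to a different key, and because the attempt is marked used before the password check, the redirect carrying the attempt is harmless if it leaks after the fact.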

klizhentas commented 2 years ago

@codingllama I have chatted with @russjones about that, that would be the next issue for you to hack on after the #6478 issue. @russjones will provide more details.