Allow SSO users to delete their last passwordless device (#46520)

* Allow SSO users to delete their last passwordless device. * Add test.
gravitational · Sep 30, 2024 · a7b157a · a7b157a
1 parent 0870fb0
commit a7b157a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -3903,6 +3903,12 @@ func (a *Server) deleteMFADeviceSafely(ctx context.Context, user, deviceName str
 		if err != nil {
 			return false, trace.Wrap(err)
 		}
+
+		// SSO users can always login through their SSO provider.
+		if u.GetUserType() == types.UserTypeSSO {
+			return true, nil
+		}
+
 		if u.GetPasswordState() != types.PasswordState_PASSWORD_STATE_SET {
 			return false, nil
 		}

diff --git a/lib/auth/grpcserver_test.go b/lib/auth/grpcserver_test.go
@@ -492,6 +492,22 @@ func TestDeletingLastPasswordlessDevice(t *testing.T) {
 			},
 			checkErr: require.NoError,
 		},
+		{
+			name: "succeeds when the user is an SSO user",
+			setup: func(t *testing.T, username string, userClient *authclient.Client, pwdlessDev *TestDevice) {
+				user, err := authServer.GetUser(ctx, username, false)
+				require.NoError(t, err, "GetUser")
+				user.SetCreatedBy(types.CreatedBy{
+					Connector: &types.ConnectorRef{},
+				})
+				_, err = authServer.UpsertUser(ctx, user)
+				require.NoError(t, err, "UpsertUser")
+				_, err = RegisterTestDevice(
+					ctx, userClient, "another-dev", proto.DeviceType_DEVICE_TYPE_TOTP, pwdlessDev, WithTestDeviceClock(clock))
+				require.NoError(t, err, "RegisterTestDevice")
+			},
+			checkErr: require.NoError,
+		},
 		{
 			name: "fails even if there is password, but no other MFAs",
 			setup: func(t *testing.T, username string, userClient *authclient.Client, pwdlessDev *TestDevice) {