Authorizing web session doesn't work when a users's role has short TTL

[gzdunek]

Expected behavior:
Web session is authorized with device trust.

Current behavior:
Web session is not authorized when the user has short TTL set on a role.

Bug details:

• Teleport version
  17.0.2
• Recreation steps

1. Enable device trust requirement for the user and enroll a device.
2. Add a new role and assign it to the user:

kind: role
metadata:
  name: short_ttl
spec:
  allow: {}
  deny: {}
  options:
    max_session_ttl: 3m2s
version: v7

3. Try to authorize the web session by confirming the popup in Connect, it should work at this point.
4. Now, change max_session_ttl to 3m1s, logout in Web UI, and try to authorize the web session again.
5. It should fail (you should see a yellow shied in the top right corner).

• Debug logs
  In the audit log there is a following entry:

{
  "cluster_name": "main",
  "code": "TV009I",
  "device": {
    "device_id": "<device-id>",
    "web_authentication_id": "<authentication-id>"
  },
  "ei": 0,
  "event": "device.authenticate.confirm",
  "message": "token move check failed",
  "success": false,
  "time": "2024-12-02T13:28:55.617Z",
  "uid": "ae2e8b0d-cd8c-4cc9-87f1-356f54f175c2",
  "user": "testuser"
}

[codingllama]

What is happening here is that, because the max TTL is so small, the session is renewed almost immediately by the Web UI. The token move check wants to see a confirmation in the same session that created the token, sees the new session and fails.

teleport/web/packages/teleport/src/services/websession/websession.ts

Line 31 in 911f3e3

const RENEW_TOKEN_TIME = 180 * 1000;

I'll see what we can do.

[codingllama]

After spending some time looking at alternatives I don't think this is a device trust per-se, so I've lowered the renewal interval for sessions with TTL <=3m instead.

[zmb3]

@codingllama are we good to close this one?

[codingllama]

Yes, we can! Thanks.