Teleport Connect should not replace AccessDenied error messages with generic "access denied"

[stevenGravy]

Expected behavior:

Users would receive the same message in Web UI, tsh and Teleport Connect for login failures.

Current behavior:

Teleport Connect gives 7 PERMISSION_DENIED: access denied vs invalid credentials. This is potentially confusing to users that they're denied access vs they have invalid credentials.

Bug details:

• Teleport version: 14.0.0
• Recreation steps

Attempt a local login with invalid password in Teleport connect, Web UI and tsh.

[ravicious]

This is because the gRPC middleware in the tsh daemon is hardcoded to always return just "access denied" on trace.IsAccessDenied.

teleport/lib/teleterm/apiserver/middleware.go

Lines 39 to 41 in 818d9ed

	// do not return a full error stack on access denied errors
	if trace.IsAccessDenied(err) {
	return resp, trail.ToGRPC(trace.AccessDenied("access denied"))

I'm not sure why this was done, I don't think any of our clients has similar behavior. Since error classes & gRPC status codes are not persisted by the time this error is processed by the UI, perhaps it was a workaround to be able to detect access denied errors in the UI code.

Fixing this would require addressing #30753 and returning a custom wrapper for errors so that we can inspect status codes. Otherwise we won't have a reliable way to detect access denied errors, which we do have today because of that hardcoded "access denied" string.

[ravicious]

With the MFA support for kube access and administrative actions, when an incorrect TOTP is entered, the backend returns access denied with a message about TOTP being incorrect. But because Connect completely removes messages from access denied errors, the user will simply see "Access Denied" instead of a meaningful message.

---

Trying to approve an access request with second factor set to optional. #36664 (comment)