From af16a58c25ca1e68d5ae721d54324ea925cf7be7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joel=20Wejdenst=C3=A5l?=
Date: Wed, 6 Apr 2022 17:26:30 +0200
Subject: [PATCH] make comment clearer
---
 lib/auth/auth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index e6024b9f63617..9782741208952 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -1042,13 +1042,17 @@ func (a *Server) generateUserCert(req certRequest) (*proto.Certs, error) {
 return nil, trace.Wrap(err)
 }
 
+ // Add the special join-only principal used for joining sessions.
+ // All users have access to this and join RBAC rules are checked after the connection is established.
+ allowedLogins = append(allowedLogins, "-teleport-internal-join")
+
 params := services.UserCertParams{
 CASigner: caSigner,
 CASigningAlg: sshutils.GetSigningAlgName(userCA),
 PublicUserKey: req.publicKey,
 Username: req.user.GetName(),
 Impersonator: req.impersonator,
- AllowedLogins: append(allowedLogins, "-teleport-internal-join"),
+ AllowedLogins: allowedLogins,
 TTL: sessionTTL,
 Roles: req.checker.RoleNames(),
 CertificateFormat: certificateFormat,
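Review bot: Reassigning `allowedLogins` means every later use of that variable in generateUserCert (the body continues outside this hunk) now sees the join-only principal, whereas the old code added it only to the `AllowedLogins` field. If anything below treats the login list as an authorization signal (an emptiness check, an audit field, a comparison against role logins), it should be confirmed unaffected. Because this principal is issued to every user unconditionally, the comment should also spell out the invariant the certificate depends on, for example `// The SSH server must accept this principal only for session join and enforce join RBAC there; it must never map to a host login.`, assuming that is how the node side treats it. The literal `"-teleport-internal-join"` would be safer as a single named constant shared by the issuing and checking code so the two cannot drift apart.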