Added origin configuration to authc providers. Changed login form to filter available providers based on the origin configuration and the current browser window origin. Also filtered available providers based on the origin header and the configured provider origin properties

Author: rgodfrey-elastic

docs/reference/configuration-reference/security-settings.md

@@ -74,6 +74,9 @@ xpack.security.authc.providers.<provider-type>.<provider-name>.hint ![logo cloud
 xpack.security.authc.providers.<provider-type>.<provider-name>.icon ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ech}}")
 :   Custom icon for the provider entry displayed on the Login Selector UI.
 
+xpack.security.authc.providers.<provider-type>.<provider-name>.origin ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ech}}")
+:   TODO
+
 xpack.security.authc.providers.<provider-type>.<provider-name>.showInSelector ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ech}}")
 :   Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to `false` doesn’t remove the provider from the authentication chain.
 

x-pack/platform/plugins/shared/security/common/login_state.ts

@@ -15,6 +15,7 @@ export interface LoginSelectorProvider {
   description?: string;
   hint?: string;
   icon?: string;
+  origin?: string | string[];
 }
 
 export interface LoginSelector {

x-pack/platform/plugins/shared/security/public/authentication/login/components/login_form/login_form.tsx

@@ -133,6 +133,11 @@ const assistanceCss = (theme: UseEuiTheme) => css`
 export class LoginForm extends Component<LoginFormProps, State> {
   private readonly validator: LoginValidator;
 
+  /**
+   * Available providers that match the current origin.
+   */
+  private readonly availableProviders: LoginSelectorProvider[];
+
   /**
    * Optional provider that was suggested by the `auth_provider_hint={providerName}` query string parameter. If provider
    * doesn't require Kibana native login form then login process is triggered automatically, otherwise Login Selector
@@ -142,10 +147,15 @@ export class LoginForm extends Component<LoginFormProps, State> {
 
   constructor(props: LoginFormProps) {
     super(props);
+
+    this.availableProviders = this.props.selector.providers.filter((provider) =>
+      this.providerMatchesOrigin(provider)
+    );
+
     this.validator = new LoginValidator({ shouldValidate: false });
 
     this.suggestedProvider = this.props.authProviderHint
-      ? this.props.selector.providers.find(({ name }) => name === this.props.authProviderHint)
+      ? this.availableProviders.find(({ name }) => name === this.props.authProviderHint)
       : undefined;
 
     // Switch to the Form mode right away if provider from the hint requires it.
@@ -158,7 +168,14 @@ export class LoginForm extends Component<LoginFormProps, State> {
       loadingState: { type: LoadingStateType.None },
       username: '',
       password: '',
-      message: this.props.message || { type: MessageType.None },
+      message:
+        this.props.message ??
+        (this.availableProviders.length === 0
+          ? {
+              type: MessageType.Danger,
+              content: 'No authentication providers have been configured for this domain.',
+            }
+          : { type: MessageType.None }),
       mode,
       previousMode: mode,
     };
@@ -236,6 +253,10 @@ export class LoginForm extends Component<LoginFormProps, State> {
   };
 
   public renderContent() {
+    if (this.availableProviders.length === 0) {
+      return;
+    }
+
     switch (this.state.mode) {
       case PageMode.Form:
         return this.renderLoginForm();
@@ -339,7 +360,8 @@ export class LoginForm extends Component<LoginFormProps, State> {
   };
 
   private renderSelector = () => {
-    const providers = this.props.selector.providers.filter((p) => p.showInSelector);
+    const providers = this.availableProviders.filter((p) => p.showInSelector);
+
     return (
       <EuiPanel data-test-subj="loginSelector" paddingSize="none">
         {providers.map((provider) => {
@@ -513,9 +535,7 @@ export class LoginForm extends Component<LoginFormProps, State> {
     });
 
     // We try to log in with the provider that uses login form and has the lowest order.
-    const providerToLoginWith = this.props.selector.providers.find(
-      (provider) => provider.usesLoginForm
-    )!;
+    const providerToLoginWith = this.availableProviders.find((provider) => provider.usesLoginForm)!;
 
     try {
       const { location } = await this.props.http.post<{ location: string }>(
@@ -603,9 +623,17 @@ export class LoginForm extends Component<LoginFormProps, State> {
   private showLoginSelector() {
     return (
       this.props.selector.enabled &&
-      this.props.selector.providers.some(
-        (provider) => !provider.usesLoginForm && provider.showInSelector
-      )
+      this.availableProviders.some((provider) => !provider.usesLoginForm && provider.showInSelector)
+    );
+  }
+
+  private providerMatchesOrigin(provider: LoginSelectorProvider): boolean {
+    const { origin } = window.location;
+    return (
+      !provider.origin ||
+      (Array.isArray(provider.origin)
+        ? provider.origin.includes(origin)
+        : provider.origin === origin)
     );
   }
 }

x-pack/platform/plugins/shared/security/server/authentication/authenticator.ts

@@ -273,6 +273,7 @@ export class Authenticator {
               name,
               logger: options.loggers.get(type, name),
               urls: { loggedOut: (request: KibanaRequest) => this.getLoggedOutURL(request, type) },
+              origin: this.options.config.authc.providers[type]?.[name].origin,
             }),
             this.options.config.authc.providers[type]?.[name]
           ),
@@ -336,7 +337,32 @@ export class Authenticator {
       return AuthenticationResult.notHandled();
     }
 
-    for (const [providerName, provider] of providers) {
+    const { origin: originHeader } = request.headers;
+
+    const filteredProviders = providers.filter(([name, provider]) => {
+      const providerOrigin = provider.getOrigin();
+
+      return (
+        !originHeader ||
+        !providerOrigin ||
+        (Array.isArray(providerOrigin)
+          ? providerOrigin.includes(originHeader as string)
+          : providerOrigin === originHeader)
+      );
+    });
+
+    if (filteredProviders.length === 0) {
+      this.logger.warn(
+        `Login attempt for provider with ${
+          isLoginAttemptWithProviderName(attempt)
+            ? `name ${attempt.provider.name}`
+            : `type "${(attempt.provider as Record<string, string>).type}"`
+        } is detected, but originated from an invalid origin.`
+      );
+      return AuthenticationResult.notHandled();
+    }
+
+    for (const [providerName, provider] of filteredProviders) {
       // Check if current session has been set by this provider.
       const ownsSession =
         existingSessionValue?.provider.name === providerName &&

x-pack/platform/plugins/shared/security/server/authentication/providers/base.ts

@@ -41,6 +41,7 @@ export interface AuthenticationProviderOptions {
     loggedOut: (request: KibanaRequest) => string;
   };
   isElasticCloudDeployment: () => boolean;
+  origin?: string | string[];
 }
 
 /**
@@ -147,4 +148,11 @@ export abstract class BaseAuthenticationProvider {
         authenticationInfo.authentication_realm.name === ELASTIC_CLOUD_SSO_REALM_NAME,
     } as AuthenticatedUser);
   }
+
+  /**
+   * Returns the origin option associated with the provider.
+   */
+  getOrigin(): string | string[] | undefined {
+    return this.options.origin;
+  }
 }

x-pack/platform/plugins/shared/security/server/config.ts

@@ -28,6 +28,7 @@ interface ProvidersCommonConfigType {
   description?: Type<string>;
   hint?: Type<string>;
   icon?: Type<string>;
+  origin?: Type<string[] | string>;
   session?: Type<{ idleTimeout?: Duration | null; lifespan?: Duration | null }>;
 }
 
@@ -49,6 +50,7 @@ function getCommonProviderSchemaProperties(overrides: Partial<ProvidersCommonCon
     description: schema.maybe(schema.string()),
     hint: schema.maybe(schema.string()),
     icon: schema.maybe(schema.string()),
+    origin: schema.maybe(schema.oneOf([schema.uri(), schema.arrayOf(schema.uri())])),
     accessAgreement: schema.maybe(schema.object({ message: schema.string() })),
     session: schema.object({
       idleTimeout: schema.maybe(schema.oneOf([schema.duration(), schema.literal(null)])),

x-pack/platform/plugins/shared/security/server/routes/views/login.ts

@@ -85,7 +85,9 @@ export function defineLoginRoutes({
       const providers = sortedProviders.map(({ type, name }) => {
         // Since `config.authc.sortedProviders` is based on `config.authc.providers` config we can
         // be sure that config is present for every provider in `config.authc.sortedProviders`.
-        const { showInSelector, description, hint, icon } = config.authc.providers[type]?.[name]!;
+
+        const { showInSelector, description, hint, icon, origin } =
+          config.authc.providers[type]?.[name]!;
         const usesLoginForm = shouldProviderUseLoginForm(type);
         return {
           type,
@@ -95,6 +97,7 @@ export function defineLoginRoutes({
           description,
           hint,
           icon,
+          origin,
         };
       });