[server][auth][config] Add warning about cross-provider impersonation [#43]

server/internal/auth/auth.go

@@ -85,6 +85,16 @@ func Initialize(cfg Config, log zerolog.Logger) error {
 		}
 	}
 
+	methods := len(cfg.OpenID.Clients)
+	if passwordBackend != nil || magicLinksEnabled {
+		methods += 1
+	}
+
+	if methods > 1 && !cfg.SuppressMultiProviderWarning {
+		log.Warn().Msg("Using multiple login providers can lead to cross-provider impersonation " +
+			"if email addresses are not guaranteed to belong to the same user across the different providers")
+	}
+
 	return openid.Init(cfg.OpenID, log)
 }
 

server/internal/auth/config.go

@@ -7,10 +7,11 @@ import (
 )
 
 type Config struct {
-	AutoCreate []string       `koanf:"auto_create"`
-	Password   PasswordConfig `koanf:"password"`
-	MagicLinks bool           `koanf:"magic_links"`
-	OpenID     openid.Config  `koanf:"openid"`
+	AutoCreate                   []string       `koanf:"auto_create"`
+	SuppressMultiProviderWarning bool           `koanf:"suppress_multi_provider_warning"`
+	Password                     PasswordConfig `koanf:"password"`
+	MagicLinks                   bool           `koanf:"magic_links"`
+	OpenID                       openid.Config  `koanf:"openid"`
 }
 
 type PasswordConfig struct {

server/internal/command/config.defaults.yml

@@ -25,11 +25,18 @@ core:
         salt: 32
         key: 32
 
+## Warning: it is recommended to avoid using a combination of email-based
+## (password/magic links) and oidc login providers, or more than one
+## OIDC provider, as it can lead to impersonation if the email addresses
+## across all of these providers are not verified or are not guaranteed
+## to belong to the same user. Take a look at
+## https://pushsecurity.com/blog/cross-idp-impersonation/ for more details.
 auth:
   auto_create:
     # - "*@example.com"
     # - "user@example.com"
     # - "user*@example.com"
+  suppress_multi_provider_warning: false
   magic_links: true
   password:
     # backend is one of crypt, ldap, or none