grpc: rename internal/grpc to pkg/grpc (#1010)

* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line

.gitignore

@@ -36,7 +36,6 @@ _testmain.go
 
 # Other dirs
 /bin/
-/pkg/
 
 # Without this, the *.[568vq] above ignores this folder.
 !**/graphrbac/1.6

.pre-commit-config.yaml

@@ -18,3 +18,4 @@ repos:
         entry: make
         args: ["lint"]
         types: ["go"]
+        pass_filenames: false

authenticate/authenticate.go

@@ -19,10 +19,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding/ecjson"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/frontend"
-	"github.com/pomerium/pomerium/internal/grpc"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/identity/oauth"
@@ -32,6 +28,10 @@ import (
 	"github.com/pomerium/pomerium/internal/sessions/header"
 	"github.com/pomerium/pomerium/internal/sessions/queryparam"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 // ValidateOptions checks that configuration are complete and valid.

authenticate/handlers.go

@@ -20,9 +20,6 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/pomerium/pomerium/internal/cryptutil"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
-	"github.com/pomerium/pomerium/internal/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/identity/manager"
 	"github.com/pomerium/pomerium/internal/identity/oidc"
@@ -31,6 +28,9 @@ import (
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 // Handler returns the authenticate service's handler chain.

authenticate/handlers_test.go

@@ -19,8 +19,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/encoding/mock"
 	"github.com/pomerium/pomerium/internal/frontend"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/identity/oidc"
@@ -28,6 +26,8 @@ import (
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	mstore "github.com/pomerium/pomerium/internal/sessions/mock"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
 
 	"github.com/golang/mock/gomock"
 	"github.com/golang/protobuf/ptypes"

authorize/authorize.go

@@ -2,8 +2,6 @@
 // if a given request should be authorized (AuthZ).
 package authorize
 
-//go:generate ../scripts/protoc -I ../internal/grpc/authorize/ --go_out=plugins=grpc:../internal/grpc/authorize/ ../internal/grpc/authorize/authorize.proto
-
 import (
 	"context"
 	"fmt"
@@ -17,12 +15,12 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/frontend"
-	"github.com/pomerium/pomerium/internal/grpc"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 type atomicOptions struct {

authorize/evaluator/evaluator.go

@@ -24,10 +24,10 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/directory"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 const (

authorize/evaluator/evaluator_test.go

@@ -14,10 +14,10 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
-	"github.com/pomerium/pomerium/internal/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 func TestJSONMarshal(t *testing.T) {

authorize/evaluator/mock_evaluator/mock.go

@@ -1,64 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/pomerium/pomerium/authorize/evaluator (interfaces: Evaluator)
-
-// Package mock_evaluator is a generated GoMock package.
-package mock_evaluator
-
-import (
-	context "context"
-	gomock "github.com/golang/mock/gomock"
-	authorize "github.com/pomerium/pomerium/internal/grpc/authorize"
-	reflect "reflect"
-)
-
-// MockEvaluator is a mock of Evaluator interface
-type MockEvaluator struct {
-	ctrl     *gomock.Controller
-	recorder *MockEvaluatorMockRecorder
-}
-
-// MockEvaluatorMockRecorder is the mock recorder for MockEvaluator
-type MockEvaluatorMockRecorder struct {
-	mock *MockEvaluator
-}
-
-// NewMockEvaluator creates a new mock instance
-func NewMockEvaluator(ctrl *gomock.Controller) *MockEvaluator {
-	mock := &MockEvaluator{ctrl: ctrl}
-	mock.recorder = &MockEvaluatorMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockEvaluator) EXPECT() *MockEvaluatorMockRecorder {
-	return m.recorder
-}
-
-// IsAuthorized mocks base method
-func (m *MockEvaluator) IsAuthorized(arg0 context.Context, arg1 interface{}) (*authorize.IsAuthorizedReply, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "IsAuthorized", arg0, arg1)
-	ret0, _ := ret[0].(*authorize.IsAuthorizedReply)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// IsAuthorized indicates an expected call of IsAuthorized
-func (mr *MockEvaluatorMockRecorder) IsAuthorized(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsAuthorized", reflect.TypeOf((*MockEvaluator)(nil).IsAuthorized), arg0, arg1)
-}
-
-// PutData mocks base method
-func (m *MockEvaluator) PutData(arg0 context.Context, arg1 map[string]interface{}) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "PutData", arg0, arg1)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// PutData indicates an expected call of PutData
-func (mr *MockEvaluatorMockRecorder) PutData(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PutData", reflect.TypeOf((*MockEvaluator)(nil).PutData), arg0, arg1)
-}

authorize/grpc.go

@@ -11,14 +11,14 @@ import (
 	"github.com/rs/zerolog"
 
 	"github.com/pomerium/pomerium/authorize/evaluator"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/telemetry/requestid"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 
 	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"

authorize/run.go

@@ -11,8 +11,8 @@ import (
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/protobuf/types/known/emptypb"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // Run runs the authorize server.

cache/cache.go

@@ -14,13 +14,13 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/directory"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/identity/manager"
 	"github.com/pomerium/pomerium/internal/telemetry"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 // Cache represents the cache service. The cache service is a simple interface

cache/databroker.go

@@ -4,7 +4,7 @@ import (
 	"google.golang.org/grpc"
 
 	"github.com/pomerium/pomerium/internal/databroker/memory"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // A DataBrokerServer implements the data broker service interface.

cache/session.go

@@ -7,10 +7,10 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
 )
 
 // SessionServer implements the session service interface for adding and syncing sessions.

cache/user.go

@@ -7,10 +7,10 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 // UserServer implements the user service interface for syncing users.

docs/configuration/readme.md

@@ -796,11 +796,11 @@ The data broker service URL points to a data broker which is responsible for sto
 
 To create your own data broker, implement the following gRPC interface:
 
-- [internal/grpc/databroker/databroker.proto](https://github.com/pomerium/pomerium/blob/master/internal/grpc/databroker/databroker.proto)
+- [pkg/grpc/databroker/databroker.proto](https://github.com/pomerium/pomerium/blob/master/pkg/grpc/databroker/databroker.proto)
 
 For an example implementation, the in-memory database used by the cache service can be found here:
 
-- [internal/databroker/memory](https://github.com/pomerium/pomerium/tree/master/internal/databroker/memory)
+- [pkg/databroker/memory](https://github.com/pomerium/pomerium/tree/master/pkg/databroker/memory)
 
 ## Policy
 

docs/docs/upgrading.md

@@ -24,7 +24,7 @@ more than one instance of the cache service is no longer supported, and restarti
 users having to re-login.
 
 If high availability or persistence is needed, there's a new
-[databroker gRPC interface](https://github.com/pomerium/pomerium/blob/master/internal/grpc/databroker/databroker.proto)
+[databroker gRPC interface](https://github.com/pomerium/pomerium/blob/master/pkg/grpc/databroker/databroker.proto)
 and `databroker_url` configuration option. For an example implementation, the in-memory database used by the cache
 service can be found here: [internal/databroker/memory](https://github.com/pomerium/pomerium/tree/master/internal/databroker/memory).
 

internal/databroker/memory/db.go

@@ -11,7 +11,7 @@ import (
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 type byIDRecord struct {

internal/databroker/memory/server.go

@@ -15,9 +15,9 @@ import (
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // Server implements the databroker service using an in memory database.

internal/directory/azure/azure.go

@@ -15,8 +15,8 @@ import (
 
 	"golang.org/x/oauth2"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // Name is the provider name.

internal/directory/azure/azure_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/go-chi/chi/middleware"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/pomerium/pomerium/internal/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 type M = map[string]interface{}

internal/directory/github/github.go

@@ -15,9 +15,9 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/tomnomnom/linkheader"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // Name is the provider name.

internal/directory/gitlab/gitlab.go

@@ -13,9 +13,9 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/tomnomnom/linkheader"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // Name is the provider name.

internal/directory/google/google.go

@@ -14,9 +14,9 @@ import (
 	admin "google.golang.org/api/admin/directory/v1"
 	"google.golang.org/api/option"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // Name is the provider name.

internal/directory/okta/okta.go

@@ -13,9 +13,9 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/tomnomnom/linkheader"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // Name is the provider name.

internal/directory/okta/okta_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/tomnomnom/linkheader"
 
-	"github.com/pomerium/pomerium/internal/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 type M = map[string]interface{}

internal/directory/onelogin/onelogin.go

@@ -16,9 +16,9 @@ import (
 	"github.com/rs/zerolog"
 	"golang.org/x/oauth2"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // Name is the provider name.

internal/directory/onelogin/onelogin_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/go-chi/chi/middleware"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/pomerium/pomerium/internal/grpc/directory"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 type M = map[string]interface{}

internal/directory/provider.go

@@ -12,8 +12,8 @@ import (
 	"github.com/pomerium/pomerium/internal/directory/google"
 	"github.com/pomerium/pomerium/internal/directory/okta"
 	"github.com/pomerium/pomerium/internal/directory/onelogin"
-	"github.com/pomerium/pomerium/internal/grpc/directory"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 )
 
 // A User is a directory User.

internal/grpc/authorize/authorize.pb.go

@@ -1,613 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// versions:
-// 	protoc-gen-go v1.24.0
-// 	protoc        v3.12.1
-// source: authorize.proto
-
-package authorize
-
-import (
-	context "context"
-	proto "github.com/golang/protobuf/proto"
-	grpc "google.golang.org/grpc"
-	codes "google.golang.org/grpc/codes"
-	status "google.golang.org/grpc/status"
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	reflect "reflect"
-	sync "sync"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-// This is a compile-time assertion that a sufficiently up-to-date version
-// of the legacy proto package is being used.
-const _ = proto.ProtoPackageIsVersion4
-
-type IsAuthorizedRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// User Context
-	//
-	UserToken string `protobuf:"bytes,1,opt,name=user_token,json=userToken,proto3" json:"user_token,omitempty"`
-	// Request Context
-	//
-	// Method specifies the HTTP method (GET, POST, PUT, etc.).
-	RequestMethod string `protobuf:"bytes,2,opt,name=request_method,json=requestMethod,proto3" json:"request_method,omitempty"`
-	// URL specifies either the URI being requested
-	RequestUrl string `protobuf:"bytes,3,opt,name=request_url,json=requestUrl,proto3" json:"request_url,omitempty"`
-	// host specifies the host on which the URL per RFC 7230, section 5.4
-	RequestHost string `protobuf:"bytes,4,opt,name=request_host,json=requestHost,proto3" json:"request_host,omitempty"`
-	// request_uri is the unmodified request-target of the
-	// Request-Line (RFC 7230, Section 3.1.1) as sent by the client
-	RequestRequestUri string `protobuf:"bytes,5,opt,name=request_request_uri,json=requestRequestUri,proto3" json:"request_request_uri,omitempty"`
-	// RemoteAddr allows HTTP servers and other software to record
-	// the network address that sent the request, usually for
-	RequestRemoteAddr string                                  `protobuf:"bytes,6,opt,name=request_remote_addr,json=requestRemoteAddr,proto3" json:"request_remote_addr,omitempty"`
-	RequestHeaders    map[string]*IsAuthorizedRequest_Headers `protobuf:"bytes,7,rep,name=request_headers,json=requestHeaders,proto3" json:"request_headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-}
-
-func (x *IsAuthorizedRequest) Reset() {
-	*x = IsAuthorizedRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_authorize_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *IsAuthorizedRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*IsAuthorizedRequest) ProtoMessage() {}
-
-func (x *IsAuthorizedRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_authorize_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use IsAuthorizedRequest.ProtoReflect.Descriptor instead.
-func (*IsAuthorizedRequest) Descriptor() ([]byte, []int) {
-	return file_authorize_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *IsAuthorizedRequest) GetUserToken() string {
-	if x != nil {
-		return x.UserToken
-	}
-	return ""
-}
-
-func (x *IsAuthorizedRequest) GetRequestMethod() string {
-	if x != nil {
-		return x.RequestMethod
-	}
-	return ""
-}
-
-func (x *IsAuthorizedRequest) GetRequestUrl() string {
-	if x != nil {
-		return x.RequestUrl
-	}
-	return ""
-}
-
-func (x *IsAuthorizedRequest) GetRequestHost() string {
-	if x != nil {
-		return x.RequestHost
-	}
-	return ""
-}
-
-func (x *IsAuthorizedRequest) GetRequestRequestUri() string {
-	if x != nil {
-		return x.RequestRequestUri
-	}
-	return ""
-}
-
-func (x *IsAuthorizedRequest) GetRequestRemoteAddr() string {
-	if x != nil {
-		return x.RequestRemoteAddr
-	}
-	return ""
-}
-
-func (x *IsAuthorizedRequest) GetRequestHeaders() map[string]*IsAuthorizedRequest_Headers {
-	if x != nil {
-		return x.RequestHeaders
-	}
-	return nil
-}
-
-type IsAuthorizedReply struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Allow          bool        `protobuf:"varint,1,opt,name=allow,proto3" json:"allow,omitempty"`
-	SessionExpired bool        `protobuf:"varint,2,opt,name=session_expired,json=sessionExpired,proto3" json:"session_expired,omitempty"` // special case
-	DenyReasons    []string    `protobuf:"bytes,3,rep,name=deny_reasons,json=denyReasons,proto3" json:"deny_reasons,omitempty"`
-	SignedJwt      string      `protobuf:"bytes,4,opt,name=signed_jwt,json=signedJwt,proto3" json:"signed_jwt,omitempty"`
-	User           string      `protobuf:"bytes,5,opt,name=user,proto3" json:"user,omitempty"`
-	Email          string      `protobuf:"bytes,6,opt,name=email,proto3" json:"email,omitempty"`
-	Groups         []string    `protobuf:"bytes,7,rep,name=groups,proto3" json:"groups,omitempty"`
-	HttpStatus     *HTTPStatus `protobuf:"bytes,8,opt,name=http_status,json=httpStatus,proto3" json:"http_status,omitempty"`
-}
-
-func (x *IsAuthorizedReply) Reset() {
-	*x = IsAuthorizedReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_authorize_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *IsAuthorizedReply) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*IsAuthorizedReply) ProtoMessage() {}
-
-func (x *IsAuthorizedReply) ProtoReflect() protoreflect.Message {
-	mi := &file_authorize_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use IsAuthorizedReply.ProtoReflect.Descriptor instead.
-func (*IsAuthorizedReply) Descriptor() ([]byte, []int) {
-	return file_authorize_proto_rawDescGZIP(), []int{1}
-}
-
-func (x *IsAuthorizedReply) GetAllow() bool {
-	if x != nil {
-		return x.Allow
-	}
-	return false
-}
-
-func (x *IsAuthorizedReply) GetSessionExpired() bool {
-	if x != nil {
-		return x.SessionExpired
-	}
-	return false
-}
-
-func (x *IsAuthorizedReply) GetDenyReasons() []string {
-	if x != nil {
-		return x.DenyReasons
-	}
-	return nil
-}
-
-func (x *IsAuthorizedReply) GetSignedJwt() string {
-	if x != nil {
-		return x.SignedJwt
-	}
-	return ""
-}
-
-func (x *IsAuthorizedReply) GetUser() string {
-	if x != nil {
-		return x.User
-	}
-	return ""
-}
-
-func (x *IsAuthorizedReply) GetEmail() string {
-	if x != nil {
-		return x.Email
-	}
-	return ""
-}
-
-func (x *IsAuthorizedReply) GetGroups() []string {
-	if x != nil {
-		return x.Groups
-	}
-	return nil
-}
-
-func (x *IsAuthorizedReply) GetHttpStatus() *HTTPStatus {
-	if x != nil {
-		return x.HttpStatus
-	}
-	return nil
-}
-
-type HTTPStatus struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Code    int32             `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"`
-	Message string            `protobuf:"bytes,2,opt,name=message,proto3" json:"message,omitempty"`
-	Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-}
-
-func (x *HTTPStatus) Reset() {
-	*x = HTTPStatus{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_authorize_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *HTTPStatus) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*HTTPStatus) ProtoMessage() {}
-
-func (x *HTTPStatus) ProtoReflect() protoreflect.Message {
-	mi := &file_authorize_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use HTTPStatus.ProtoReflect.Descriptor instead.
-func (*HTTPStatus) Descriptor() ([]byte, []int) {
-	return file_authorize_proto_rawDescGZIP(), []int{2}
-}
-
-func (x *HTTPStatus) GetCode() int32 {
-	if x != nil {
-		return x.Code
-	}
-	return 0
-}
-
-func (x *HTTPStatus) GetMessage() string {
-	if x != nil {
-		return x.Message
-	}
-	return ""
-}
-
-func (x *HTTPStatus) GetHeaders() map[string]string {
-	if x != nil {
-		return x.Headers
-	}
-	return nil
-}
-
-// headers represents key-value pairs in an HTTP header; map[string][]string
-type IsAuthorizedRequest_Headers struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Value []string `protobuf:"bytes,1,rep,name=value,proto3" json:"value,omitempty"`
-}
-
-func (x *IsAuthorizedRequest_Headers) Reset() {
-	*x = IsAuthorizedRequest_Headers{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_authorize_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *IsAuthorizedRequest_Headers) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*IsAuthorizedRequest_Headers) ProtoMessage() {}
-
-func (x *IsAuthorizedRequest_Headers) ProtoReflect() protoreflect.Message {
-	mi := &file_authorize_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use IsAuthorizedRequest_Headers.ProtoReflect.Descriptor instead.
-func (*IsAuthorizedRequest_Headers) Descriptor() ([]byte, []int) {
-	return file_authorize_proto_rawDescGZIP(), []int{0, 0}
-}
-
-func (x *IsAuthorizedRequest_Headers) GetValue() []string {
-	if x != nil {
-		return x.Value
-	}
-	return nil
-}
-
-var File_authorize_proto protoreflect.FileDescriptor
-
-var file_authorize_proto_rawDesc = []byte{
-	0x0a, 0x0f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x22, 0xe8, 0x03, 0x0a,
-	0x13, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x6f, 0x6b,
-	0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, 0x72, 0x54, 0x6f,
-	0x6b, 0x65, 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6d,
-	0x65, 0x74, 0x68, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0a, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x21, 0x0a, 0x0c, 0x72,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0b, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x6f, 0x73, 0x74, 0x12, 0x2e,
-	0x0a, 0x13, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x55, 0x72, 0x69, 0x12, 0x2e,
-	0x0a, 0x13, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65,
-	0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x41, 0x64, 0x64, 0x72, 0x12, 0x5b,
-	0x0a, 0x0f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
-	0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
-	0x69, 0x7a, 0x65, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48,
-	0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0e, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x1a, 0x1f, 0x0a, 0x07, 0x48,
-	0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x1a, 0x69, 0x0a, 0x13,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e,
-	0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x3c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65,
-	0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x52, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x8e, 0x02, 0x0a, 0x11, 0x49, 0x73, 0x41, 0x75,
-	0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x14, 0x0a,
-	0x05, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x61, 0x6c,
-	0x6c, 0x6f, 0x77, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x65,
-	0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x73, 0x65,
-	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x21, 0x0a, 0x0c,
-	0x64, 0x65, 0x6e, 0x79, 0x5f, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03,
-	0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x6e, 0x79, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x73, 0x12,
-	0x1d, 0x0a, 0x0a, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x6a, 0x77, 0x74, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x4a, 0x77, 0x74, 0x12, 0x12,
-	0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x73,
-	0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x67, 0x72, 0x6f, 0x75,
-	0x70, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73,
-	0x12, 0x36, 0x0a, 0x0b, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
-	0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
-	0x65, 0x2e, 0x48, 0x54, 0x54, 0x50, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x0a, 0x68, 0x74,
-	0x74, 0x70, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0xb4, 0x01, 0x0a, 0x0a, 0x48, 0x54, 0x54,
-	0x50, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x3c, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73,
-	0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x65, 0x2e, 0x48, 0x54, 0x54, 0x50, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x48, 0x65,
-	0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64,
-	0x65, 0x72, 0x73, 0x1a, 0x3a, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e,
-	0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x32,
-	0x5c, 0x0a, 0x0a, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x72, 0x12, 0x4e, 0x0a,
-	0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x1e, 0x2e,
-	0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e,
-	0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
-
-var (
-	file_authorize_proto_rawDescOnce sync.Once
-	file_authorize_proto_rawDescData = file_authorize_proto_rawDesc
-)
-
-func file_authorize_proto_rawDescGZIP() []byte {
-	file_authorize_proto_rawDescOnce.Do(func() {
-		file_authorize_proto_rawDescData = protoimpl.X.CompressGZIP(file_authorize_proto_rawDescData)
-	})
-	return file_authorize_proto_rawDescData
-}
-
-var file_authorize_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
-var file_authorize_proto_goTypes = []interface{}{
-	(*IsAuthorizedRequest)(nil),         // 0: authorize.IsAuthorizedRequest
-	(*IsAuthorizedReply)(nil),           // 1: authorize.IsAuthorizedReply
-	(*HTTPStatus)(nil),                  // 2: authorize.HTTPStatus
-	(*IsAuthorizedRequest_Headers)(nil), // 3: authorize.IsAuthorizedRequest.Headers
-	nil,                                 // 4: authorize.IsAuthorizedRequest.RequestHeadersEntry
-	nil,                                 // 5: authorize.HTTPStatus.HeadersEntry
-}
-var file_authorize_proto_depIdxs = []int32{
-	4, // 0: authorize.IsAuthorizedRequest.request_headers:type_name -> authorize.IsAuthorizedRequest.RequestHeadersEntry
-	2, // 1: authorize.IsAuthorizedReply.http_status:type_name -> authorize.HTTPStatus
-	5, // 2: authorize.HTTPStatus.headers:type_name -> authorize.HTTPStatus.HeadersEntry
-	3, // 3: authorize.IsAuthorizedRequest.RequestHeadersEntry.value:type_name -> authorize.IsAuthorizedRequest.Headers
-	0, // 4: authorize.Authorizer.IsAuthorized:input_type -> authorize.IsAuthorizedRequest
-	1, // 5: authorize.Authorizer.IsAuthorized:output_type -> authorize.IsAuthorizedReply
-	5, // [5:6] is the sub-list for method output_type
-	4, // [4:5] is the sub-list for method input_type
-	4, // [4:4] is the sub-list for extension type_name
-	4, // [4:4] is the sub-list for extension extendee
-	0, // [0:4] is the sub-list for field type_name
-}
-
-func init() { file_authorize_proto_init() }
-func file_authorize_proto_init() {
-	if File_authorize_proto != nil {
-		return
-	}
-	if !protoimpl.UnsafeEnabled {
-		file_authorize_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*IsAuthorizedRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_authorize_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*IsAuthorizedReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_authorize_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*HTTPStatus); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_authorize_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*IsAuthorizedRequest_Headers); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_authorize_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   6,
-			NumExtensions: 0,
-			NumServices:   1,
-		},
-		GoTypes:           file_authorize_proto_goTypes,
-		DependencyIndexes: file_authorize_proto_depIdxs,
-		MessageInfos:      file_authorize_proto_msgTypes,
-	}.Build()
-	File_authorize_proto = out.File
-	file_authorize_proto_rawDesc = nil
-	file_authorize_proto_goTypes = nil
-	file_authorize_proto_depIdxs = nil
-}
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ context.Context
-var _ grpc.ClientConnInterface
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the grpc package it is being compiled against.
-const _ = grpc.SupportPackageIsVersion6
-
-// AuthorizerClient is the client API for Authorizer service.
-//
-// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
-type AuthorizerClient interface {
-	IsAuthorized(ctx context.Context, in *IsAuthorizedRequest, opts ...grpc.CallOption) (*IsAuthorizedReply, error)
-}
-
-type authorizerClient struct {
-	cc grpc.ClientConnInterface
-}
-
-func NewAuthorizerClient(cc grpc.ClientConnInterface) AuthorizerClient {
-	return &authorizerClient{cc}
-}
-
-func (c *authorizerClient) IsAuthorized(ctx context.Context, in *IsAuthorizedRequest, opts ...grpc.CallOption) (*IsAuthorizedReply, error) {
-	out := new(IsAuthorizedReply)
-	err := c.cc.Invoke(ctx, "/authorize.Authorizer/IsAuthorized", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// AuthorizerServer is the server API for Authorizer service.
-type AuthorizerServer interface {
-	IsAuthorized(context.Context, *IsAuthorizedRequest) (*IsAuthorizedReply, error)
-}
-
-// UnimplementedAuthorizerServer can be embedded to have forward compatible implementations.
-type UnimplementedAuthorizerServer struct {
-}
-
-func (*UnimplementedAuthorizerServer) IsAuthorized(context.Context, *IsAuthorizedRequest) (*IsAuthorizedReply, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method IsAuthorized not implemented")
-}
-
-func RegisterAuthorizerServer(s *grpc.Server, srv AuthorizerServer) {
-	s.RegisterService(&_Authorizer_serviceDesc, srv)
-}
-
-func _Authorizer_IsAuthorized_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(IsAuthorizedRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(AuthorizerServer).IsAuthorized(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/authorize.Authorizer/IsAuthorized",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(AuthorizerServer).IsAuthorized(ctx, req.(*IsAuthorizedRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-var _Authorizer_serviceDesc = grpc.ServiceDesc{
-	ServiceName: "authorize.Authorizer",
-	HandlerType: (*AuthorizerServer)(nil),
-	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "IsAuthorized",
-			Handler:    _Authorizer_IsAuthorized_Handler,
-		},
-	},
-	Streams:  []grpc.StreamDesc{},
-	Metadata: "authorize.proto",
-}

internal/grpc/authorize/authorize.proto

@@ -1,47 +0,0 @@
-syntax = "proto3";
-
-package authorize;
-
-service Authorizer {
-  rpc IsAuthorized(IsAuthorizedRequest) returns (IsAuthorizedReply) {}
-}
-
-message IsAuthorizedRequest {
-  // User Context
-  //
-  string user_token = 1;
-  // Request Context
-  //
-  // Method specifies the HTTP method (GET, POST, PUT, etc.).
-  string request_method = 2;
-  // URL specifies either the URI being requested
-  string request_url = 3;
-  // host specifies the host on which the URL per RFC 7230, section 5.4
-  string request_host = 4;
-  // request_uri is the unmodified request-target of the
-  // Request-Line (RFC 7230, Section 3.1.1) as sent by the client
-  string request_request_uri = 5;
-  // RemoteAddr allows HTTP servers and other software to record
-  // the network address that sent the request, usually for
-  string request_remote_addr = 6;
-  // headers represents key-value pairs in an HTTP header; map[string][]string
-  message Headers { repeated string value = 1; }
-  map<string, Headers> request_headers = 7;
-}
-
-message IsAuthorizedReply {
-  bool allow = 1;
-  bool session_expired = 2; // special case
-  repeated string deny_reasons = 3;
-  string signed_jwt = 4;
-  string user = 5;
-  string email = 6;
-  repeated string groups = 7;
-  HTTPStatus http_status = 8;
-}
-
-message HTTPStatus {
-  int32 code = 1;
-  string message = 2;
-  map<string, string> headers = 3;
-}

internal/grpc/authorize/client/authorize_client.go

@@ -1,67 +0,0 @@
-// Package client implements a gRPC client for the authorization service.
-package client
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/pomerium/pomerium/internal/grpc/authorize"
-	pb "github.com/pomerium/pomerium/internal/grpc/authorize"
-	"github.com/pomerium/pomerium/internal/telemetry/trace"
-
-	"google.golang.org/grpc"
-)
-
-// Authorizer provides the authorize service interface
-type Authorizer interface {
-	// Authorize takes a route and user session and returns whether the
-	// request is valid per access policy
-	Authorize(ctx context.Context, user string, r *http.Request) (*pb.IsAuthorizedReply, error)
-	// Close closes the auth connection if any.
-	Close() error
-}
-
-// Client is a gRPC implementation of an authenticator (authorize client)
-type Client struct {
-	conn   *grpc.ClientConn
-	client pb.AuthorizerClient
-}
-
-// New returns a new authorize service client.
-func New(conn *grpc.ClientConn) (p *Client, err error) {
-	return &Client{conn: conn, client: pb.NewAuthorizerClient(conn)}, nil
-}
-
-// Authorize takes a route and user session and returns whether the
-// request is valid per access policy
-func (c *Client) Authorize(ctx context.Context, user string, r *http.Request) (*pb.IsAuthorizedReply, error) {
-	ctx, span := trace.StartSpan(ctx, "grpc.authorize.client.Authorize")
-	defer span.End()
-	in := &pb.IsAuthorizedRequest{
-		UserToken:         user,
-		RequestHost:       r.Host,
-		RequestMethod:     r.Method,
-		RequestHeaders:    cloneHeaders(r.Header),
-		RequestRemoteAddr: r.RemoteAddr,
-		RequestRequestUri: r.RequestURI,
-		RequestUrl:        r.URL.String(),
-	}
-	return c.client.IsAuthorized(ctx, in)
-}
-
-// Close tears down the ClientConn and all underlying connections.
-func (c *Client) Close() error {
-	return c.conn.Close()
-}
-
-type protoHeader map[string]*authorize.IsAuthorizedRequest_Headers
-
-func cloneHeaders(in http.Header) protoHeader {
-	out := make(protoHeader, len(in))
-	for key, values := range in {
-		newValues := make([]string, len(values))
-		copy(newValues, values)
-		out[key] = &authorize.IsAuthorizedRequest_Headers{Value: newValues}
-	}
-	return out
-}

internal/grpc/authorize/client/mock.go

@@ -1,27 +0,0 @@
-package client
-
-import (
-	"context"
-	"net/http"
-
-	pb "github.com/pomerium/pomerium/internal/grpc/authorize"
-)
-
-var _ Authorizer = &MockAuthorize{}
-
-// MockAuthorize provides a mocked implementation of the authorizer interface.
-type MockAuthorize struct {
-	AuthorizeResponse *pb.IsAuthorizedReply
-	AuthorizeError    error
-	IsAdminResponse   bool
-	IsAdminError      error
-	CloseError        error
-}
-
-// Close is a mocked authorizer client function.
-func (a MockAuthorize) Close() error { return a.CloseError }
-
-// Authorize is a mocked authorizer client function.
-func (a MockAuthorize) Authorize(ctx context.Context, user string, r *http.Request) (*pb.IsAuthorizedReply, error) {
-	return a.AuthorizeResponse, a.AuthorizeError
-}

internal/identity/manager/data.go

@@ -8,8 +8,8 @@ import (
 	"github.com/google/btree"
 	"google.golang.org/protobuf/types/known/anypb"
 
-	"github.com/pomerium/pomerium/internal/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 // A User is a user managed by the Manager.

internal/identity/manager/data_test.go

@@ -11,7 +11,7 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 
-	"github.com/pomerium/pomerium/internal/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
 )
 
 func TestUser_UnmarshalJSON(t *testing.T) {

internal/identity/manager/manager.go

@@ -15,11 +15,11 @@ import (
 	"gopkg.in/tomb.v2"
 
 	"github.com/pomerium/pomerium/internal/directory"
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
-	"github.com/pomerium/pomerium/internal/grpc/session"
-	"github.com/pomerium/pomerium/internal/grpc/user"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/scheduler"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 // Authenticator is an identity.Provider with only the methods needed by the manager.

internal/identity/manager/misc.go

@@ -10,7 +10,7 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 
-	"github.com/pomerium/pomerium/internal/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
 )
 
 func toAny(value interface{}) (*anypb.Any, error) {

internal/sessions/state.go

@@ -9,7 +9,7 @@ import (
 
 	"gopkg.in/square/go-jose.v2/jwt"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // ErrMissingID is the error for a session state that has no ID set.

pkg/grpc/databroker/databroker.pb.go

@@ -783,11 +783,11 @@ var file_databroker_proto_rawDesc = []byte{
 	0x73, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1c, 0x2e, 0x64, 0x61, 0x74, 0x61,
 	0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x79, 0x70, 0x65, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x42, 0x37, 0x5a, 0x35, 0x67, 0x69, 0x74,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, 0x74,
 	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d,
-	0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+	0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72,
-	0x61, 0x6c, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b,
+	0x70, 0x63, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x62, 0x06, 0x70,
-	0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

pkg/grpc/databroker/databroker.proto

@@ -1,7 +1,7 @@
 syntax = "proto3";
 
 package databroker;
-option go_package = "github.com/pomerium/pomerium/internal/grpc/databroker";
+option go_package = "github.com/pomerium/pomerium/pkg/grpc/databroker";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/empty.proto";

pkg/grpc/directory/directory.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/golang/protobuf/ptypes"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // Get gets a directory user from the databroker.

pkg/grpc/directory/directory.pb.go

@@ -97,11 +97,11 @@ var file_directory_proto_rawDesc = []byte{
 	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e,
 	0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x16,
 	0x0a, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06,
-	0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
 	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f,
-	0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f,
+	0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f,
-	0x67, 0x72, 0x70, 0x63, 0x2f, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x62, 0x06,
+	0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x33,
 }
 
 var (

pkg/grpc/directory/directory.proto

@@ -1,7 +1,7 @@
 syntax = "proto3";
 
 package directory;
-option go_package = "github.com/pomerium/pomerium/internal/grpc/directory";
+option go_package = "github.com/pomerium/pomerium/pkg/grpc/directory";
 
 message User {
   string version = 1;

pkg/grpc/session/session.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/golang/protobuf/ptypes"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // Get gets a session from the databroker.

pkg/grpc/session/session.pb.go

@@ -504,11 +504,11 @@ var file_session_proto_rawDesc = []byte{
 	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x06, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x16,
 	0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52,
 	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x34,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x2f,
-	0x5a, 0x32, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d,
+	0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d,
-	0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x69,
+	0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70,
-	0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73,
+	0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x62,
-	0x73, 0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

pkg/grpc/session/session.proto

@@ -1,7 +1,7 @@
 syntax = "proto3";
 
 package session;
-option go_package = "github.com/pomerium/pomerium/internal/grpc/session";
+option go_package = "github.com/pomerium/pomerium/pkg/grpc/session";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/empty.proto";

pkg/grpc/user/user.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/golang/protobuf/ptypes"
 
-	"github.com/pomerium/pomerium/internal/grpc/databroker"
 	"github.com/pomerium/pomerium/internal/protoutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 // Get gets a user from the databroker.

pkg/grpc/user/user.pb.go

@@ -223,11 +223,10 @@ var file_user_proto_rawDesc = []byte{
 	0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2f, 0x0a, 0x03, 0x41, 0x64, 0x64,
 	0x12, 0x10, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x41, 0x64, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69,
 	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
-	0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72,
+	0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67,
-	0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x62, 0x06, 0x70,
+	0x72, 0x70, 0x63, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

pkg/grpc/user/user.proto

@@ -1,7 +1,7 @@
 syntax = "proto3";
 
 package user;
-option go_package = "github.com/pomerium/pomerium/internal/grpc/user";
+option go_package = "github.com/pomerium/pomerium/pkg/grpc/user";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/empty.proto";

proxy/handlers_test.go

@@ -17,8 +17,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/mock"
-	pb "github.com/pomerium/pomerium/internal/grpc/authorize"
-	"github.com/pomerium/pomerium/internal/grpc/authorize/client"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
@@ -133,16 +131,93 @@ func TestProxy_Callback(t *testing.T) {
 
 		cipher       encoding.MarshalUnmarshaler
 		sessionStore sessions.SessionStore
-		authorizer   client.Authorizer
 		wantStatus   int
 		wantBody     string
 	}{
-		{"good", opts, http.MethodGet, "http", "example.com", "/", nil, map[string]string{urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusFound, ""},
+		{
-		{"good programmatic", opts, http.MethodGet, "http", "example.com", "/", nil, map[string]string{urlutil.QueryIsProgrammatic: "true", urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusFound, ""},
+			"good",
-		{"bad decrypt", opts, http.MethodGet, "http", "example.com", "/", nil, map[string]string{urlutil.QuerySessionEncrypted: "KBEjQ9rnCxaAX-GOqexGw9ivEQURqts3zZ2mNGy0wnVa3SbtM399KlBq2nZ-9wM21FfsZX52er4jlmC7kPEKM3P7uZ41zR0zeys1-_74a5tQp-vsf1WXZfRsgVOuBcWPkMiWEoc379JFHxGDudp5VhU8B-dcQt4f3_PtLTHARkuH54io1Va2gNMq4Hiy8sQ1MPGCQeltH_JMzzdDpXdmdusWrXUvCGkba24muvAV06D8XRVJj6Iu9eK94qFnqcHc7wzziEbb8ADBues9dwbtb6jl8vMWz5rN6XvXqA5YpZv_MQZlsrO4oXFFQDevdgB84cX1tVbVu6qZvK_yQBZqzpOjWA9uIaoSENMytoXuWAlFO_sXjswfX8JTNdGwzB7qQRNPqxVG_sM_tzY3QhPm8zqwEzsXG5DokxZfVt2I5WJRUEovFDb4BnK9KFnnkEzLEdMudixVnXeGmTtycgJvoTeTCQRPfDYkcgJ7oKf4tGea-W7z5UAVa2RduJM9ZoM6YtJX7jgDm__PvvqcE0knJUF87XHBzdcOjoDF-CUze9xDJgNBlvPbJqVshKrwoqSYpePSDH9GUCNKxGequW3Ma8GvlFfhwd0rK6IZG-XWkyk0XSWQIGkDSjAvhB1wsOusCCguDjbpVZpaW5MMyTkmx68pl6qlIKT5UCcrVPl4ix5ZEj91mUDF0O1t04haD7VZuLVFXVGmqtFrBKI76sdYN-zkokaa1_chPRTyqMQFlqu_8LD6-RiK3UccGM-dEmnX72i91NP9F9OK0WJr9Cheup1C_P0mjqAO4Cb8oIHm0Oxz_mRqv5QbTGJtb3xwPLPuVjVCiE4gGBcuU2ixpSVf5HUF7y1KicVMCKiX9ATCBtg8sTdQZQnPEtHcHHAvdsnDVwev1LGfqA-Gdvg="}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			opts,
-		{"bad save session", opts, http.MethodGet, "http", "example.com", "/", nil, map[string]string{urlutil.QuerySessionEncrypted: goodEncryptionString}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{SaveError: errors.New("hi")}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			http.MethodGet,
-		{"bad base64", opts, http.MethodGet, "http", "example.com", "/", nil, map[string]string{urlutil.QuerySessionEncrypted: "^"}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			"http",
-		{"malformed redirect", opts, http.MethodGet, "http", "example.com", "/", nil, nil, &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			"example.com",
+			"/",
+			nil,
+			map[string]string{urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusFound,
+			"",
+		},
+		{
+			"good programmatic",
+			opts,
+			http.MethodGet,
+			"http",
+			"example.com",
+			"/",
+			nil,
+			map[string]string{urlutil.QueryIsProgrammatic: "true", urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusFound,
+			"",
+		},
+		{
+			"bad decrypt",
+			opts,
+			http.MethodGet,
+			"http",
+			"example.com",
+			"/",
+			nil,
+			map[string]string{urlutil.QuerySessionEncrypted: "KBEjQ9rnCxaAX-GOqexGw9ivEQURqts3zZ2mNGy0wnVa3SbtM399KlBq2nZ-9wM21FfsZX52er4jlmC7kPEKM3P7uZ41zR0zeys1-_74a5tQp-vsf1WXZfRsgVOuBcWPkMiWEoc379JFHxGDudp5VhU8B-dcQt4f3_PtLTHARkuH54io1Va2gNMq4Hiy8sQ1MPGCQeltH_JMzzdDpXdmdusWrXUvCGkba24muvAV06D8XRVJj6Iu9eK94qFnqcHc7wzziEbb8ADBues9dwbtb6jl8vMWz5rN6XvXqA5YpZv_MQZlsrO4oXFFQDevdgB84cX1tVbVu6qZvK_yQBZqzpOjWA9uIaoSENMytoXuWAlFO_sXjswfX8JTNdGwzB7qQRNPqxVG_sM_tzY3QhPm8zqwEzsXG5DokxZfVt2I5WJRUEovFDb4BnK9KFnnkEzLEdMudixVnXeGmTtycgJvoTeTCQRPfDYkcgJ7oKf4tGea-W7z5UAVa2RduJM9ZoM6YtJX7jgDm__PvvqcE0knJUF87XHBzdcOjoDF-CUze9xDJgNBlvPbJqVshKrwoqSYpePSDH9GUCNKxGequW3Ma8GvlFfhwd0rK6IZG-XWkyk0XSWQIGkDSjAvhB1wsOusCCguDjbpVZpaW5MMyTkmx68pl6qlIKT5UCcrVPl4ix5ZEj91mUDF0O1t04haD7VZuLVFXVGmqtFrBKI76sdYN-zkokaa1_chPRTyqMQFlqu_8LD6-RiK3UccGM-dEmnX72i91NP9F9OK0WJr9Cheup1C_P0mjqAO4Cb8oIHm0Oxz_mRqv5QbTGJtb3xwPLPuVjVCiE4gGBcuU2ixpSVf5HUF7y1KicVMCKiX9ATCBtg8sTdQZQnPEtHcHHAvdsnDVwev1LGfqA-Gdvg="},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusBadRequest,
+			"",
+		},
+		{
+			"bad save session",
+			opts,
+			http.MethodGet,
+			"http",
+			"example.com",
+			"/",
+			nil,
+			map[string]string{urlutil.QuerySessionEncrypted: goodEncryptionString},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{SaveError: errors.New("hi")},
+			http.StatusBadRequest,
+			"",
+		},
+		{
+			"bad base64",
+			opts,
+			http.MethodGet,
+			"http",
+			"example.com",
+			"/",
+			nil,
+			map[string]string{urlutil.QuerySessionEncrypted: "^"},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusBadRequest,
+			"",
+		},
+		{
+			"malformed redirect",
+			opts,
+			http.MethodGet,
+			"http",
+			"example.com",
+			"/",
+			nil,
+			nil,
+			&mock.Encoder{},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusBadRequest,
+			"",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -273,16 +348,83 @@ func TestProxy_ProgrammaticCallback(t *testing.T) {
 
 		cipher       encoding.MarshalUnmarshaler
 		sessionStore sessions.SessionStore
-		authorizer   client.Authorizer
 		wantStatus   int
 		wantBody     string
 	}{
-		{"good", opts, http.MethodGet, "http://pomerium.io/", nil, map[string]string{urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusFound, ""},
+		{
-		{"good programmatic", opts, http.MethodGet, "http://pomerium.io/", nil, map[string]string{urlutil.QueryIsProgrammatic: "true", urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusFound, ""},
+			"good",
-		{"bad decrypt", opts, http.MethodGet, "http://pomerium.io/", nil, map[string]string{urlutil.QuerySessionEncrypted: goodEncryptionString + cryptutil.NewBase64Key()}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			opts,
-		{"bad save session", opts, http.MethodGet, "http://pomerium.io/", nil, map[string]string{urlutil.QuerySessionEncrypted: goodEncryptionString}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{SaveError: errors.New("hi")}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			http.MethodGet,
-		{"bad base64", opts, http.MethodGet, "http://pomerium.io/", nil, map[string]string{urlutil.QuerySessionEncrypted: "^"}, &mock.Encoder{MarshalResponse: []byte("x")}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			"http://pomerium.io/",
-		{"malformed redirect", opts, http.MethodGet, "http://pomerium.io/", nil, nil, &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, client.MockAuthorize{AuthorizeResponse: &pb.IsAuthorizedReply{Allow: true}}, http.StatusBadRequest, ""},
+			nil,
+			map[string]string{urlutil.QueryCallbackURI: "ok", urlutil.QuerySessionEncrypted: goodEncryptionString},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusFound,
+			"",
+		},
+		{
+			"good programmatic",
+			opts,
+			http.MethodGet,
+			"http://pomerium.io/",
+			nil,
+			map[string]string{urlutil.QueryIsProgrammatic: "true",
+				urlutil.QueryCallbackURI:      "ok",
+				urlutil.QuerySessionEncrypted: goodEncryptionString},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusFound,
+			"",
+		},
+		{
+			"bad decrypt",
+			opts,
+			http.MethodGet,
+			"http://pomerium.io/",
+			nil,
+			map[string]string{urlutil.QuerySessionEncrypted: goodEncryptionString + cryptutil.NewBase64Key()},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusBadRequest,
+			"",
+		},
+		{
+			"bad save session",
+			opts,
+			http.MethodGet,
+			"http://pomerium.io/",
+			nil,
+			map[string]string{urlutil.QuerySessionEncrypted: goodEncryptionString},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{SaveError: errors.New("hi")},
+			http.StatusBadRequest,
+			"",
+		},
+		{
+			"bad base64",
+			opts,
+			http.MethodGet,
+			"http://pomerium.io/",
+			nil,
+			map[string]string{urlutil.QuerySessionEncrypted: "^"},
+			&mock.Encoder{MarshalResponse: []byte("x")},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusBadRequest,
+			"",
+		},
+		{
+			"malformed redirect",
+			opts,
+			http.MethodGet,
+			"http://pomerium.io/",
+			nil,
+			nil,
+			&mock.Encoder{},
+			&mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}},
+			http.StatusBadRequest,
+			"",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

proxy/proxy.go

@@ -22,7 +22,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/frontend"
-	"github.com/pomerium/pomerium/internal/grpc"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
@@ -31,6 +30,7 @@ import (
 	"github.com/pomerium/pomerium/internal/sessions/queryparam"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc"
 )
 
 const (