Merge remote-tracking branch 'remotes/origin/main' into wasaga/mcp-routes

2025-04-28 18:06:34 +02:00 · 2025-04-23 12:26:15 -04:00 · 2025-04-23 12:26:15 -04:00 · 227650ce3f
commit 227650ce3f
parent ca8d637d98 cb0e8aaf06
27 changed files with 895 additions and 472 deletions
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -11,7 +11,6 @@ import (
 	oteltrace "go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/errgroup"

-	"github.com/pomerium/datasource/pkg/directory"
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
@ -20,17 +19,15 @@ import (
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/pkg/storage"
 	"github.com/pomerium/pomerium/pkg/telemetry/trace"
 )

 // Authorize struct holds
 type Authorize struct {
-	state             *atomicutil.Value[*authorizeState]
-	store             *store.Store
-	currentConfig     *atomicutil.Value[*config.Config]
-	accessTracker     *AccessTracker
-	groupsCacheWarmer *cacheWarmer
+	state         *atomicutil.Value[*authorizeState]
+	store         *store.Store
+	currentConfig *atomicutil.Value[*config.Config]
+	accessTracker *AccessTracker

 	tracerProvider oteltrace.TracerProvider
 	tracer         oteltrace.Tracer
@ -41,20 +38,19 @@ func New(ctx context.Context, cfg *config.Config) (*Authorize, error) {
 	tracerProvider := trace.NewTracerProvider(ctx, "Authorize")
 	tracer := tracerProvider.Tracer(trace.PomeriumCoreTracer)
 	a := &Authorize{
-		currentConfig:  atomicutil.NewValue(&config.Config{Options: new(config.Options)}),
+		currentConfig:  atomicutil.NewValue(cfg),
 		store:          store.New(),
 		tracerProvider: tracerProvider,
 		tracer:         tracer,
 	}
 	a.accessTracker = NewAccessTracker(a, accessTrackerMaxSize, accessTrackerDebouncePeriod)

-	state, err := newAuthorizeStateFromConfig(ctx, tracerProvider, cfg, a.store, nil)
+	state, err := newAuthorizeStateFromConfig(ctx, nil, tracerProvider, cfg, a.store)
 	if err != nil {
 		return nil, err
 	}
 	a.state = atomicutil.NewValue(state)

-	a.groupsCacheWarmer = newCacheWarmer(state.dataBrokerClientConnection, storage.GlobalCache, directory.GroupRecordType)
 	return a, nil
 }

@ -70,10 +66,6 @@ func (a *Authorize) Run(ctx context.Context) error {
 		a.accessTracker.Run(ctx)
 		return nil
 	})
-	eg.Go(func() error {
-		a.groupsCacheWarmer.Run(ctx)
-		return nil
-	})
 	return eg.Wait()
 }

@ -154,13 +146,9 @@ func newPolicyEvaluator(
 func (a *Authorize) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	currentState := a.state.Load()
 	a.currentConfig.Store(cfg)
-	if newState, err := newAuthorizeStateFromConfig(ctx, a.tracerProvider, cfg, a.store, currentState.evaluator); err != nil {
+	if newState, err := newAuthorizeStateFromConfig(ctx, currentState, a.tracerProvider, cfg, a.store); err != nil {
 		log.Ctx(ctx).Error().Err(err).Msg("authorize: error updating state")
 	} else {
 		a.state.Store(newState)
-
-		if currentState.dataBrokerClientConnection != newState.dataBrokerClientConnection {
-			a.groupsCacheWarmer.UpdateConn(newState.dataBrokerClientConnection)
-		}
 	}
 }
--- a/authorize/cache_warmer.go
+++ b/authorize/cache_warmer.go
@ -1,122 +0,0 @@
-package authorize
-
-import (
-	"context"
-	"time"
-
-	"google.golang.org/grpc"
-
-	"github.com/pomerium/pomerium/internal/log"
-	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/pkg/storage"
-)
-
-type cacheWarmer struct {
-	cc      *grpc.ClientConn
-	cache   storage.Cache
-	typeURL string
-
-	updatedCC chan *grpc.ClientConn
-}
-
-func newCacheWarmer(
-	cc *grpc.ClientConn,
-	cache storage.Cache,
-	typeURL string,
-) *cacheWarmer {
-	return &cacheWarmer{
-		cc:      cc,
-		cache:   cache,
-		typeURL: typeURL,
-
-		updatedCC: make(chan *grpc.ClientConn, 1),
-	}
-}
-
-func (cw *cacheWarmer) UpdateConn(cc *grpc.ClientConn) {
-	for {
-		select {
-		case cw.updatedCC <- cc:
-			return
-		default:
-		}
-		select {
-		case <-cw.updatedCC:
-		default:
-		}
-	}
-}
-
-func (cw *cacheWarmer) Run(ctx context.Context) {
-	// Run a syncer for the cache warmer until the underlying databroker connection is changed.
-	// When that happens cancel the currently running syncer and start a new one.
-
-	runCtx, runCancel := context.WithCancel(ctx)
-	go cw.run(runCtx, cw.cc)
-
-	for {
-		select {
-		case <-ctx.Done():
-			runCancel()
-			return
-		case cc := <-cw.updatedCC:
-			log.Ctx(ctx).Info().Msg("cache-warmer: received updated databroker client connection, restarting syncer")
-			cw.cc = cc
-			runCancel()
-			runCtx, runCancel = context.WithCancel(ctx)
-			go cw.run(runCtx, cw.cc)
-		}
-	}
-}
-
-func (cw *cacheWarmer) run(ctx context.Context, cc *grpc.ClientConn) {
-	log.Ctx(ctx).Debug().Str("type-url", cw.typeURL).Msg("cache-warmer: running databroker syncer to warm cache")
-	_ = databroker.NewSyncer(ctx, "cache-warmer", cacheWarmerSyncerHandler{
-		client: databroker.NewDataBrokerServiceClient(cc),
-		cache:  cw.cache,
-	}, databroker.WithTypeURL(cw.typeURL)).Run(ctx)
-}
-
-type cacheWarmerSyncerHandler struct {
-	client databroker.DataBrokerServiceClient
-	cache  storage.Cache
-}
-
-func (h cacheWarmerSyncerHandler) GetDataBrokerServiceClient() databroker.DataBrokerServiceClient {
-	return h.client
-}
-
-func (h cacheWarmerSyncerHandler) ClearRecords(_ context.Context) {
-	h.cache.InvalidateAll()
-}
-
-func (h cacheWarmerSyncerHandler) UpdateRecords(ctx context.Context, serverVersion uint64, records []*databroker.Record) {
-	for _, record := range records {
-		req := &databroker.QueryRequest{
-			Type:  record.Type,
-			Limit: 1,
-		}
-		req.SetFilterByIDOrIndex(record.Id)
-
-		res := &databroker.QueryResponse{
-			Records:       []*databroker.Record{record},
-			TotalCount:    1,
-			ServerVersion: serverVersion,
-			RecordVersion: record.Version,
-		}
-
-		expiry := time.Now().Add(time.Hour * 24 * 365)
-		key, err := storage.MarshalQueryRequest(req)
-		if err != nil {
-			log.Ctx(ctx).Error().Err(err).Msg("cache-warmer: failed to marshal query request")
-			continue
-		}
-		value, err := storage.MarshalQueryResponse(res)
-		if err != nil {
-			log.Ctx(ctx).Error().Err(err).Msg("cache-warmer: failed to marshal query response")
-			continue
-		}
-
-		h.cache.Set(expiry, key, value)
-	}
-}
--- a/authorize/cache_warmer_test.go
+++ b/authorize/cache_warmer_test.go
@ -1,52 +0,0 @@
-package authorize
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"go.opentelemetry.io/otel/trace/noop"
-	"google.golang.org/grpc"
-
-	"github.com/pomerium/pomerium/internal/databroker"
-	"github.com/pomerium/pomerium/internal/testutil"
-	databrokerpb "github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/pkg/protoutil"
-	"github.com/pomerium/pomerium/pkg/storage"
-)
-
-func TestCacheWarmer(t *testing.T) {
-	t.Parallel()
-
-	ctx := testutil.GetContext(t, 10*time.Minute)
-	cc := testutil.NewGRPCServer(t, func(srv *grpc.Server) {
-		databrokerpb.RegisterDataBrokerServiceServer(srv, databroker.New(ctx, noop.NewTracerProvider()))
-	})
-	t.Cleanup(func() { cc.Close() })
-
-	client := databrokerpb.NewDataBrokerServiceClient(cc)
-	_, err := client.Put(ctx, &databrokerpb.PutRequest{
-		Records: []*databrokerpb.Record{
-			{Type: "example.com/record", Id: "e1", Data: protoutil.NewAnyBool(true)},
-			{Type: "example.com/record", Id: "e2", Data: protoutil.NewAnyBool(true)},
-		},
-	})
-	require.NoError(t, err)
-
-	cache := storage.NewGlobalCache(time.Minute)
-
-	cw := newCacheWarmer(cc, cache, "example.com/record")
-	go cw.Run(ctx)
-
-	assert.Eventually(t, func() bool {
-		req := &databrokerpb.QueryRequest{
-			Type:  "example.com/record",
-			Limit: 1,
-		}
-		req.SetFilterByIDOrIndex("e1")
-		res, err := storage.NewCachingQuerier(storage.NewStaticQuerier(), cache).Query(ctx, req)
-		require.NoError(t, err)
-		return len(res.GetRecords()) == 1
-	}, 10*time.Second, time.Millisecond*100)
-}
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@ -19,6 +19,7 @@ import (
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"

+	"github.com/pomerium/pomerium/authorize/checkrequest"
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
@ -161,7 +162,7 @@ func (a *Authorize) deniedResponse(
 			"code":       code,         // http code
 		})
 		headers.Set("Content-Type", "application/json")
-	case getCheckRequestURL(in).Path == "/robots.txt":
+	case checkrequest.GetURL(in).Path == "/robots.txt":
 		code = 200
 		respBody = []byte("User-agent: *\nDisallow: /")
 		headers.Set("Content-Type", "text/plain")
@ -229,7 +230,7 @@ func (a *Authorize) requireLoginResponse(
 	}

 	// always assume https scheme
-	checkRequestURL := getCheckRequestURL(in)
+	checkRequestURL := checkrequest.GetURL(in)
 	checkRequestURL.Scheme = "https"
 	var signInURLQuery url.Values

@ -262,7 +263,7 @@ func (a *Authorize) requireWebAuthnResponse(
 	state := a.state.Load()

 	// always assume https scheme
-	checkRequestURL := getCheckRequestURL(in)
+	checkRequestURL := checkrequest.GetURL(in)
 	checkRequestURL.Scheme = "https"

 	// If we're already on a webauthn route, return OK.
--- a/authorize/checkrequest/checkrequest.go
+++ b/authorize/checkrequest/checkrequest.go
@ -0,0 +1,44 @@
+// Package checkrequest contains helper functions for working with Envoy
+// ext_authz CheckRequest messages.
+package checkrequest
+
+import (
+	"net/url"
+	"strings"
+
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/urlutil"
+)
+
+// GetURL converts the request URL from an ext_authz CheckRequest to a [url.URL].
+func GetURL(req *envoy_service_auth_v3.CheckRequest) url.URL {
+	h := req.GetAttributes().GetRequest().GetHttp()
+	u := url.URL{
+		Scheme: h.GetScheme(),
+		Host:   h.GetHost(),
+	}
+	u.Host = urlutil.GetDomainsForURL(&u, false)[0]
+	// envoy sends the query string as part of the path
+	path := h.GetPath()
+	if idx := strings.Index(path, "?"); idx != -1 {
+		u.RawPath, u.RawQuery = path[:idx], path[idx+1:]
+		u.RawQuery = u.Query().Encode()
+	} else {
+		u.RawPath = path
+	}
+	u.Path, _ = url.PathUnescape(u.RawPath)
+	return u
+}
+
+// GetHeaders returns the HTTP headers from an ext_authz CheckRequest, canonicalizing
+// the header keys.
+func GetHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]string {
+	hdrs := make(map[string]string)
+	ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders()
+	for k, v := range ch {
+		hdrs[httputil.CanonicalHeaderKey(k)] = v
+	}
+	return hdrs
+}
--- a/authorize/checkrequest/checkrequest_test.go
+++ b/authorize/checkrequest/checkrequest_test.go
@ -0,0 +1,55 @@
+package checkrequest
+
+import (
+	"net/url"
+	"testing"
+
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetURL(t *testing.T) {
+	req := &envoy_service_auth_v3.CheckRequest{
+		Attributes: &envoy_service_auth_v3.AttributeContext{
+			Request: &envoy_service_auth_v3.AttributeContext_Request{
+				Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+					Host:    "example.com:80",
+					Path:    "/some/path?a=b",
+					Scheme:  "http",
+					Method:  "GET",
+					Headers: map[string]string{"X-Request-Id": "CHECK-REQUEST-ID"},
+				},
+			},
+		},
+	}
+
+	assert.Equal(t, url.URL{
+		Scheme:   "http",
+		Host:     "example.com",
+		Path:     "/some/path",
+		RawPath:  "/some/path",
+		RawQuery: "a=b",
+	}, GetURL(req))
+}
+
+func TestGetHeaders(t *testing.T) {
+	req := &envoy_service_auth_v3.CheckRequest{
+		Attributes: &envoy_service_auth_v3.AttributeContext{
+			Request: &envoy_service_auth_v3.AttributeContext_Request{
+				Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+					Headers: map[string]string{
+						"content-type": "application/www-x-form-urlencoded",
+						"x-request-id": "CHECK-REQUEST-ID",
+						":authority":   "example.com",
+					},
+				},
+			},
+		},
+	}
+
+	assert.Equal(t, map[string]string{
+		"Content-Type": "application/www-x-form-urlencoded",
+		"X-Request-Id": "CHECK-REQUEST-ID",
+		":authority":   "example.com",
+	}, GetHeaders(req))
+}
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -4,16 +4,21 @@ package evaluator
 import (
 	"context"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"github.com/go-jose/go-jose/v3"
 	"github.com/hashicorp/go-set/v3"
 	"github.com/open-policy-agent/opa/rego"
 	"golang.org/x/sync/errgroup"
+	"google.golang.org/protobuf/types/known/structpb"

+	"github.com/pomerium/pomerium/authorize/checkrequest"
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/errgrouputil"
@ -36,30 +41,37 @@ type Request struct {
 // RequestHTTP is the HTTP field in the request.
 type RequestHTTP struct {
 	Method            string                `json:"method"`
+	Host              string                `json:"host"`
 	Hostname          string                `json:"hostname"`
 	Path              string                `json:"path"`
+	RawPath           string                `json:"raw_path"`
+	RawQuery          string                `json:"raw_query"`
 	URL               string                `json:"url"`
 	Headers           map[string]string     `json:"headers"`
 	ClientCertificate ClientCertificateInfo `json:"client_certificate"`
 	IP                string                `json:"ip"`
 }

-// NewRequestHTTP creates a new RequestHTTP.
-func NewRequestHTTP(
-	method string,
-	requestURL url.URL,
-	headers map[string]string,
-	clientCertificate ClientCertificateInfo,
-	ip string,
+// RequestHTTPFromCheckRequest populates a RequestHTTP from an Envoy CheckRequest proto.
+func RequestHTTPFromCheckRequest(
+	ctx context.Context,
+	in *envoy_service_auth_v3.CheckRequest,
 ) RequestHTTP {
+	requestURL := checkrequest.GetURL(in)
+	rawPath, rawQuery, _ := strings.Cut(in.GetAttributes().GetRequest().GetHttp().GetPath(), "?")
+	attrs := in.GetAttributes()
+	clientCertMetadata := attrs.GetMetadataContext().GetFilterMetadata()["com.pomerium.client-certificate-info"]
 	return RequestHTTP{
-		Method:            method,
+		Method:            attrs.GetRequest().GetHttp().GetMethod(),
+		Host:              attrs.GetRequest().GetHttp().GetHost(),
 		Hostname:          requestURL.Hostname(),
 		Path:              requestURL.Path,
+		RawPath:           rawPath,
+		RawQuery:          rawQuery,
 		URL:               requestURL.String(),
-		Headers:           headers,
-		ClientCertificate: clientCertificate,
-		IP:                ip,
+		Headers:           checkrequest.GetHeaders(in),
+		ClientCertificate: getClientCertificateInfo(ctx, clientCertMetadata),
+		IP:                attrs.GetSource().GetAddress().GetSocketAddress().GetAddress(),
 	}
 }

@ -77,6 +89,41 @@ type ClientCertificateInfo struct {
 	Intermediates string `json:"intermediates,omitempty"`
 }

+// getClientCertificateInfo translates from the client certificate Envoy
+// metadata to the ClientCertificateInfo type.
+func getClientCertificateInfo(
+	ctx context.Context, metadata *structpb.Struct,
+) ClientCertificateInfo {
+	var c ClientCertificateInfo
+	if metadata == nil {
+		return c
+	}
+	c.Presented = metadata.Fields["presented"].GetBoolValue()
+	escapedChain := metadata.Fields["chain"].GetStringValue()
+	if escapedChain == "" {
+		// No validated client certificate.
+		return c
+	}
+
+	chain, err := url.QueryUnescape(escapedChain)
+	if err != nil {
+		log.Ctx(ctx).Error().Str("chain", escapedChain).Err(err).
+			Msg(`received unexpected client certificate "chain" value`)
+		return c
+	}
+
+	// Split the chain into the leaf and any intermediate certificates.
+	p, rest := pem.Decode([]byte(chain))
+	if p == nil {
+		log.Ctx(ctx).Error().Str("chain", escapedChain).
+			Msg(`received unexpected client certificate "chain" value (no PEM block found)`)
+		return c
+	}
+	c.Leaf = string(pem.EncodeToMemory(p))
+	c.Intermediates = string(rest)
+	return c
+}
+
 // RequestSession is the session field in the request.
 type RequestSession struct {
 	ID string `json:"id"`
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -10,10 +10,12 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/structpb"

 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/testutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
@ -22,6 +24,113 @@ import (
 	"github.com/pomerium/pomerium/pkg/storage"
 )

+func Test_getClientCertificateInfo(t *testing.T) {
+	const leafPEM = `-----BEGIN CERTIFICATE-----
+MIIBZTCCAQugAwIBAgICEAEwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAxMPSW50ZXJt
+ZWRpYXRlIENBMCIYDzAwMDEwMTAxMDAwMDAwWhgPMDAwMTAxMDEwMDAwMDBaMB8x
+HTAbBgNVBAMTFENsaWVudCBjZXJ0aWZpY2F0ZSAxMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAESly1cwEbcxaJBl6qAhrX1k7vejTFNE2dEbrTMpUYMl86GEWdsDYN
+KSa/1wZCowPy82gPGjfAU90odkqJOusCQqM4MDYwEwYDVR0lBAwwCgYIKwYBBQUH
+AwIwHwYDVR0jBBgwFoAU6Qb7nEl2XHKpf/QLL6PENsHFqbowCgYIKoZIzj0EAwID
+SAAwRQIgXREMUz81pYwJCMLGcV0ApaXIUap1V5n1N4VhyAGxGLYCIQC8p/LwoSgu
+71H3/nCi5MxsECsvVtsmHIfwXt0wulQ1TA==
+-----END CERTIFICATE-----
+`
+	const intermediatePEM = `-----BEGIN CERTIFICATE-----
+MIIBYzCCAQigAwIBAgICEAEwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHUm9vdCBD
+QTAiGA8wMDAxMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAaMRgwFgYDVQQD
+Ew9JbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATYaTr9
+uH4LpEp541/2SlKrdQZwNns+NHY/ftm++NhMDUn+izzNbPZ5aPT6VBs4Q6vbgfkK
+kDaBpaKzb+uOT+o1o0IwQDAdBgNVHQ4EFgQU6Qb7nEl2XHKpf/QLL6PENsHFqbow
+HwYDVR0jBBgwFoAUiQ3r61y+vxDn6PMWZrpISr67HiQwCgYIKoZIzj0EAwIDSQAw
+RgIhAMvdURs28uib2QwSMnqJjKasMb30yrSJvTiSU+lcg97/AiEA+6GpioM0c221
+n/XNKVYEkPmeXHRoz9ZuVDnSfXKJoHE=
+-----END CERTIFICATE-----
+`
+	const rootPEM = `-----BEGIN CERTIFICATE-----
+MIIBNzCB36ADAgECAgIQADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdSb290IENB
+MCIYDzAwMDEwMTAxMDAwMDAwWhgPMDAwMTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMT
+B1Jvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS6q0mTvm29xasq7Lwk
+aRGb2S/LkQFsAwaCXohSNvonCQHRMCRvA1IrQGk/oyBS5qrDoD9/7xkcVYHuTv5D
+CbtuoyEwHzAdBgNVHQ4EFgQUiQ3r61y+vxDn6PMWZrpISr67HiQwCgYIKoZIzj0E
+AwIDRwAwRAIgF1ux0ridbN+bo0E3TTcNY8Xfva7yquYRMmEkfbGvSb0CIDqK80B+
+fYCZHo3CID0gRSemaQ/jYMgyeBFrHIr6icZh
+-----END CERTIFICATE-----
+`
+
+	cases := []struct {
+		label       string
+		presented   bool
+		chain       string
+		expected    ClientCertificateInfo
+		expectedLog string
+	}{
+		{
+			"not presented",
+			false,
+			"",
+			ClientCertificateInfo{},
+			"",
+		},
+		{
+			"presented",
+			true,
+			url.QueryEscape(leafPEM),
+			ClientCertificateInfo{
+				Presented: true,
+				Leaf:      leafPEM,
+			},
+			"",
+		},
+		{
+			"presented with intermediates",
+			true,
+			url.QueryEscape(leafPEM + intermediatePEM + rootPEM),
+			ClientCertificateInfo{
+				Presented:     true,
+				Leaf:          leafPEM,
+				Intermediates: intermediatePEM + rootPEM,
+			},
+			"",
+		},
+		{
+			"invalid chain URL encoding",
+			false,
+			"invalid%URL%encoding",
+			ClientCertificateInfo{},
+			`{"chain":"invalid%URL%encoding","error":"invalid URL escape \"%UR\"","level":"error","message":"received unexpected client certificate \"chain\" value"}`,
+		},
+		{
+			"invalid chain PEM encoding",
+			true,
+			"not valid PEM data",
+			ClientCertificateInfo{
+				Presented: true,
+			},
+			`{"chain":"not valid PEM data","level":"error","message":"received unexpected client certificate \"chain\" value (no PEM block found)"}`,
+		},
+	}
+
+	ctx := context.Background()
+	for i := range cases {
+		c := &cases[i]
+		t.Run(c.label, func(t *testing.T) {
+			metadata := &structpb.Struct{
+				Fields: map[string]*structpb.Value{
+					"presented": structpb.NewBoolValue(c.presented),
+					"chain":     structpb.NewStringValue(c.chain),
+				},
+			}
+			var info ClientCertificateInfo
+			logOutput := testutil.CaptureLogs(t, func() {
+				info = getClientCertificateInfo(ctx, metadata)
+			})
+			assert.Equal(t, c.expected, info)
+			assert.Contains(t, logOutput, c.expectedLog)
+		})
+	}
+}
+
 func TestEvaluator(t *testing.T) {
 	signingKey, err := cryptutil.NewSigningKey()
 	require.NoError(t, err)
@ -527,13 +636,9 @@ func TestEvaluator(t *testing.T) {
 	t.Run("http method", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{}, &Request{
 			Policy: policies[8],
-			HTTP: NewRequestHTTP(
-				http.MethodGet,
-				*mustParseURL("https://from.example.com/"),
-				nil,
-				ClientCertificateInfo{},
-				"",
-			),
+			HTTP: RequestHTTP{
+				Method: http.MethodGet,
+			},
 		})
 		require.NoError(t, err)
 		assert.True(t, res.Allow.Value)
@ -541,13 +646,10 @@ func TestEvaluator(t *testing.T) {
 	t.Run("http path", func(t *testing.T) {
 		res, err := eval(t, options, []proto.Message{}, &Request{
 			Policy: policies[9],
-			HTTP: NewRequestHTTP(
-				"POST",
-				*mustParseURL("https://from.example.com/test"),
-				nil,
-				ClientCertificateInfo{},
-				"",
-			),
+			HTTP: RequestHTTP{
+				Method: "POST",
+				Path:   "/test",
+			},
 		})
 		require.NoError(t, err)
 		assert.True(t, res.Allow.Value)
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@ -2,26 +2,23 @@ package authorize

 import (
 	"context"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
 	"strings"

 	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/structpb"

+	"github.com/pomerium/pomerium/authorize/checkrequest"
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/config/envoyconfig"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
-	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/contextutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
@ -34,11 +31,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	ctx, span := a.tracer.Start(ctx, "authorize.grpc.Check")
 	defer span.End()

-	querier := storage.NewCachingQuerier(
-		storage.NewQuerier(a.state.Load().dataBrokerClient),
-		storage.GlobalCache,
-	)
-	ctx = storage.WithQuerier(ctx, querier)
+	ctx = a.withQuerierForCheckRequest(ctx)

 	state := a.state.Load()

@ -84,7 +77,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	if err != nil {
 		log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("grpc check ext_authz_error")
 	}
-	a.logAuthorizeCheck(ctx, in, res, s, u)
+	a.logAuthorizeCheck(ctx, req, res, s, u)
 	return resp, err
 }

@ -142,18 +135,10 @@ func (a *Authorize) getEvaluatorRequestFromCheckRequest(
 	ctx context.Context,
 	in *envoy_service_auth_v3.CheckRequest,
 ) (*evaluator.Request, error) {
-	requestURL := getCheckRequestURL(in)
 	attrs := in.GetAttributes()
-	clientCertMetadata := attrs.GetMetadataContext().GetFilterMetadata()["com.pomerium.client-certificate-info"]
 	req := &evaluator.Request{
 		IsInternal: envoyconfig.ExtAuthzContextExtensionsIsInternal(attrs.GetContextExtensions()),
-		HTTP: evaluator.NewRequestHTTP(
-			attrs.GetRequest().GetHttp().GetMethod(),
-			requestURL,
-			getCheckRequestHeaders(in),
-			getClientCertificateInfo(ctx, clientCertMetadata),
-			attrs.GetSource().GetAddress().GetSocketAddress().GetAddress(),
-		),
+		HTTP:       evaluator.RequestHTTPFromCheckRequest(ctx, in),
 	}
 	req.Policy = a.getMatchingPolicy(envoyconfig.ExtAuthzContextExtensionsRouteID(attrs.GetContextExtensions()))
 	return req, nil
@ -172,9 +157,24 @@ func (a *Authorize) getMatchingPolicy(routeID uint64) *config.Policy {
 	return nil
 }

+func (a *Authorize) withQuerierForCheckRequest(ctx context.Context) context.Context {
+	state := a.state.Load()
+	q := storage.NewQuerier(state.dataBrokerClient)
+	// if sync queriers are enabled, use those
+	if len(state.syncQueriers) > 0 {
+		m := map[string]storage.Querier{}
+		for recordType, sq := range state.syncQueriers {
+			m[recordType] = storage.NewFallbackQuerier(sq, q)
+		}
+		q = storage.NewTypedQuerier(q, m)
+	}
+	q = storage.NewCachingQuerier(q, storage.GlobalCache)
+	return storage.WithQuerier(ctx, q)
+}
+
 func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v3.CheckRequest) *http.Request {
 	hattrs := req.GetAttributes().GetRequest().GetHttp()
-	u := getCheckRequestURL(req)
+	u := checkrequest.GetURL(req)
 	hreq := &http.Request{
 		Method:     hattrs.GetMethod(),
 		URL:        &u,
@ -197,57 +197,3 @@ func getCheckRequestHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]
 	}
 	return hdrs
 }
-
-func getCheckRequestURL(req *envoy_service_auth_v3.CheckRequest) url.URL {
-	h := req.GetAttributes().GetRequest().GetHttp()
-	u := url.URL{
-		Scheme: h.GetScheme(),
-		Host:   h.GetHost(),
-	}
-	u.Host = urlutil.GetDomainsForURL(&u, false)[0]
-	// envoy sends the query string as part of the path
-	path := h.GetPath()
-	if idx := strings.Index(path, "?"); idx != -1 {
-		u.RawPath, u.RawQuery = path[:idx], path[idx+1:]
-		u.RawQuery = u.Query().Encode()
-	} else {
-		u.RawPath = path
-	}
-	u.Path, _ = url.PathUnescape(u.RawPath)
-	return u
-}
-
-// getClientCertificateInfo translates from the client certificate Envoy
-// metadata to the ClientCertificateInfo type.
-func getClientCertificateInfo(
-	ctx context.Context, metadata *structpb.Struct,
-) evaluator.ClientCertificateInfo {
-	var c evaluator.ClientCertificateInfo
-	if metadata == nil {
-		return c
-	}
-	c.Presented = metadata.Fields["presented"].GetBoolValue()
-	escapedChain := metadata.Fields["chain"].GetStringValue()
-	if escapedChain == "" {
-		// No validated client certificate.
-		return c
-	}
-
-	chain, err := url.QueryUnescape(escapedChain)
-	if err != nil {
-		log.Ctx(ctx).Error().Str("chain", escapedChain).Err(err).
-			Msg(`received unexpected client certificate "chain" value`)
-		return c
-	}
-
-	// Split the chain into the leaf and any intermediate certificates.
-	p, rest := pem.Decode([]byte(chain))
-	if p == nil {
-		log.Ctx(ctx).Error().Str("chain", escapedChain).
-			Msg(`received unexpected client certificate "chain" value (no PEM block found)`)
-		return c
-	}
-	c.Leaf = string(pem.EncodeToMemory(p))
-	c.Intermediates = string(rest)
-	return c
-}
--- a/authorize/grpc_test.go
+++ b/authorize/grpc_test.go
@ -18,7 +18,6 @@ import (
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
-	"github.com/pomerium/pomerium/internal/testutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/storage"
 )
@ -92,20 +91,25 @@ func Test_getEvaluatorRequest(t *testing.T) {
 	require.NoError(t, err)
 	expect := &evaluator.Request{
 		Policy: &a.currentConfig.Load().Options.Policies[0],
-		HTTP: evaluator.NewRequestHTTP(
-			http.MethodGet,
-			mustParseURL("http://example.com/some/path?qs=1"),
-			map[string]string{
+		HTTP: evaluator.RequestHTTP{
+			Method:   http.MethodGet,
+			Host:     "example.com",
+			Hostname: "example.com",
+			Path:     "/some/path",
+			RawPath:  "/some/path",
+			RawQuery: "qs=1",
+			URL:      "http://example.com/some/path?qs=1",
+			Headers: map[string]string{
 				"Accept":            "text/html",
 				"X-Forwarded-Proto": "https",
 			},
-			evaluator.ClientCertificateInfo{
+			ClientCertificate: evaluator.ClientCertificateInfo{
 				Presented:     true,
 				Leaf:          certPEM[1:] + "\n",
 				Intermediates: "",
 			},
-			"",
-		),
+			IP: "",
+		},
 	}
 	assert.Equal(t, expect, actual)
 }
@ -145,127 +149,25 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
 	expect := &evaluator.Request{
 		Policy:  &a.currentConfig.Load().Options.Policies[0],
 		Session: evaluator.RequestSession{},
-		HTTP: evaluator.NewRequestHTTP(
-			http.MethodGet,
-			mustParseURL("http://example.com/some/path?qs=1"),
-			map[string]string{
+		HTTP: evaluator.RequestHTTP{
+			Method:   http.MethodGet,
+			Host:     "example.com:80",
+			Hostname: "example.com",
+			Path:     "/some/path",
+			RawPath:  "/some/path",
+			RawQuery: "qs=1",
+			URL:      "http://example.com/some/path?qs=1",
+			Headers: map[string]string{
 				"Accept":            "text/html",
 				"X-Forwarded-Proto": "https",
 			},
-			evaluator.ClientCertificateInfo{},
-			"",
-		),
+			ClientCertificate: evaluator.ClientCertificateInfo{},
+			IP:                "",
+		},
 	}
 	assert.Equal(t, expect, actual)
 }

-func Test_getClientCertificateInfo(t *testing.T) {
-	const leafPEM = `-----BEGIN CERTIFICATE-----
-MIIBZTCCAQugAwIBAgICEAEwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAxMPSW50ZXJt
-ZWRpYXRlIENBMCIYDzAwMDEwMTAxMDAwMDAwWhgPMDAwMTAxMDEwMDAwMDBaMB8x
-HTAbBgNVBAMTFENsaWVudCBjZXJ0aWZpY2F0ZSAxMFkwEwYHKoZIzj0CAQYIKoZI
-zj0DAQcDQgAESly1cwEbcxaJBl6qAhrX1k7vejTFNE2dEbrTMpUYMl86GEWdsDYN
-KSa/1wZCowPy82gPGjfAU90odkqJOusCQqM4MDYwEwYDVR0lBAwwCgYIKwYBBQUH
-AwIwHwYDVR0jBBgwFoAU6Qb7nEl2XHKpf/QLL6PENsHFqbowCgYIKoZIzj0EAwID
-SAAwRQIgXREMUz81pYwJCMLGcV0ApaXIUap1V5n1N4VhyAGxGLYCIQC8p/LwoSgu
-71H3/nCi5MxsECsvVtsmHIfwXt0wulQ1TA==
-----END CERTIFICATE-----
-`
-	const intermediatePEM = `-----BEGIN CERTIFICATE-----
-MIIBYzCCAQigAwIBAgICEAEwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHUm9vdCBD
-QTAiGA8wMDAxMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAaMRgwFgYDVQQD
-Ew9JbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATYaTr9
-uH4LpEp541/2SlKrdQZwNns+NHY/ftm++NhMDUn+izzNbPZ5aPT6VBs4Q6vbgfkK
-kDaBpaKzb+uOT+o1o0IwQDAdBgNVHQ4EFgQU6Qb7nEl2XHKpf/QLL6PENsHFqbow
-HwYDVR0jBBgwFoAUiQ3r61y+vxDn6PMWZrpISr67HiQwCgYIKoZIzj0EAwIDSQAw
-RgIhAMvdURs28uib2QwSMnqJjKasMb30yrSJvTiSU+lcg97/AiEA+6GpioM0c221
-n/XNKVYEkPmeXHRoz9ZuVDnSfXKJoHE=
-----END CERTIFICATE-----
-`
-	const rootPEM = `-----BEGIN CERTIFICATE-----
-MIIBNzCB36ADAgECAgIQADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdSb290IENB
-MCIYDzAwMDEwMTAxMDAwMDAwWhgPMDAwMTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMT
-B1Jvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS6q0mTvm29xasq7Lwk
-aRGb2S/LkQFsAwaCXohSNvonCQHRMCRvA1IrQGk/oyBS5qrDoD9/7xkcVYHuTv5D
-CbtuoyEwHzAdBgNVHQ4EFgQUiQ3r61y+vxDn6PMWZrpISr67HiQwCgYIKoZIzj0E
-AwIDRwAwRAIgF1ux0ridbN+bo0E3TTcNY8Xfva7yquYRMmEkfbGvSb0CIDqK80B+
-fYCZHo3CID0gRSemaQ/jYMgyeBFrHIr6icZh
-----END CERTIFICATE-----
-`
-
-	cases := []struct {
-		label       string
-		presented   bool
-		chain       string
-		expected    evaluator.ClientCertificateInfo
-		expectedLog string
-	}{
-		{
-			"not presented",
-			false,
-			"",
-			evaluator.ClientCertificateInfo{},
-			"",
-		},
-		{
-			"presented",
-			true,
-			url.QueryEscape(leafPEM),
-			evaluator.ClientCertificateInfo{
-				Presented: true,
-				Leaf:      leafPEM,
-			},
-			"",
-		},
-		{
-			"presented with intermediates",
-			true,
-			url.QueryEscape(leafPEM + intermediatePEM + rootPEM),
-			evaluator.ClientCertificateInfo{
-				Presented:     true,
-				Leaf:          leafPEM,
-				Intermediates: intermediatePEM + rootPEM,
-			},
-			"",
-		},
-		{
-			"invalid chain URL encoding",
-			false,
-			"invalid%URL%encoding",
-			evaluator.ClientCertificateInfo{},
-			`{"chain":"invalid%URL%encoding","error":"invalid URL escape \"%UR\"","level":"error","message":"received unexpected client certificate \"chain\" value"}`,
-		},
-		{
-			"invalid chain PEM encoding",
-			true,
-			"not valid PEM data",
-			evaluator.ClientCertificateInfo{
-				Presented: true,
-			},
-			`{"chain":"not valid PEM data","level":"error","message":"received unexpected client certificate \"chain\" value (no PEM block found)"}`,
-		},
-	}
-
-	ctx := context.Background()
-	for i := range cases {
-		c := &cases[i]
-		t.Run(c.label, func(t *testing.T) {
-			metadata := &structpb.Struct{
-				Fields: map[string]*structpb.Value{
-					"presented": structpb.NewBoolValue(c.presented),
-					"chain":     structpb.NewStringValue(c.chain),
-				},
-			}
-			var info evaluator.ClientCertificateInfo
-			logOutput := testutil.CaptureLogs(t, func() {
-				info = getClientCertificateInfo(ctx, metadata)
-			})
-			assert.Equal(t, c.expected, info)
-			assert.Contains(t, logOutput, c.expectedLog)
-		})
-	}
-}
-
 type mockDataBrokerServiceClient struct {
 	databroker.DataBrokerServiceClient

--- a/authorize/log.go
+++ b/authorize/log.go
@ -2,9 +2,7 @@ package authorize

 import (
 	"context"
-	"strings"

-	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/rs/zerolog"
 	"go.opentelemetry.io/otel/attribute"
@ -21,19 +19,19 @@ import (

 func (a *Authorize) logAuthorizeCheck(
 	ctx context.Context,
-	in *envoy_service_auth_v3.CheckRequest,
+	req *evaluator.Request,
 	res *evaluator.Result, s sessionOrServiceAccount, u *user.User,
 ) {
 	ctx, span := a.tracer.Start(ctx, "authorize.grpc.LogAuthorizeCheck")
 	defer span.End()

-	hdrs := getCheckRequestHeaders(in)
+	hdrs := req.HTTP.Headers
 	impersonateDetails := a.getImpersonateDetails(ctx, s)

 	evt := log.Ctx(ctx).Info().Str("service", "authorize")
 	fields := a.currentConfig.Load().Options.GetAuthorizeLogFields()
 	for _, field := range fields {
-		evt = populateLogEvent(ctx, field, evt, in, s, u, hdrs, impersonateDetails, res)
+		evt = populateLogEvent(ctx, field, evt, req, s, u, impersonateDetails, res)
 	}
 	evt = log.HTTPHeaders(evt, fields, hdrs)

@ -134,22 +132,19 @@ func populateLogEvent(
 	ctx context.Context,
 	field log.AuthorizeLogField,
 	evt *zerolog.Event,
-	in *envoy_service_auth_v3.CheckRequest,
+	req *evaluator.Request,
 	s sessionOrServiceAccount,
 	u *user.User,
-	hdrs map[string]string,
 	impersonateDetails *impersonateDetails,
 	res *evaluator.Result,
 ) *zerolog.Event {
-	path, query, _ := strings.Cut(in.GetAttributes().GetRequest().GetHttp().GetPath(), "?")
-
 	switch field {
 	case log.AuthorizeLogFieldCheckRequestID:
-		return evt.Str(string(field), hdrs["X-Request-Id"])
+		return evt.Str(string(field), req.HTTP.Headers["X-Request-Id"])
 	case log.AuthorizeLogFieldEmail:
 		return evt.Str(string(field), u.GetEmail())
 	case log.AuthorizeLogFieldHost:
-		return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetHost())
+		return evt.Str(string(field), req.HTTP.Host)
 	case log.AuthorizeLogFieldIDToken:
 		if s, ok := s.(*session.Session); ok {
 			evt = evt.Str(string(field), s.GetIdToken().GetRaw())
@ -180,13 +175,13 @@ func populateLogEvent(
 		}
 		return evt
 	case log.AuthorizeLogFieldIP:
-		return evt.Str(string(field), in.GetAttributes().GetSource().GetAddress().GetSocketAddress().GetAddress())
+		return evt.Str(string(field), req.HTTP.IP)
 	case log.AuthorizeLogFieldMethod:
-		return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetMethod())
+		return evt.Str(string(field), req.HTTP.Method)
 	case log.AuthorizeLogFieldPath:
-		return evt.Str(string(field), path)
+		return evt.Str(string(field), req.HTTP.RawPath)
 	case log.AuthorizeLogFieldQuery:
-		return evt.Str(string(field), query)
+		return evt.Str(string(field), req.HTTP.RawQuery)
 	case log.AuthorizeLogFieldRequestID:
 		return evt.Str(string(field), requestid.FromContext(ctx))
 	case log.AuthorizeLogFieldServiceAccountID:
--- a/authorize/log_test.go
+++ b/authorize/log_test.go
@ -6,8 +6,6 @@ import (
 	"strings"
 	"testing"

-	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
-	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"

@ -24,27 +22,16 @@ func Test_populateLogEvent(t *testing.T) {
 	ctx := context.Background()
 	ctx = requestid.WithValue(ctx, "REQUEST-ID")

-	checkRequest := &envoy_service_auth_v3.CheckRequest{
-		Attributes: &envoy_service_auth_v3.AttributeContext{
-			Request: &envoy_service_auth_v3.AttributeContext_Request{
-				Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
-					Host:   "HOST",
-					Path:   "https://www.example.com/some/path?a=b",
-					Method: "GET",
-				},
-			},
-			Source: &envoy_service_auth_v3.AttributeContext_Peer{
-				Address: &envoy_config_core_v3.Address{
-					Address: &envoy_config_core_v3.Address_SocketAddress{
-						SocketAddress: &envoy_config_core_v3.SocketAddress{
-							Address: "127.0.0.1",
-						},
-					},
-				},
-			},
+	req := &evaluator.Request{
+		HTTP: evaluator.RequestHTTP{
+			Method:   "GET",
+			Host:     "HOST",
+			RawPath:  "/some/path",
+			RawQuery: "a=b",
+			Headers:  map[string]string{"X-Request-Id": "CHECK-REQUEST-ID"},
+			IP:       "127.0.0.1",
 		},
 	}
-	headers := map[string]string{"X-Request-Id": "CHECK-REQUEST-ID"}
 	s := &session.Session{
 		Id: "SESSION-ID",
 		IdToken: &session.IDToken{
@ -86,7 +73,7 @@ func Test_populateLogEvent(t *testing.T) {
 		{log.AuthorizeLogFieldImpersonateUserID, s, `{"impersonate-user-id":"IMPERSONATE-USER-ID"}`},
 		{log.AuthorizeLogFieldIP, s, `{"ip":"127.0.0.1"}`},
 		{log.AuthorizeLogFieldMethod, s, `{"method":"GET"}`},
-		{log.AuthorizeLogFieldPath, s, `{"path":"https://www.example.com/some/path"}`},
+		{log.AuthorizeLogFieldPath, s, `{"path":"/some/path"}`},
 		{log.AuthorizeLogFieldQuery, s, `{"query":"a=b"}`},
 		{log.AuthorizeLogFieldRemovedGroupsCount, s, `{"removed-groups-count":42}`},
 		{log.AuthorizeLogFieldRequestID, s, `{"request-id":"REQUEST-ID"}`},
@ -102,7 +89,7 @@ func Test_populateLogEvent(t *testing.T) {
 			var buf bytes.Buffer
 			log := zerolog.New(&buf)
 			evt := log.Log()
-			evt = populateLogEvent(ctx, tc.field, evt, checkRequest, tc.s, u, headers, impersonateDetails, res)
+			evt = populateLogEvent(ctx, tc.field, evt, req, tc.s, u, impersonateDetails, res)
 			evt.Send()

 			assert.Equal(t, tc.expect, strings.TrimSpace(buf.String()))
--- a/authorize/state.go
+++ b/authorize/state.go
@ -9,12 +9,17 @@ import (
 	oteltrace "go.opentelemetry.io/otel/trace"
 	googlegrpc "google.golang.org/grpc"

+	"github.com/pomerium/datasource/pkg/directory"
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/authenticateflow"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/grpcutil"
+	"github.com/pomerium/pomerium/pkg/storage"
 )

 var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
@ -30,14 +35,15 @@ type authorizeState struct {
 	dataBrokerClient           databroker.DataBrokerServiceClient
 	sessionStore               *config.SessionStore
 	authenticateFlow           authenticateFlow
+	syncQueriers               map[string]storage.Querier
 }

 func newAuthorizeStateFromConfig(
 	ctx context.Context,
+	previousState *authorizeState,
 	tracerProvider oteltrace.TracerProvider,
 	cfg *config.Config,
 	store *store.Store,
-	previousPolicyEvaluator *evaluator.Evaluator,
 ) (*authorizeState, error) {
 	if err := validateOptions(cfg.Options); err != nil {
 		return nil, fmt.Errorf("authorize: bad options: %w", err)
@ -46,8 +52,12 @@ func newAuthorizeStateFromConfig(
 	state := new(authorizeState)

 	var err error
+	var previousEvaluator *evaluator.Evaluator
+	if previousState != nil {
+		previousEvaluator = previousState.evaluator
+	}

-	state.evaluator, err = newPolicyEvaluator(ctx, cfg.Options, store, previousPolicyEvaluator)
+	state.evaluator, err = newPolicyEvaluator(ctx, cfg.Options, store, previousEvaluator)
 	if err != nil {
 		return nil, fmt.Errorf("authorize: failed to update policy with options: %w", err)
 	}
@ -88,5 +98,29 @@ func newAuthorizeStateFromConfig(
 		return nil, err
 	}

+	state.syncQueriers = make(map[string]storage.Querier)
+	if previousState != nil {
+		if previousState.dataBrokerClientConnection == state.dataBrokerClientConnection {
+			state.syncQueriers = previousState.syncQueriers
+		} else {
+			for _, v := range previousState.syncQueriers {
+				v.Stop()
+			}
+		}
+	}
+	if cfg.Options.IsRuntimeFlagSet(config.RuntimeFlagAuthorizeUseSyncedData) {
+		for _, recordType := range []string{
+			grpcutil.GetTypeURL(new(session.Session)),
+			grpcutil.GetTypeURL(new(user.User)),
+			grpcutil.GetTypeURL(new(user.ServiceAccount)),
+			directory.GroupRecordType,
+			directory.UserRecordType,
+		} {
+			if _, ok := state.syncQueriers[recordType]; !ok {
+				state.syncQueriers[recordType] = storage.NewSyncQuerier(state.dataBrokerClient, recordType)
+			}
+		}
+	}
+
 	return state, nil
 }
--- a/config/runtime_flags.go
+++ b/config/runtime_flags.go
@ -25,6 +25,10 @@ var (

 	// RuntimeFlagAddExtraMetricsLabels enables adding extra labels to metrics (host and installation id)
 	RuntimeFlagAddExtraMetricsLabels = runtimeFlag("add_extra_metrics_labels", true)
+
+	// RuntimeFlagAuthorizeUseSyncedData enables synced data for querying the databroker for
+	// certain types of data.
+	RuntimeFlagAuthorizeUseSyncedData = runtimeFlag("authorize_use_synced_data", true)
 )

 // RuntimeFlag is a runtime flag that can flip on/off certain features
--- a/internal/testenv/selftests/tracing_test.go
+++ b/internal/testenv/selftests/tracing_test.go
@ -81,14 +81,16 @@ func TestOTLPTracing(t *testing.T) {

 	results := NewTraceResults(srv.FlushResourceSpans())
 	var (
-		testEnvironmentLocalTest    = fmt.Sprintf("Test Environment: %s", t.Name())
-		testEnvironmentAuthenticate = "Test Environment: Authenticate"
-		authenticateOAuth2Client    = "Authenticate: OAuth2 Client: GET /.well-known/jwks.json"
-		idpServerGetUserinfo        = "IDP: Server: GET /oidc/userinfo"
-		idpServerPostToken          = "IDP: Server: POST /oidc/token"
-		controlPlaneEnvoyAccessLogs = "Control Plane: envoy.service.accesslog.v3.AccessLogService/StreamAccessLogs"
-		controlPlaneEnvoyDiscovery  = "Control Plane: envoy.service.discovery.v3.AggregatedDiscoveryService/DeltaAggregatedResources"
-		controlPlaneExport          = "Control Plane: opentelemetry.proto.collector.trace.v1.TraceService/Export"
+		testEnvironmentLocalTest      = fmt.Sprintf("Test Environment: %s", t.Name())
+		testEnvironmentAuthenticate   = "Test Environment: Authenticate"
+		authenticateOAuth2Client      = "Authenticate: OAuth2 Client: GET /.well-known/jwks.json"
+		authorizeDatabrokerSync       = "Authorize: databroker.DataBrokerService/Sync"
+		authorizeDatabrokerSyncLatest = "Authorize: databroker.DataBrokerService/SyncLatest"
+		idpServerGetUserinfo          = "IDP: Server: GET /oidc/userinfo"
+		idpServerPostToken            = "IDP: Server: POST /oidc/token"
+		controlPlaneEnvoyAccessLogs   = "Control Plane: envoy.service.accesslog.v3.AccessLogService/StreamAccessLogs"
+		controlPlaneEnvoyDiscovery    = "Control Plane: envoy.service.discovery.v3.AggregatedDiscoveryService/DeltaAggregatedResources"
+		controlPlaneExport            = "Control Plane: opentelemetry.proto.collector.trace.v1.TraceService/Export"
 	)

 	results.MatchTraces(t,
@ -96,11 +98,13 @@ func TestOTLPTracing(t *testing.T) {
 			Exact:              true,
 			CheckDetachedSpans: true,
 		},
-		Match{Name: testEnvironmentLocalTest, TraceCount: 1, Services: []string{"Authorize", "Test Environment", "Control Plane", "Data Broker"}},
+		Match{Name: testEnvironmentLocalTest, TraceCount: 1, Services: []string{"Test Environment", "Control Plane", "Data Broker"}},
 		Match{Name: testEnvironmentAuthenticate, TraceCount: 1, Services: allServices},
 		Match{Name: authenticateOAuth2Client, TraceCount: Greater(0)},
 		Match{Name: idpServerGetUserinfo, TraceCount: EqualToMatch(authenticateOAuth2Client)},
 		Match{Name: idpServerPostToken, TraceCount: EqualToMatch(authenticateOAuth2Client)},
+		Match{Name: authorizeDatabrokerSync, TraceCount: Greater(0)},
+		Match{Name: authorizeDatabrokerSyncLatest, TraceCount: Greater(0)},
 		Match{Name: controlPlaneEnvoyDiscovery, TraceCount: 1},
 		Match{Name: controlPlaneExport, TraceCount: Greater(0)},
 		Match{Name: controlPlaneEnvoyAccessLogs, TraceCount: Any{}},
@ -283,6 +287,7 @@ func (s *SamplingTestSuite) TestExternalTraceparentNeverSample() {
 			"IDP: Server: POST /oidc/token":                           {},
 			"IDP: Server: GET /oidc/userinfo":                         {},
 			"Authenticate: OAuth2 Client: GET /.well-known/jwks.json": {},
+			"Authorize: databroker.DataBrokerService/SyncLatest":      {},
 		}
 		actual := slices.Collect(maps.Keys(traces.ByName))
 		for _, name := range actual {
--- a/pkg/storage/postgres/tracing_test.go
+++ b/pkg/storage/postgres/tracing_test.go
@ -58,12 +58,13 @@ func TestQueryTracing(t *testing.T) {
 		results := tracetest.NewTraceResults(receiver.FlushResourceSpans())
 		traces, exists := results.GetTraces().ByParticipant["Data Broker"]
 		require.True(t, exists)
-		require.Len(t, traces, 1)
 		var found bool
-		for _, span := range traces[0].Spans {
-			if span.Scope.GetName() == "github.com/exaring/otelpgx" {
-				found = true
-				break
+		for _, trace := range traces {
+			for _, span := range trace.Spans {
+				if span.Scope.GetName() == "github.com/exaring/otelpgx" {
+					found = true
+					break
+				}
 			}
 		}
 		assert.True(t, found, "no spans with otelpgx scope found")
--- a/pkg/storage/querier.go
+++ b/pkg/storage/querier.go
@ -3,6 +3,7 @@ package storage
 import (
 	"context"
 	"encoding/json"
+	"errors"

 	grpc "google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@ -14,10 +15,14 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpcutil"
 )

+// ErrUnavailable indicates that a querier is not available.
+var ErrUnavailable = errors.New("unavailable")
+
 // A Querier is a read-only subset of the client methods
 type Querier interface {
 	InvalidateCache(ctx context.Context, in *databroker.QueryRequest)
 	Query(ctx context.Context, in *databroker.QueryRequest, opts ...grpc.CallOption) (*databroker.QueryResponse, error)
+	Stop()
 }

 // nilQuerier always returns NotFound.
@ -26,9 +31,11 @@ type nilQuerier struct{}
 func (nilQuerier) InvalidateCache(_ context.Context, _ *databroker.QueryRequest) {}

 func (nilQuerier) Query(_ context.Context, _ *databroker.QueryRequest, _ ...grpc.CallOption) (*databroker.QueryResponse, error) {
-	return nil, status.Error(codes.NotFound, "not found")
+	return nil, errors.Join(ErrUnavailable, status.Error(codes.NotFound, "not found"))
 }

+func (nilQuerier) Stop() {}
+
 type querierKey struct{}

 // GetQuerier gets the databroker Querier from the context.
--- a/pkg/storage/querier_caching.go
+++ b/pkg/storage/querier_caching.go
@ -50,6 +50,8 @@ func (q *cachingQuerier) Query(ctx context.Context, in *databroker.QueryRequest,
 	return res, nil
 }

+func (*cachingQuerier) Stop() {}
+
 func (q *cachingQuerier) getCacheKey(in *databroker.QueryRequest) ([]byte, error) {
 	in = proto.Clone(in).(*databroker.QueryRequest)
 	in.MinimumRecordVersionHint = nil
--- a/pkg/storage/querier_client.go
+++ b/pkg/storage/querier_client.go
@ -23,3 +23,5 @@ func (q *clientQuerier) InvalidateCache(_ context.Context, _ *databroker.QueryRe
 func (q *clientQuerier) Query(ctx context.Context, in *databroker.QueryRequest, opts ...grpc.CallOption) (*databroker.QueryResponse, error) {
 	return q.client.Query(ctx, in, opts...)
 }
+
+func (*clientQuerier) Stop() {}
--- a/pkg/storage/querier_fallback.go
+++ b/pkg/storage/querier_fallback.go
@ -0,0 +1,49 @@
+package storage
+
+import (
+	"context"
+	"errors"
+
+	grpc "google.golang.org/grpc"
+
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+)
+
+type fallbackQuerier []Querier
+
+// NewFallbackQuerier creates a new fallback-querier. The first call to Query that
+// does not return an error will be used.
+func NewFallbackQuerier(queriers ...Querier) Querier {
+	return fallbackQuerier(queriers)
+}
+
+// InvalidateCache invalidates the cache of all the queriers.
+func (q fallbackQuerier) InvalidateCache(ctx context.Context, req *databroker.QueryRequest) {
+	for _, qq := range q {
+		qq.InvalidateCache(ctx, req)
+	}
+}
+
+// Query returns the first querier's results that doesn't result in an error.
+func (q fallbackQuerier) Query(ctx context.Context, req *databroker.QueryRequest, opts ...grpc.CallOption) (*databroker.QueryResponse, error) {
+	if len(q) == 0 {
+		return nil, ErrUnavailable
+	}
+
+	var merr error
+	for _, qq := range q {
+		res, err := qq.Query(ctx, req, opts...)
+		if err == nil {
+			return res, nil
+		}
+		merr = errors.Join(merr, err)
+	}
+	return nil, merr
+}
+
+// Stop stops all the queriers.
+func (q fallbackQuerier) Stop() {
+	for _, qq := range q {
+		qq.Stop()
+	}
+}
--- a/pkg/storage/querier_fallback_test.go
+++ b/pkg/storage/querier_fallback_test.go
@ -0,0 +1,36 @@
+package storage_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/testing/protocmp"
+
+	"github.com/pomerium/pomerium/internal/testutil"
+	databrokerpb "github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/storage"
+)
+
+func TestFallbackQuerier(t *testing.T) {
+	t.Parallel()
+
+	ctx := testutil.GetContext(t, time.Minute)
+	q1 := storage.GetQuerier(ctx) // nil querier
+	q2 := storage.NewStaticQuerier(&databrokerpb.Record{
+		Type:    "t1",
+		Id:      "r1",
+		Version: 1,
+	})
+	res, err := storage.NewFallbackQuerier(q1, q2).Query(ctx, &databrokerpb.QueryRequest{
+		Type:  "t1",
+		Limit: 1,
+	})
+	assert.NoError(t, err, "should fallback")
+	assert.Empty(t, cmp.Diff(&databrokerpb.QueryResponse{
+		Records:       []*databrokerpb.Record{{Type: "t1", Id: "r1", Version: 1}},
+		TotalCount:    1,
+		RecordVersion: 1,
+	}, res, protocmp.Transform()))
+}
--- a/pkg/storage/querier_static.go
+++ b/pkg/storage/querier_static.go
@ -81,3 +81,5 @@ func (q *staticQuerier) InvalidateCache(_ context.Context, _ *databroker.QueryRe
 func (q *staticQuerier) Query(_ context.Context, req *databroker.QueryRequest, _ ...grpc.CallOption) (*databroker.QueryResponse, error) {
 	return QueryRecordCollections(q.records, req)
 }
+
+func (*staticQuerier) Stop() {}
--- a/pkg/storage/querier_sync.go
+++ b/pkg/storage/querier_sync.go
@ -0,0 +1,184 @@
+package storage
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"sync"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	grpc "google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+
+	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+)
+
+type syncQuerier struct {
+	client     databroker.DataBrokerServiceClient
+	recordType string
+
+	cancel              context.CancelFunc
+	serverVersion       uint64
+	latestRecordVersion uint64
+
+	mu      sync.RWMutex
+	ready   bool
+	records RecordCollection
+}
+
+// NewSyncQuerier creates a new Querier backed by an in-memory record collection
+// filled via sync calls to the databroker.
+func NewSyncQuerier(
+	client databroker.DataBrokerServiceClient,
+	recordType string,
+) Querier {
+	q := &syncQuerier{
+		client:     client,
+		recordType: recordType,
+		records:    NewRecordCollection(),
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	q.cancel = cancel
+	go q.run(ctx)
+
+	return q
+}
+
+func (q *syncQuerier) InvalidateCache(_ context.Context, _ *databroker.QueryRequest) {
+	// do nothing
+}
+
+func (q *syncQuerier) Query(_ context.Context, req *databroker.QueryRequest, _ ...grpc.CallOption) (*databroker.QueryResponse, error) {
+	q.mu.RLock()
+	if !q.canHandleQueryLocked(req) {
+		q.mu.RUnlock()
+		return nil, ErrUnavailable
+	}
+	defer q.mu.RUnlock()
+	return QueryRecordCollections(map[string]RecordCollection{
+		q.recordType: q.records,
+	}, req)
+}
+
+func (q *syncQuerier) Stop() {
+	q.cancel()
+}
+
+func (q *syncQuerier) canHandleQueryLocked(req *databroker.QueryRequest) bool {
+	if !q.ready {
+		return false
+	}
+	if req.GetType() != q.recordType {
+		return false
+	}
+	if req.MinimumRecordVersionHint != nil && q.latestRecordVersion < *req.MinimumRecordVersionHint {
+		return false
+	}
+	return true
+}
+
+func (q *syncQuerier) run(ctx context.Context) {
+	bo := backoff.WithContext(backoff.NewExponentialBackOff(backoff.WithMaxElapsedTime(0)), ctx)
+	_ = backoff.RetryNotify(func() error {
+		if q.serverVersion == 0 {
+			err := q.syncLatest(ctx)
+			if err != nil {
+				return err
+			}
+		}
+
+		return q.sync(ctx)
+	}, bo, func(err error, d time.Duration) {
+		log.Ctx(ctx).Error().
+			Err(err).
+			Dur("delay", d).
+			Msg("storage/sync-querier: error syncing records")
+	})
+}
+
+func (q *syncQuerier) syncLatest(ctx context.Context) error {
+	stream, err := q.client.SyncLatest(ctx, &databroker.SyncLatestRequest{
+		Type: q.recordType,
+	})
+	if err != nil {
+		return fmt.Errorf("error starting sync latest stream: %w", err)
+	}
+
+	q.mu.Lock()
+	q.ready = false
+	q.records.Clear()
+	q.mu.Unlock()
+
+	for {
+		res, err := stream.Recv()
+		if errors.Is(err, io.EOF) {
+			break
+		} else if err != nil {
+			return fmt.Errorf("error receiving sync latest message: %w", err)
+		}
+
+		switch res := res.Response.(type) {
+		case *databroker.SyncLatestResponse_Record:
+			q.mu.Lock()
+			q.records.Put(res.Record)
+			q.mu.Unlock()
+		case *databroker.SyncLatestResponse_Versions:
+			q.mu.Lock()
+			q.serverVersion = res.Versions.ServerVersion
+			q.latestRecordVersion = res.Versions.LatestRecordVersion
+			q.mu.Unlock()
+		default:
+			return fmt.Errorf("unknown message type from sync latest: %T", res)
+		}
+	}
+
+	q.mu.Lock()
+	log.Ctx(ctx).Info().
+		Str("record-type", q.recordType).
+		Int("record-count", q.records.Len()).
+		Uint64("latest-record-version", q.latestRecordVersion).
+		Msg("storage/sync-querier: synced latest records")
+	q.ready = true
+	q.mu.Unlock()
+
+	return nil
+}
+
+func (q *syncQuerier) sync(ctx context.Context) error {
+	q.mu.RLock()
+	req := &databroker.SyncRequest{
+		ServerVersion: q.serverVersion,
+		RecordVersion: q.latestRecordVersion,
+		Type:          q.recordType,
+	}
+	q.mu.RUnlock()
+
+	stream, err := q.client.Sync(ctx, req)
+	if err != nil {
+		return fmt.Errorf("error starting sync stream: %w", err)
+	}
+
+	for {
+		res, err := stream.Recv()
+		if status.Code(err) == codes.Aborted {
+			// this indicates the server version changed, so we need to reset
+			q.mu.Lock()
+			q.serverVersion = 0
+			q.latestRecordVersion = 0
+			q.mu.Unlock()
+			return fmt.Errorf("stream was aborted due to mismatched server versions: %w", err)
+		} else if err != nil {
+			return fmt.Errorf("error receiving sync message: %w", err)
+		}
+
+		q.mu.Lock()
+		q.latestRecordVersion = max(q.latestRecordVersion, res.Record.Version)
+		q.records.Put(res.Record)
+		q.mu.Unlock()
+	}
+}
--- a/pkg/storage/querier_sync_test.go
+++ b/pkg/storage/querier_sync_test.go
@ -0,0 +1,89 @@
+package storage_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace/noop"
+	grpc "google.golang.org/grpc"
+	"google.golang.org/protobuf/testing/protocmp"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/pomerium/pomerium/internal/databroker"
+	"github.com/pomerium/pomerium/internal/testutil"
+	databrokerpb "github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/protoutil"
+	"github.com/pomerium/pomerium/pkg/storage"
+)
+
+func TestSyncQuerier(t *testing.T) {
+	t.Parallel()
+
+	ctx := testutil.GetContext(t, 10*time.Minute)
+	cc := testutil.NewGRPCServer(t, func(srv *grpc.Server) {
+		databrokerpb.RegisterDataBrokerServiceServer(srv, databroker.New(ctx, noop.NewTracerProvider()))
+	})
+	t.Cleanup(func() { cc.Close() })
+
+	client := databrokerpb.NewDataBrokerServiceClient(cc)
+
+	r1 := &databrokerpb.Record{
+		Type: "t1",
+		Id:   "r1",
+		Data: protoutil.ToAny("q2"),
+	}
+	_, err := client.Put(ctx, &databrokerpb.PutRequest{
+		Records: []*databrokerpb.Record{r1},
+	})
+	require.NoError(t, err)
+
+	r2 := &databrokerpb.Record{
+		Type: "t1",
+		Id:   "r2",
+		Data: protoutil.ToAny("q2"),
+	}
+
+	q := storage.NewSyncQuerier(client, "t1")
+	t.Cleanup(q.Stop)
+
+	assert.EventuallyWithT(t, func(c *assert.CollectT) {
+		res, err := q.Query(ctx, &databrokerpb.QueryRequest{
+			Type: "t1",
+			Filter: newStruct(t, map[string]any{
+				"id": "r1",
+			}),
+			Limit: 1,
+		})
+		if assert.NoError(c, err) && assert.Len(c, res.Records, 1) {
+			assert.Empty(c, cmp.Diff(r1.Data, res.Records[0].Data, protocmp.Transform()))
+		}
+	}, time.Second*10, time.Millisecond*50, "should sync records")
+
+	_, err = client.Put(ctx, &databrokerpb.PutRequest{
+		Records: []*databrokerpb.Record{r2},
+	})
+	require.NoError(t, err)
+
+	assert.EventuallyWithT(t, func(c *assert.CollectT) {
+		res, err := q.Query(ctx, &databrokerpb.QueryRequest{
+			Type: "t1",
+			Filter: newStruct(t, map[string]any{
+				"id": "r2",
+			}),
+			Limit: 1,
+		})
+		if assert.NoError(c, err) && assert.Len(c, res.Records, 1) {
+			assert.Empty(c, cmp.Diff(r2.Data, res.Records[0].Data, protocmp.Transform()))
+		}
+	}, time.Second*10, time.Millisecond*50, "should pick up changes")
+}
+
+func newStruct(t *testing.T, m map[string]any) *structpb.Struct {
+	t.Helper()
+	s, err := structpb.NewStruct(m)
+	require.NoError(t, err)
+	return s
+}
--- a/pkg/storage/querier_typed.go
+++ b/pkg/storage/querier_typed.go
@ -0,0 +1,45 @@
+package storage
+
+import (
+	"context"
+
+	grpc "google.golang.org/grpc"
+
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+)
+
+type typedQuerier struct {
+	defaultQuerier Querier
+	queriersByType map[string]Querier
+}
+
+// NewTypedQuerier creates a new Querier that dispatches to other queries based on the type.
+func NewTypedQuerier(defaultQuerier Querier, queriersByType map[string]Querier) Querier {
+	return &typedQuerier{
+		defaultQuerier: defaultQuerier,
+		queriersByType: queriersByType,
+	}
+}
+
+func (q *typedQuerier) InvalidateCache(ctx context.Context, req *databroker.QueryRequest) {
+	qq, ok := q.queriersByType[req.Type]
+	if !ok {
+		qq = q.defaultQuerier
+	}
+	qq.InvalidateCache(ctx, req)
+}
+
+func (q *typedQuerier) Query(ctx context.Context, req *databroker.QueryRequest, opts ...grpc.CallOption) (*databroker.QueryResponse, error) {
+	qq, ok := q.queriersByType[req.Type]
+	if !ok {
+		qq = q.defaultQuerier
+	}
+	return qq.Query(ctx, req, opts...)
+}
+
+func (q *typedQuerier) Stop() {
+	q.defaultQuerier.Stop()
+	for _, qq := range q.queriersByType {
+		qq.Stop()
+	}
+}
--- a/pkg/storage/querier_typed_test.go
+++ b/pkg/storage/querier_typed_test.go
@ -0,0 +1,68 @@
+package storage_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/testing/protocmp"
+
+	"github.com/pomerium/pomerium/internal/testutil"
+	databrokerpb "github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/storage"
+)
+
+func TestTypedQuerier(t *testing.T) {
+	t.Parallel()
+
+	ctx := testutil.GetContext(t, time.Minute)
+
+	q1 := storage.NewStaticQuerier(&databrokerpb.Record{
+		Type: "t1",
+		Id:   "r1",
+	})
+	q2 := storage.NewStaticQuerier(&databrokerpb.Record{
+		Type: "t2",
+		Id:   "r2",
+	})
+	q3 := storage.NewStaticQuerier(&databrokerpb.Record{
+		Type: "t3",
+		Id:   "r3",
+	})
+
+	q := storage.NewTypedQuerier(q1, map[string]storage.Querier{
+		"t2": q2,
+		"t3": q3,
+	})
+
+	res, err := q.Query(ctx, &databrokerpb.QueryRequest{
+		Type:  "t1",
+		Limit: 1,
+	})
+	assert.NoError(t, err)
+	assert.Empty(t, cmp.Diff(&databrokerpb.QueryResponse{
+		Records:    []*databrokerpb.Record{{Type: "t1", Id: "r1"}},
+		TotalCount: 1,
+	}, res, protocmp.Transform()))
+
+	res, err = q.Query(ctx, &databrokerpb.QueryRequest{
+		Type:  "t2",
+		Limit: 1,
+	})
+	assert.NoError(t, err)
+	assert.Empty(t, cmp.Diff(&databrokerpb.QueryResponse{
+		Records:    []*databrokerpb.Record{{Type: "t2", Id: "r2"}},
+		TotalCount: 1,
+	}, res, protocmp.Transform()))
+
+	res, err = q.Query(ctx, &databrokerpb.QueryRequest{
+		Type:  "t3",
+		Limit: 1,
+	})
+	assert.NoError(t, err)
+	assert.Empty(t, cmp.Diff(&databrokerpb.QueryResponse{
+		Records:    []*databrokerpb.Record{{Type: "t3", Id: "r3"}},
+		TotalCount: 1,
+	}, res, protocmp.Transform()))
+}
--- a/pkg/telemetry/trace/client_test.go
+++ b/pkg/telemetry/trace/client_test.go
@ -297,6 +297,8 @@ func (h *errHandler) Handle(err error) {
 }

 func TestNewTraceClientFromConfig(t *testing.T) {
+	t.Skip("failing because authorize uses databroker sync now")
+
 	env := testenv.New(t, testenv.WithTraceDebugFlags(testenv.StandardTraceDebugFlags))

 	receiver := scenarios.NewOTLPTraceReceiver()