sessions: check idp id to detect provider changes to force session invalidation (#3707)

* sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test
2025-06-01 02:12:50 +02:00 · 2022-10-25 16:20:32 -06:00 · 2022-10-25 16:20:32 -06:00 · 30bdae3d9e
commit 30bdae3d9e
parent 3f7a482815
14 changed files with 265 additions and 193 deletions
--- a/config/identity.go
+++ b/config/identity.go
@ -1,14 +1,16 @@
 package config

 import (
+	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/grpc/identity"
 )

 // GetIdentityProviderForID returns the identity provider associated with the given IDP id.
 // If none is found the default provider is returned.
 func (o *Options) GetIdentityProviderForID(idpID string) (*identity.Provider, error) {
-	for _, policy := range o.GetAllPolicies() {
-		idp, err := o.GetIdentityProviderForPolicy(&policy) //nolint
+	for _, p := range o.GetAllPolicies() {
+		p := p
+		idp, err := o.GetIdentityProviderForPolicy(&p)
 		if err != nil {
 			return nil, err
 		}
@ -48,3 +50,19 @@ func (o *Options) GetIdentityProviderForPolicy(policy *Policy) (*identity.Provid
 	idp.Id = idp.Hash()
 	return idp, nil
 }
+
+// GetIdentityProviderForRequestURL gets the identity provider associated with the given request URL.
+func (o *Options) GetIdentityProviderForRequestURL(requestURL string) (*identity.Provider, error) {
+	u, err := urlutil.ParseAndValidateURL(requestURL)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, p := range o.GetAllPolicies() {
+		p := p
+		if p.Matches(*u) {
+			return o.GetIdentityProviderForPolicy(&p)
+		}
+	}
+	return o.GetIdentityProviderForPolicy(nil)
+}