databroker: update identity manager to use route credentials (#5728)

## Summary Currently when we refresh sessions we always use the global IdP credentials. This PR updates the identity manager to use route settings when defined. To do this a new `idp_id` field is added to the session stored in the databroker. ## Related issues - [ENG-2595](https://linear.app/pomerium/issue/ENG-2595/refresh-using-custom-idp-uses-wrong-credentials) - https://github.com/pomerium/pomerium/issues/4759 ## Checklist - [x] reference any related issues - [x] updated unit tests - [x] add appropriate label (`enhancement`, `bug`, `breaking`, `dependencies`, `ci`) - [x] ready for review
2025-07-29 14:39:40 +02:00 · 2025-07-15 18:04:36 -06:00 · 2025-07-15 18:04:36 -06:00 · 622519e901
commit 622519e901
parent e5e799a868
14 changed files with 185 additions and 123 deletions
--- a/internal/authenticateflow/stateful.go
+++ b/internal/authenticateflow/stateful.go
@ -189,15 +189,13 @@ func (s *Stateful) PersistSession(
 	now := timeNow()
 	sessionExpiry := timestamppb.New(now.Add(s.sessionDuration))

-	sess := &session.Session{
-		Id:         sessionState.ID,
-		UserId:     sessionState.UserID(),
-		IssuedAt:   timestamppb.New(now),
-		AccessedAt: timestamppb.New(now),
-		ExpiresAt:  sessionExpiry,
-		OauthToken: manager.ToOAuthToken(accessToken),
-		Audience:   sessionState.Audience,
-	}
+	sess := session.New(sessionState.IdentityProviderID, sessionState.ID)
+	sess.UserId = sessionState.UserID()
+	sess.IssuedAt = timestamppb.New(now)
+	sess.AccessedAt = timestamppb.New(now)
+	sess.ExpiresAt = sessionExpiry
+	sess.OauthToken = manager.ToOAuthToken(accessToken)
+	sess.Audience = sessionState.Audience
 	sess.SetRawIDToken(claims.RawIDToken)
 	sess.AddClaims(claims.Flatten())

@ -236,9 +234,7 @@ func (s *Stateful) GetUserInfoData(
 		isImpersonated = true
 	}
 	if err != nil {
-		pbSession = &session.Session{
-			Id: sessionState.ID,
-		}
+		pbSession = session.New(sessionState.IdentityProviderID, sessionState.ID)
 	}

 	pbUser, err := user.Get(r.Context(), s.dataBrokerClient, pbSession.GetUserId())
--- a/internal/authenticateflow/stateless.go
+++ b/internal/authenticateflow/stateless.go
@ -415,7 +415,7 @@ func (s *Stateless) Callback(w http.ResponseWriter, r *http.Request) error {
 	ss := newSessionStateFromProfile(profile)
 	sess, err := session.Get(r.Context(), s.dataBrokerClient, ss.ID)
 	if err != nil {
-		sess = &session.Session{Id: ss.ID}
+		sess = session.New(ss.IdentityProviderID, ss.ID)
 	}
 	populateSessionFromProfile(sess, profile, ss, s.options.CookieExpire)
 	u, err := user.Get(r.Context(), s.dataBrokerClient, ss.UserID())