databroker: update identity manager to use route credentials (#5728)

## Summary Currently when we refresh sessions we always use the global IdP credentials. This PR updates the identity manager to use route settings when defined. To do this a new `idp_id` field is added to the session stored in the databroker. ## Related issues - [ENG-2595](https://linear.app/pomerium/issue/ENG-2595/refresh-using-custom-idp-uses-wrong-credentials) - https://github.com/pomerium/pomerium/issues/4759 ## Checklist - [x] reference any related issues - [x] updated unit tests - [x] add appropriate label (`enhancement`, `bug`, `breaking`, `dependencies`, `ci`) - [x] ready for review
2025-08-02 08:19:23 +02:00 · 2025-07-15 18:04:36 -06:00 · 2025-07-15 18:04:36 -06:00 · 622519e901
commit 622519e901
parent e5e799a868
14 changed files with 185 additions and 123 deletions
--- a/pkg/grpc/session/session.proto
+++ b/pkg/grpc/session/session.proto
@ -1,48 +1,49 @@
 syntax = "proto3";

 package session;
-option go_package = "github.com/pomerium/pomerium/pkg/grpc/session";
+option  go_package = "github.com/pomerium/pomerium/pkg/grpc/session";

 import "google/protobuf/empty.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";

 message IDToken {
-  string issuer = 1;
-  string subject = 2;
+  string                    issuer     = 1;
+  string                    subject    = 2;
  google.protobuf.Timestamp expires_at = 3;
-  google.protobuf.Timestamp issued_at = 4;
-  string raw = 5;
+  google.protobuf.Timestamp issued_at  = 4;
+  string                    raw        = 5;
 }

 message OAuthToken {
-  string access_token = 1;
-  string token_type = 2;
-  google.protobuf.Timestamp expires_at = 3;
-  string refresh_token = 4;
+  string                    access_token  = 1;
+  string                    token_type    = 2;
+  google.protobuf.Timestamp expires_at    = 3;
+  string                    refresh_token = 4;
 }

 message Session {
  message DeviceCredential {
    string type_id = 1;
-    oneof credential {
+    oneof  credential {
      google.protobuf.Empty unavailable = 2;
-      string id = 3;
+      string                id          = 3;
    }
  }

-  string version = 1;
-  string id = 2;
-  string user_id = 3;
-  repeated DeviceCredential device_credentials = 17;
-  google.protobuf.Timestamp issued_at = 14;
-  google.protobuf.Timestamp expires_at = 4;
-  google.protobuf.Timestamp accessed_at = 18;
-  IDToken id_token = 6;
-  OAuthToken oauth_token = 7;
-  map<string, google.protobuf.ListValue> claims = 9;
-  repeated string audience = 10;
-  bool refresh_disabled = 19;
+  string                                 version            = 1;
+  string                                 id                 = 2;
+  string                                 user_id            = 3;
+  repeated DeviceCredential              device_credentials = 17;
+  google.protobuf.Timestamp              issued_at          = 14;
+  google.protobuf.Timestamp              expires_at         = 4;
+  google.protobuf.Timestamp              accessed_at        = 18;
+  IDToken                                id_token           = 6;
+  OAuthToken                             oauth_token        = 7;
+  map<string, google.protobuf.ListValue> claims             = 9;
+  repeated string                        audience           = 10;
+  bool                                   refresh_disabled   = 19;
+  string                                 idp_id             = 20;

  optional string impersonate_session_id = 15;
 }