config: allow blank identity providers when loading sessions for service account support (#3709)

2025-05-24 14:37:12 +02:00 · 2022-10-27 08:32:06 -06:00 · 2022-10-27 08:32:06 -06:00 · 6a9d6e45e1
commit 6a9d6e45e1
parent 1b596115e9
2 changed files with 25 additions and 7 deletions
--- a/config/session.go
+++ b/config/session.go
@ -69,14 +69,16 @@ func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, e
 	}
 	// confirm that the identity provider id matches the state
-	idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String())
+	if state.IdentityProviderID != "" {
-	if err != nil {
+		idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String())
-		return nil, err
+		if err != nil {
-	}
+			return nil, err
 		}
-	if idp.GetId() != state.IdentityProviderID {
+		if idp.GetId() != state.IdentityProviderID {
-		return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s",
+			return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s",
-			idp.GetId(), state.IdentityProviderID)
+				idp.GetId(), state.IdentityProviderID)
 		}
 	}
 	return &state, nil
--- a/config/session_test.go
+++ b/config/session_test.go
@ -125,4 +125,20 @@ func TestSessionStore_LoadSessionState(t *testing.T) {
 		assert.Error(t, err)
 		assert.Nil(t, s)
 	})
 	t.Run("blank idp", func(t *testing.T) {
 		rawJWS := makeJWS(t, &sessions.State{
 			Issuer: "authenticate.example.com",
 			ID:     "example",
 		})
 		r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil)
 		require.NoError(t, err)
 		r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS)
 		s, err := store.LoadSessionState(r)
 		assert.NoError(t, err)
 		assert.Empty(t, cmp.Diff(&sessions.State{
 			Issuer: "authenticate.example.com",
 			ID:     "example",
 		}, s))
 	})
 }