fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162)

* fix redirect loop, remove user/session services, remove duplicate deleted_at fields * change loop * reuse err variable * wrap errors, use cookie timeout * wrap error, duplicate if
2025-05-10 23:57:34 +02:00 · 2020-07-30 09:41:57 -06:00 · 2020-07-30 09:41:57 -06:00 · 97f85481f8
commit 97f85481f8
parent 714363fb07
16 changed files with 288 additions and 918 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -30,8 +30,6 @@ import (
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 // ValidateOptions checks that configuration are complete and valid.
@ -101,12 +99,6 @@ type Authenticate struct {
 	// dataBrokerClient is used to retrieve sessions
 	dataBrokerClient databroker.DataBrokerServiceClient
 	// sessionClient is used to create sessions
 	sessionClient session.SessionServiceClient
 	// userClient is used to update users
 	userClient user.UserServiceClient
 	// guard administrator below.
 	administratorMu sync.Mutex
 	// administrators keeps track of administrator users.
@ -164,8 +156,6 @@ func New(opts *config.Options) (*Authenticate, error) {
 	}
 	dataBrokerClient := databroker.NewDataBrokerServiceClient(dataBrokerConn)
 	sessionClient := session.NewSessionServiceClient(dataBrokerConn)
 	userClient := user.NewUserServiceClient(dataBrokerConn)
 	qpStore := queryparam.NewStore(encryptedEncoder, urlutil.QueryProgrammaticToken)
 	headerStore := header.NewStore(encryptedEncoder, httputil.AuthorizationTypePomerium)
@ -207,8 +197,6 @@ func New(opts *config.Options) (*Authenticate, error) {
 		providerName: opts.Provider,
 		// grpc client for cache
 		dataBrokerClient: dataBrokerClient,
 		sessionClient:    sessionClient,
 		userClient:       userClient,
 		jwk:              &jose.JSONWebKeySet{},
 		templates:        template.Must(frontend.NewTemplates()),
 	}
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -444,16 +444,10 @@ func (a *Authenticate) getSessionFromCtx(ctx context.Context) (*sessions.State,
 }
 func (a *Authenticate) deleteSession(ctx context.Context, sessionID string) error {
-	if a.sessionClient == nil {
+	if a.dataBrokerClient == nil {
 		return nil
 	}
-
+	err := session.Delete(ctx, a.dataBrokerClient, sessionID)
 	_, err := a.sessionClient.Add(ctx, &session.AddRequest{
 		Session: &session.Session{
 			Id:        sessionID,
 			DeletedAt: ptypes.TimestampNow(),
 		},
 	})
 	return err
 }
@ -534,11 +528,11 @@ func (a *Authenticate) Dashboard(w http.ResponseWriter, r *http.Request) error {
 }
 func (a *Authenticate) saveSessionToDataBroker(ctx context.Context, sessionState *sessions.State, accessToken *oauth2.Token) error {
-	if a.sessionClient == nil || a.userClient == nil {
+	if a.dataBrokerClient == nil {
 		return nil
 	}
-	sessionExpiry, _ := ptypes.TimestampProto(time.Now().Add(time.Hour))
+	sessionExpiry, _ := ptypes.TimestampProto(time.Now().Add(a.cookieOptions.Expire))
 	var idTokenExpiry *timestamppb.Timestamp
 	if sessionState.Expiry != nil {
 		idTokenExpiry, _ = ptypes.TimestampProto(sessionState.Expiry.Time())
@ -570,17 +564,13 @@ func (a *Authenticate) saveSessionToDataBroker(ctx context.Context, sessionState
 		if err != nil {
 			return fmt.Errorf("authenticate: error retrieving user info: %w", err)
 		}
-		_, err = a.userClient.Add(ctx, &user.AddRequest{
+		_, err = user.Set(ctx, a.dataBrokerClient, mu.User)
 			User: mu.User,
 		})
 		if err != nil {
 			return fmt.Errorf("authenticate: error saving user: %w", err)
 		}
 	}
-	res, err := a.sessionClient.Add(ctx, &session.AddRequest{
+	res, err := session.Set(ctx, a.dataBrokerClient, s)
 		Session: s,
 	})
 	if err != nil {
 		return fmt.Errorf("authenticate: error saving session: %w", err)
 	}
--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
@ -14,6 +14,7 @@ import (
 	"time"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
@ -238,6 +239,9 @@ func TestAuthenticate_SignOut(t *testing.T) {
 				templates:        template.Must(frontend.NewTemplates()),
 				sharedEncoder:    mock.Encoder{},
 				dataBrokerClient: mockDataBrokerServiceClient{
 					delete: func(ctx context.Context, in *databroker.DeleteRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 						return nil, nil
 					},
 					get: func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
 						data, err := ptypes.MarshalAny(&session.Session{
 							Id: "SESSION_ID",
@ -626,9 +630,14 @@ func TestAuthenticate_Dashboard(t *testing.T) {
 type mockDataBrokerServiceClient struct {
 	databroker.DataBrokerServiceClient
 	delete func(ctx context.Context, in *databroker.DeleteRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	get    func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error)
 }
 func (m mockDataBrokerServiceClient) Delete(ctx context.Context, in *databroker.DeleteRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 	return m.delete(ctx, in, opts...)
 }
 func (m mockDataBrokerServiceClient) Get(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
 	return m.get(ctx, in, opts...)
 }
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@ -87,9 +87,6 @@ func (a *Authorize) forceSync(ctx context.Context, ss *sessions.State) error {
 	if s == nil {
 		return errors.New("session not found")
 	}
 	if s.DeletedAt != nil {
 		return errors.New("session was deleted")
 	}
 	a.forceSyncUser(ctx, s.GetUserId())
 	return nil
 }
--- a/cache/cache.go
+++ b/cache/cache.go
@ -19,16 +19,12 @@ import (
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 // Cache represents the cache service. The cache service is a simple interface
 // for storing keyed blobs (bytes) of unstructured data.
 type Cache struct {
 	dataBrokerServer *DataBrokerServer
 	sessionServer    *SessionServer
 	userServer       *UserServer
 	manager          *manager.Manager
 	localListener                net.Listener
@ -73,16 +69,10 @@ func New(opts config.Options) (*Cache, error) {
 	dataBrokerServer := NewDataBrokerServer(localGRPCServer, opts)
 	dataBrokerClient := databroker.NewDataBrokerServiceClient(localGRPCConnection)
 	sessionServer := NewSessionServer(localGRPCServer, dataBrokerClient)
 	sessionClient := session.NewSessionServiceClient(localGRPCConnection)
 	userServer := NewUserServer(localGRPCServer, dataBrokerClient)
 	userClient := user.NewUserServiceClient(localGRPCConnection)
 	manager := manager.New(
 		authenticator,
 		directoryProvider,
 		sessionClient,
 		userClient,
 		dataBrokerClient,
 		manager.WithGroupRefreshInterval(opts.RefreshDirectoryInterval),
 		manager.WithGroupRefreshTimeout(opts.RefreshDirectoryTimeout),
@ -90,8 +80,6 @@ func New(opts config.Options) (*Cache, error) {
 	return &Cache{
 		dataBrokerServer: dataBrokerServer,
 		sessionServer:    sessionServer,
 		userServer:       userServer,
 		manager:          manager,
 		localListener:                localListener,
@ -104,8 +92,6 @@ func New(opts config.Options) (*Cache, error) {
 // Register registers all the gRPC services with the given server.
 func (c *Cache) Register(grpcServer *grpc.Server) {
 	databroker.RegisterDataBrokerServiceServer(grpcServer, c.dataBrokerServer)
 	session.RegisterSessionServiceServer(grpcServer, c.sessionServer)
 	user.RegisterUserServiceServer(grpcServer, c.userServer)
 }
 // Run runs the cache components.
--- a/cache/session.go
+++ b/cache/session.go
@ -1,95 +0,0 @@
 package cache
 import (
 	"context"
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 )
 // SessionServer implements the session service interface for adding and syncing sessions.
 type SessionServer struct {
 	dataBrokerClient databroker.DataBrokerServiceClient
 }
 // NewSessionServer creates a new SessionServer.
 func NewSessionServer(grpcServer *grpc.Server, dataBrokerClient databroker.DataBrokerServiceClient) *SessionServer {
 	srv := &SessionServer{
 		dataBrokerClient: dataBrokerClient,
 	}
 	session.RegisterSessionServiceServer(grpcServer, srv)
 	return srv
 }
 // Delete deletes a session from the session server.
 func (srv *SessionServer) Delete(ctx context.Context, req *session.DeleteRequest) (*emptypb.Empty, error) {
 	ctx, span := trace.StartSpan(ctx, "session.grpc.Delete")
 	defer span.End()
 	log.Info().
 		Str("service", "session").
 		Str("session_id", req.GetId()).
 		Msg("delete")
 	data, err := ptypes.MarshalAny(new(session.Session))
 	if err != nil {
 		return nil, err
 	}
 	return srv.dataBrokerClient.Delete(ctx, &databroker.DeleteRequest{
 		Type: data.GetTypeUrl(),
 		Id:   req.GetId(),
 	})
 }
 // Add adds a session to the session server.
 func (srv *SessionServer) Add(ctx context.Context, req *session.AddRequest) (*session.AddResponse, error) {
 	ctx, span := trace.StartSpan(ctx, "session.grpc.Add")
 	defer span.End()
 	log.Info().
 		Str("service", "session").
 		Str("session_id", req.GetSession().GetId()).
 		Msg("add")
 	s := req.GetSession()
 	data, err := ptypes.MarshalAny(s)
 	if err != nil {
 		return nil, err
 	}
 	res, err := srv.dataBrokerClient.Set(ctx, &databroker.SetRequest{
 		Type: data.GetTypeUrl(),
 		Id:   s.GetId(),
 		Data: data,
 	})
 	if err != nil {
 		return nil, err
 	}
 	s.Version = res.GetServerVersion()
 	data, err = ptypes.MarshalAny(s)
 	if err != nil {
 		return nil, err
 	}
 	res, err = srv.dataBrokerClient.Set(ctx, &databroker.SetRequest{
 		Type: data.GetTypeUrl(),
 		Id:   s.GetId(),
 		Data: data,
 	})
 	if err != nil {
 		return nil, err
 	}
 	return &session.AddResponse{
 		Session:       req.Session,
 		ServerVersion: res.GetServerVersion(),
 	}, nil
 }
--- a/cache/user.go
+++ b/cache/user.go
@ -1,54 +0,0 @@
 package cache
 import (
 	"context"
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 // UserServer implements the user service interface for syncing users.
 type UserServer struct {
 	dataBrokerClient databroker.DataBrokerServiceClient
 }
 // NewUserServer creates a new UserServer.
 func NewUserServer(grpcServer *grpc.Server, dataBrokerClient databroker.DataBrokerServiceClient) *UserServer {
 	srv := &UserServer{
 		dataBrokerClient: dataBrokerClient,
 	}
 	user.RegisterUserServiceServer(grpcServer, srv)
 	return srv
 }
 // Add adds a user to the user server.
 func (srv *UserServer) Add(ctx context.Context, req *user.AddRequest) (*emptypb.Empty, error) {
 	ctx, span := trace.StartSpan(ctx, "user.grpc.Add")
 	defer span.End()
 	log.Info().
 		Str("service", "user").
 		Str("user_id", req.GetUser().GetId()).
 		Msg("add")
 	data, err := ptypes.MarshalAny(req.GetUser())
 	if err != nil {
 		return nil, err
 	}
 	_, err = srv.dataBrokerClient.Set(ctx, &databroker.SetRequest{
 		Type: data.GetTypeUrl(),
 		Id:   req.GetUser().GetId(),
 		Data: data,
 	})
 	if err != nil {
 		return nil, err
 	}
 	return new(emptypb.Empty), nil
 }
--- a/internal/databroker/server.go
+++ b/internal/databroker/server.go
@ -140,6 +140,9 @@ func (srv *Server) Get(ctx context.Context, req *databroker.GetRequest) (*databr
 	if err != nil {
 		return nil, status.Error(codes.NotFound, "record not found")
 	}
 	if record.DeletedAt != nil {
 		return nil, status.Error(codes.NotFound, "record not found")
 	}
 	return &databroker.GetResponse{Record: record}, nil
 }
@ -155,16 +158,27 @@ func (srv *Server) GetAll(ctx context.Context, req *databroker.GetAllRequest) (*
 	if err != nil {
 		return nil, err
 	}
-	records, err := db.GetAll(ctx)
+
 	all, err := db.GetAll(ctx)
 	if err != nil {
 		return nil, err
 	}
 	if len(all) == 0 {
 		return &databroker.GetAllResponse{ServerVersion: srv.version}, nil
 	}
 	var recordVersion string
-	for _, record := range records {
+	records := make([]*databroker.Record, 0, len(all))
 	for _, record := range all {
 		if record.GetVersion() > recordVersion {
 			recordVersion = record.GetVersion()
 		}
 		if record.DeletedAt == nil {
 			records = append(records, record)
 		}
 	}
 	return &databroker.GetAllResponse{
 		ServerVersion: srv.version,
 		RecordVersion: recordVersion,
--- a/internal/databroker/server_test.go
+++ b/internal/databroker/server_test.go
@ -8,10 +8,14 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/anypb"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/signal"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/storage"
 )
@ -80,3 +84,58 @@ func TestServer_initVersion(t *testing.T) {
 		assert.Equal(t, srvVersion, srv.version)
 	})
 }
 func TestServer_Get(t *testing.T) {
 	cfg := newServerConfig()
 	t.Run("ignore deleted", func(t *testing.T) {
 		srv := newServer(cfg)
 		s := new(session.Session)
 		s.Id = "1"
 		any, err := anypb.New(s)
 		assert.NoError(t, err)
 		srv.Set(context.Background(), &databroker.SetRequest{
 			Type: any.TypeUrl,
 			Id:   s.Id,
 			Data: any,
 		})
 		srv.Delete(context.Background(), &databroker.DeleteRequest{
 			Type: any.TypeUrl,
 			Id:   s.Id,
 		})
 		_, err = srv.Get(context.Background(), &databroker.GetRequest{
 			Type: any.TypeUrl,
 			Id:   s.Id,
 		})
 		assert.Error(t, err)
 		assert.Equal(t, codes.NotFound, status.Code(err))
 	})
 }
 func TestServer_GetAll(t *testing.T) {
 	cfg := newServerConfig()
 	t.Run("ignore deleted", func(t *testing.T) {
 		srv := newServer(cfg)
 		s := new(session.Session)
 		s.Id = "1"
 		any, err := anypb.New(s)
 		assert.NoError(t, err)
 		srv.Set(context.Background(), &databroker.SetRequest{
 			Type: any.TypeUrl,
 			Id:   s.Id,
 			Data: any,
 		})
 		srv.Delete(context.Background(), &databroker.DeleteRequest{
 			Type: any.TypeUrl,
 			Id:   s.Id,
 		})
 		res, err := srv.GetAll(context.Background(), &databroker.GetAllRequest{
 			Type: any.TypeUrl,
 		})
 		assert.NoError(t, err)
 		assert.Len(t, res.GetRecords(), 0)
 	})
 }
--- a/internal/identity/manager/manager.go
+++ b/internal/identity/manager/manager.go
@ -29,13 +29,22 @@ type Authenticator interface {
 	UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error
 }
 type (
 	sessionMessage struct {
 		record  *databroker.Record
 		session *session.Session
 	}
 	userMessage struct {
 		record *databroker.Record
 		user   *user.User
 	}
 )
 // A Manager refreshes identity information using session and user data.
 type Manager struct {
 	cfg              *config
 	authenticator    Authenticator
 	directory        directory.Provider
 	sessionClient    session.SessionServiceClient
 	userClient       user.UserServiceClient
 	dataBrokerClient databroker.DataBrokerServiceClient
 	log              zerolog.Logger
@ -60,8 +69,6 @@ type Manager struct {
 func New(
 	authenticator Authenticator,
 	directoryProvider directory.Provider,
 	sessionClient session.SessionServiceClient,
 	userClient user.UserServiceClient,
 	dataBrokerClient databroker.DataBrokerServiceClient,
 	options ...Option,
 ) *Manager {
@ -69,8 +76,6 @@ func New(
 		cfg:              newConfig(options...),
 		authenticator:    authenticator,
 		directory:        directoryProvider,
 		sessionClient:    sessionClient,
 		userClient:       userClient,
 		dataBrokerClient: dataBrokerClient,
 		log:              log.With().Str("service", "identity_manager").Logger(),
@ -100,12 +105,12 @@ func (mgr *Manager) Run(ctx context.Context) error {
 	t, ctx := tomb.WithContext(ctx)
-	updatedSession := make(chan *session.Session, 1)
+	updatedSession := make(chan sessionMessage, 1)
 	t.Go(func() error {
 		return mgr.syncSessions(ctx, updatedSession)
 	})
-	updatedUser := make(chan *user.User, 1)
+	updatedUser := make(chan userMessage, 1)
 	t.Go(func() error {
 		return mgr.syncUsers(ctx, updatedUser)
 	})
@ -129,8 +134,8 @@ func (mgr *Manager) Run(ctx context.Context) error {
 func (mgr *Manager) refreshLoop(
 	ctx context.Context,
-	updatedSession <-chan *session.Session,
+	updatedSession <-chan sessionMessage,
-	updatedUser <-chan *user.User,
+	updatedUser <-chan userMessage,
 	updatedDirectoryUser <-chan *directory.User,
 	updatedDirectoryGroup <-chan *directory.Group,
 ) error {
@ -361,7 +366,7 @@ func (mgr *Manager) refreshSession(ctx context.Context, userID, sessionID string
 	}
 	s.OauthToken = ToOAuthToken(newToken)
-	_, err = mgr.sessionClient.Add(ctx, &session.AddRequest{Session: s.Session})
+	res, err := session.Set(ctx, mgr.dataBrokerClient, s.Session)
 	if err != nil {
 		mgr.log.Error().Err(err).
 			Str("user_id", s.GetUserId()).
@ -370,7 +375,7 @@ func (mgr *Manager) refreshSession(ctx context.Context, userID, sessionID string
 		return
 	}
-	mgr.onUpdateSession(ctx, s.Session)
+	mgr.onUpdateSession(ctx, sessionMessage{record: res.GetRecord(), session: s.Session})
 }
 func (mgr *Manager) refreshUser(ctx context.Context, userID string) {
@ -412,7 +417,7 @@ func (mgr *Manager) refreshUser(ctx context.Context, userID string) {
 			continue
 		}
-		_, err = mgr.userClient.Add(ctx, &user.AddRequest{User: u.User})
+		record, err := user.Set(ctx, mgr.dataBrokerClient, u.User)
 		if err != nil {
 			mgr.log.Error().Err(err).
 				Str("user_id", s.GetUserId()).
@ -421,11 +426,11 @@ func (mgr *Manager) refreshUser(ctx context.Context, userID string) {
 			continue
 		}
-		mgr.onUpdateUser(ctx, u.User)
+		mgr.onUpdateUser(ctx, userMessage{record: record, user: u.User})
 	}
 }
-func (mgr *Manager) syncSessions(ctx context.Context, ch chan<- *session.Session) error {
+func (mgr *Manager) syncSessions(ctx context.Context, ch chan<- sessionMessage) error {
 	mgr.log.Info().Msg("syncing sessions")
 	any, err := ptypes.MarshalAny(new(session.Session))
@ -455,13 +460,13 @@ func (mgr *Manager) syncSessions(ctx context.Context, ch chan<- *session.Session
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
-			case ch <- &pbSession:
+			case ch <- sessionMessage{record: record, session: &pbSession}:
 			}
 		}
 	}
 }
-func (mgr *Manager) syncUsers(ctx context.Context, ch chan<- *user.User) error {
+func (mgr *Manager) syncUsers(ctx context.Context, ch chan<- userMessage) error {
 	mgr.log.Info().Msg("syncing users")
 	any, err := ptypes.MarshalAny(new(user.User))
@ -491,7 +496,7 @@ func (mgr *Manager) syncUsers(ctx context.Context, ch chan<- *user.User) error {
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
-			case ch <- &pbUser:
+			case ch <- userMessage{record: record, user: &pbUser}:
 			}
 		}
 	}
@ -635,44 +640,44 @@ func (mgr *Manager) syncDirectoryGroups(ctx context.Context, ch chan<- *director
 	}
 }
-func (mgr *Manager) onUpdateSession(ctx context.Context, pbSession *session.Session) {
+func (mgr *Manager) onUpdateSession(ctx context.Context, msg sessionMessage) {
-	mgr.sessionScheduler.Remove(toSessionSchedulerKey(pbSession.GetUserId(), pbSession.GetId()))
+	mgr.sessionScheduler.Remove(toSessionSchedulerKey(msg.session.GetUserId(), msg.session.GetId()))
-	if pbSession.GetDeletedAt() != nil {
+	if msg.record.GetDeletedAt() != nil {
 		// remove from local store
-		mgr.sessions.Delete(pbSession.GetUserId(), pbSession.GetId())
+		mgr.sessions.Delete(msg.session.GetUserId(), msg.session.GetId())
 		return
 	}
 	// update session
-	s, _ := mgr.sessions.Get(pbSession.GetUserId(), pbSession.GetId())
+	s, _ := mgr.sessions.Get(msg.session.GetUserId(), msg.session.GetId())
 	s.lastRefresh = time.Now()
 	s.gracePeriod = mgr.cfg.sessionRefreshGracePeriod
 	s.coolOffDuration = mgr.cfg.sessionRefreshCoolOffDuration
-	s.Session = pbSession
+	s.Session = msg.session
 	mgr.sessions.ReplaceOrInsert(s)
-	mgr.sessionScheduler.Add(s.NextRefresh(), toSessionSchedulerKey(pbSession.GetUserId(), pbSession.GetId()))
+	mgr.sessionScheduler.Add(s.NextRefresh(), toSessionSchedulerKey(msg.session.GetUserId(), msg.session.GetId()))
 	// create the user if it doesn't exist yet
-	if _, ok := mgr.users.Get(pbSession.GetUserId()); !ok {
+	if _, ok := mgr.users.Get(msg.session.GetUserId()); !ok {
-		mgr.createUser(ctx, pbSession)
+		mgr.createUser(ctx, msg.session)
 	}
 }
-func (mgr *Manager) onUpdateUser(_ context.Context, pbUser *user.User) {
+func (mgr *Manager) onUpdateUser(_ context.Context, msg userMessage) {
-	if pbUser.DeletedAt != nil {
+	if msg.record.DeletedAt != nil {
-		mgr.users.Delete(pbUser.GetId())
+		mgr.users.Delete(msg.user.GetId())
-		mgr.userScheduler.Remove(pbUser.GetId())
+		mgr.userScheduler.Remove(msg.user.GetId())
 		return
 	}
-	u, ok := mgr.users.Get(pbUser.GetId())
+	u, ok := mgr.users.Get(msg.user.GetId())
 	if ok {
 		// only reset the refresh time if this is an existing user
 		u.lastRefresh = time.Now()
 	}
 	u.refreshInterval = mgr.cfg.groupRefreshInterval
-	u.User = pbUser
+	u.User = msg.user
 	mgr.users.ReplaceOrInsert(u)
 	mgr.userScheduler.Add(u.NextRefresh(), u.GetId())
 }
@ -692,7 +697,7 @@ func (mgr *Manager) createUser(ctx context.Context, pbSession *session.Session)
 		},
 	}
-	_, err := mgr.userClient.Add(ctx, &user.AddRequest{User: u.User})
+	_, err := user.Set(ctx, mgr.dataBrokerClient, u.User)
 	if err != nil {
 		mgr.log.Error().Err(err).
 			Str("user_id", pbSession.GetUserId()).
@ -702,8 +707,7 @@ func (mgr *Manager) createUser(ctx context.Context, pbSession *session.Session)
 }
 func (mgr *Manager) deleteSession(ctx context.Context, pbSession *session.Session) {
-	pbSession.DeletedAt = ptypes.TimestampNow()
+	err := session.Delete(ctx, mgr.dataBrokerClient, pbSession.GetId())
 	_, err := mgr.sessionClient.Add(ctx, &session.AddRequest{Session: pbSession})
 	if err != nil {
 		mgr.log.Error().Err(err).
 			Str("session_id", pbSession.GetId()).
--- a/pkg/grpc/session/session.go
+++ b/pkg/grpc/session/session.go
@ -3,12 +3,27 @@ package session
 import (
 	context "context"
 	"fmt"
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/types/known/anypb"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 // Delete deletes a session from the databroker.
 func Delete(ctx context.Context, client databroker.DataBrokerServiceClient, sessionID string) error {
 	any, _ := ptypes.MarshalAny(new(Session))
 	_, err := client.Delete(ctx, &databroker.DeleteRequest{
 		Type: any.GetTypeUrl(),
 		Id:   sessionID,
 	})
 	if err != nil {
 		return fmt.Errorf("error deleting session: %w", err)
 	}
 	return nil
 }
 // Get gets a session from the databroker.
 func Get(ctx context.Context, client databroker.DataBrokerServiceClient, sessionID string) (*Session, error) {
 	any, _ := ptypes.MarshalAny(new(Session))
@ -18,13 +33,27 @@ func Get(ctx context.Context, client databroker.DataBrokerServiceClient, session
 		Id:   sessionID,
 	})
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting session from databroker: %w", err)
 	}
 	var s Session
 	err = ptypes.UnmarshalAny(res.GetRecord().GetData(), &s)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error unmarshaling session from databroker: %w", err)
 	}
 	return &s, nil
 }
 // Set sets a session in the databroker.
 func Set(ctx context.Context, client databroker.DataBrokerServiceClient, s *Session) (*databroker.SetResponse, error) {
 	any, _ := anypb.New(s)
 	res, err := client.Set(ctx, &databroker.SetRequest{
 		Type: any.GetTypeUrl(),
 		Id:   s.Id,
 		Data: any,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("error setting session in databroker: %w", err)
 	}
 	return res, nil
 }
--- a/pkg/grpc/session/session.pb.go
+++ b/pkg/grpc/session/session.pb.go
@ -7,14 +7,9 @@
 package session
 import (
 	context "context"
 	proto "github.com/golang/protobuf/proto"
 	any "github.com/golang/protobuf/ptypes/any"
 	empty "github.com/golang/protobuf/ptypes/empty"
 	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@ -183,7 +178,6 @@ type Session struct {
 	Id         string               `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
 	UserId     string               `protobuf:"bytes,3,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
 	ExpiresAt  *timestamp.Timestamp `protobuf:"bytes,4,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"`
 	DeletedAt  *timestamp.Timestamp `protobuf:"bytes,5,opt,name=deleted_at,json=deletedAt,proto3" json:"deleted_at,omitempty"`
 	IdToken    *IDToken             `protobuf:"bytes,6,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"`
 	OauthToken *OAuthToken          `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"`
 	Claims     map[string]*any.Any  `protobuf:"bytes,8,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
@ -249,13 +243,6 @@ func (x *Session) GetExpiresAt() *timestamp.Timestamp {
 	return nil
 }
 func (x *Session) GetDeletedAt() *timestamp.Timestamp {
 	if x != nil {
 		return x.DeletedAt
 	}
 	return nil
 }
 func (x *Session) GetIdToken() *IDToken {
 	if x != nil {
 		return x.IdToken
@ -277,238 +264,64 @@ func (x *Session) GetClaims() map[string]*any.Any {
 	return nil
 }
 type AddRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Session *Session `protobuf:"bytes,1,opt,name=session,proto3" json:"session,omitempty"`
 }
 func (x *AddRequest) Reset() {
 	*x = AddRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_session_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *AddRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*AddRequest) ProtoMessage() {}
 func (x *AddRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_session_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use AddRequest.ProtoReflect.Descriptor instead.
 func (*AddRequest) Descriptor() ([]byte, []int) {
 	return file_session_proto_rawDescGZIP(), []int{3}
 }
 func (x *AddRequest) GetSession() *Session {
 	if x != nil {
 		return x.Session
 	}
 	return nil
 }
 type AddResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Session       *Session `protobuf:"bytes,1,opt,name=session,proto3" json:"session,omitempty"`
 	ServerVersion string   `protobuf:"bytes,2,opt,name=server_version,json=serverVersion,proto3" json:"server_version,omitempty"`
 }
 func (x *AddResponse) Reset() {
 	*x = AddResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_session_proto_msgTypes[4]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *AddResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*AddResponse) ProtoMessage() {}
 func (x *AddResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_session_proto_msgTypes[4]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use AddResponse.ProtoReflect.Descriptor instead.
 func (*AddResponse) Descriptor() ([]byte, []int) {
 	return file_session_proto_rawDescGZIP(), []int{4}
 }
 func (x *AddResponse) GetSession() *Session {
 	if x != nil {
 		return x.Session
 	}
 	return nil
 }
 func (x *AddResponse) GetServerVersion() string {
 	if x != nil {
 		return x.ServerVersion
 	}
 	return ""
 }
 type DeleteRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 }
 func (x *DeleteRequest) Reset() {
 	*x = DeleteRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_session_proto_msgTypes[5]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *DeleteRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*DeleteRequest) ProtoMessage() {}
 func (x *DeleteRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_session_proto_msgTypes[5]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use DeleteRequest.ProtoReflect.Descriptor instead.
 func (*DeleteRequest) Descriptor() ([]byte, []int) {
 	return file_session_proto_rawDescGZIP(), []int{5}
 }
 func (x *DeleteRequest) GetId() string {
 	if x != nil {
 		return x.Id
 	}
 	return ""
 }
 var File_session_proto protoreflect.FileDescriptor
 var file_session_proto_rawDesc = []byte{
 	0x0a, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x07, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
 	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70,
-	0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
+	0x72, 0x6f, 0x74, 0x6f, 0x22, 0xaf, 0x01, 0x0a, 0x07, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
-	0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x6f, 0x22, 0xaf, 0x01, 0x0a, 0x07, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x16, 0x0a,
+	0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a,
-	0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69,
+	0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65,
-	0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74,
+	0x63, 0x74, 0x12, 0x39, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x39, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x03, 0x20,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
+	0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x37, 0x0a,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,
+	0x09, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
-	0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x37, 0x0a, 0x09, 0x69, 0x73,
+	0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x73, 0x75, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
+	0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, 0x69, 0x73,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x73, 0x75, 0x65, 0x64, 0x41, 0x74, 0x22, 0xae, 0x01, 0x0a, 0x0a, 0x4f, 0x41, 0x75, 0x74, 0x68,
-	0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f,
-	0x64, 0x41, 0x74, 0x22, 0xae, 0x01, 0x0a, 0x0a, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b,
+	0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x63, 0x63,
-	0x65, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b,
+	0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x6f, 0x6b, 0x65,
-	0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x6e, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x6f,
-	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x74,
+	0x6b, 0x65, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72,
-	0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
+	0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
-	0x54, 0x79, 0x70, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
-	0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
+	0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12,
+	0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65,
-	0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
+	0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xf1, 0x02, 0x0a, 0x07, 0x53, 0x65, 0x73, 0x73,
-	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54,
+	0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01,
-	0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xac, 0x03, 0x0a, 0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a,
-	0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x17, 0x0a,
-	0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64,
+	0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73,
+	0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x39, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,
-	0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65,
+	0x73, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
-	0x72, 0x49, 0x64, 0x12, 0x39, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,
-	0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,
+	0x74, 0x12, 0x2b, 0x0a, 0x08, 0x69, 0x64, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x06, 0x20,
-	0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x39,
+	0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x49, 0x44,
-	0x0a, 0x0a, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x05, 0x20, 0x01,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x07, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34,
-	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x0a, 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x07, 0x20,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09,
+	0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x4f, 0x41,
-	0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x2b, 0x0a, 0x08, 0x69, 0x64, 0x5f,
+	0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x0a, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x54,
-	0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x73, 0x65,
+	0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x08,
-	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x07, 0x69,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x53,
-	0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f,
+	0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74,
-	0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x65,
+	0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x4f, 0x0a, 0x0b, 0x43, 0x6c,
-	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
+	0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x52, 0x0a, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x06,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76,
-	0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x73,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f,
-	0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79,
-	0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69,
+	0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2f, 0x5a, 0x2d, 0x67,
-	0x6d, 0x73, 0x1a, 0x4f, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
-	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f,
-	0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72,
-	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x74, 0x6f, 0x33,
 	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
 	0x02, 0x38, 0x01, 0x22, 0x38, 0x0a, 0x0a, 0x41, 0x64, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
 	0x74, 0x12, 0x2a, 0x0a, 0x07, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x0b, 0x32, 0x10, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x73,
 	0x73, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x60, 0x0a,
 	0x0b, 0x41, 0x64, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2a, 0x0a, 0x07,
 	0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e,
 	0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52,
 	0x07, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x65, 0x72, 0x76,
 	0x65, 0x72, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22,
 	0x1f, 0x0a, 0x0d, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
 	0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64,
 	0x32, 0x7c, 0x0a, 0x0e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69,
 	0x63, 0x65, 0x12, 0x30, 0x0a, 0x03, 0x41, 0x64, 0x64, 0x12, 0x13, 0x2e, 0x73, 0x65, 0x73, 0x73,
 	0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x64, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14,
 	0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x64, 0x64, 0x52, 0x65, 0x73, 0x70,
 	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x06, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x16,
 	0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52,
 	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x2f,
 	0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d,
 	0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70,
 	0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
@ -523,40 +336,29 @@ func file_session_proto_rawDescGZIP() []byte {
 	return file_session_proto_rawDescData
 }
-var file_session_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_session_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
 var file_session_proto_goTypes = []interface{}{
 	(*IDToken)(nil),             // 0: session.IDToken
 	(*OAuthToken)(nil),          // 1: session.OAuthToken
 	(*Session)(nil),             // 2: session.Session
-	(*AddRequest)(nil),          // 3: session.AddRequest
+	nil,                         // 3: session.Session.ClaimsEntry
-	(*AddResponse)(nil),         // 4: session.AddResponse
+	(*timestamp.Timestamp)(nil), // 4: google.protobuf.Timestamp
-	(*DeleteRequest)(nil),       // 5: session.DeleteRequest
+	(*any.Any)(nil),             // 5: google.protobuf.Any
 	nil,                         // 6: session.Session.ClaimsEntry
 	(*timestamp.Timestamp)(nil), // 7: google.protobuf.Timestamp
 	(*any.Any)(nil),             // 8: google.protobuf.Any
 	(*empty.Empty)(nil),         // 9: google.protobuf.Empty
 }
 var file_session_proto_depIdxs = []int32{
-	7,  // 0: session.IDToken.expires_at:type_name -> google.protobuf.Timestamp
+	4, // 0: session.IDToken.expires_at:type_name -> google.protobuf.Timestamp
-	7,  // 1: session.IDToken.issued_at:type_name -> google.protobuf.Timestamp
+	4, // 1: session.IDToken.issued_at:type_name -> google.protobuf.Timestamp
-	7,  // 2: session.OAuthToken.expires_at:type_name -> google.protobuf.Timestamp
+	4, // 2: session.OAuthToken.expires_at:type_name -> google.protobuf.Timestamp
-	7,  // 3: session.Session.expires_at:type_name -> google.protobuf.Timestamp
+	4, // 3: session.Session.expires_at:type_name -> google.protobuf.Timestamp
-	7,  // 4: session.Session.deleted_at:type_name -> google.protobuf.Timestamp
+	0, // 4: session.Session.id_token:type_name -> session.IDToken
-	0,  // 5: session.Session.id_token:type_name -> session.IDToken
+	1, // 5: session.Session.oauth_token:type_name -> session.OAuthToken
-	1,  // 6: session.Session.oauth_token:type_name -> session.OAuthToken
+	3, // 6: session.Session.claims:type_name -> session.Session.ClaimsEntry
-	6,  // 7: session.Session.claims:type_name -> session.Session.ClaimsEntry
+	5, // 7: session.Session.ClaimsEntry.value:type_name -> google.protobuf.Any
-	2,  // 8: session.AddRequest.session:type_name -> session.Session
+	8, // [8:8] is the sub-list for method output_type
-	2,  // 9: session.AddResponse.session:type_name -> session.Session
+	8, // [8:8] is the sub-list for method input_type
-	8,  // 10: session.Session.ClaimsEntry.value:type_name -> google.protobuf.Any
+	8, // [8:8] is the sub-list for extension type_name
-	3,  // 11: session.SessionService.Add:input_type -> session.AddRequest
+	8, // [8:8] is the sub-list for extension extendee
-	5,  // 12: session.SessionService.Delete:input_type -> session.DeleteRequest
+	0, // [0:8] is the sub-list for field type_name
 	4,  // 13: session.SessionService.Add:output_type -> session.AddResponse
 	9,  // 14: session.SessionService.Delete:output_type -> google.protobuf.Empty
 	13, // [13:15] is the sub-list for method output_type
 	11, // [11:13] is the sub-list for method input_type
 	11, // [11:11] is the sub-list for extension type_name
 	11, // [11:11] is the sub-list for extension extendee
 	0,  // [0:11] is the sub-list for field type_name
 }
 func init() { file_session_proto_init() }
@ -601,42 +403,6 @@ func file_session_proto_init() {
 				return nil
 			}
 		}
 		file_session_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*AddRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_session_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*AddResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_session_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DeleteRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@ -644,9 +410,9 @@ func file_session_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_session_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   7,
+			NumMessages:   4,
 			NumExtensions: 0,
-			NumServices:   1,
+			NumServices:   0,
 		},
 		GoTypes:           file_session_proto_goTypes,
 		DependencyIndexes: file_session_proto_depIdxs,
@ -657,119 +423,3 @@ func file_session_proto_init() {
 	file_session_proto_goTypes = nil
 	file_session_proto_depIdxs = nil
 }
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConnInterface
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
 const _ = grpc.SupportPackageIsVersion6
 // SessionServiceClient is the client API for SessionService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
 type SessionServiceClient interface {
 	Add(ctx context.Context, in *AddRequest, opts ...grpc.CallOption) (*AddResponse, error)
 	Delete(ctx context.Context, in *DeleteRequest, opts ...grpc.CallOption) (*empty.Empty, error)
 }
 type sessionServiceClient struct {
 	cc grpc.ClientConnInterface
 }
 func NewSessionServiceClient(cc grpc.ClientConnInterface) SessionServiceClient {
 	return &sessionServiceClient{cc}
 }
 func (c *sessionServiceClient) Add(ctx context.Context, in *AddRequest, opts ...grpc.CallOption) (*AddResponse, error) {
 	out := new(AddResponse)
 	err := c.cc.Invoke(ctx, "/session.SessionService/Add", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *sessionServiceClient) Delete(ctx context.Context, in *DeleteRequest, opts ...grpc.CallOption) (*empty.Empty, error) {
 	out := new(empty.Empty)
 	err := c.cc.Invoke(ctx, "/session.SessionService/Delete", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // SessionServiceServer is the server API for SessionService service.
 type SessionServiceServer interface {
 	Add(context.Context, *AddRequest) (*AddResponse, error)
 	Delete(context.Context, *DeleteRequest) (*empty.Empty, error)
 }
 // UnimplementedSessionServiceServer can be embedded to have forward compatible implementations.
 type UnimplementedSessionServiceServer struct {
 }
 func (*UnimplementedSessionServiceServer) Add(context.Context, *AddRequest) (*AddResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Add not implemented")
 }
 func (*UnimplementedSessionServiceServer) Delete(context.Context, *DeleteRequest) (*empty.Empty, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Delete not implemented")
 }
 func RegisterSessionServiceServer(s *grpc.Server, srv SessionServiceServer) {
 	s.RegisterService(&_SessionService_serviceDesc, srv)
 }
 func _SessionService_Add_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(AddRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(SessionServiceServer).Add(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/session.SessionService/Add",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(SessionServiceServer).Add(ctx, req.(*AddRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _SessionService_Delete_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(DeleteRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(SessionServiceServer).Delete(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/session.SessionService/Delete",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(SessionServiceServer).Delete(ctx, req.(*DeleteRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 var _SessionService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "session.SessionService",
 	HandlerType: (*SessionServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{
 			MethodName: "Add",
 			Handler:    _SessionService_Add_Handler,
 		},
 		{
 			MethodName: "Delete",
 			Handler:    _SessionService_Delete_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "session.proto",
 }
--- a/pkg/grpc/session/session.proto
+++ b/pkg/grpc/session/session.proto
@ -4,7 +4,6 @@ package session;
 option go_package = "github.com/pomerium/pomerium/pkg/grpc/session";
 import "google/protobuf/any.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
 message IDToken {
@ -26,21 +25,7 @@ message Session {
  string id = 2;
  string user_id = 3;
  google.protobuf.Timestamp expires_at = 4;
  google.protobuf.Timestamp deleted_at = 5;
  IDToken id_token = 6;
  OAuthToken oauth_token = 7;
  map<string, google.protobuf.Any> claims = 8;
 }
 message AddRequest { Session session = 1; }
 message AddResponse {
  Session session = 1;
  string server_version = 2;
 }
 message DeleteRequest { string id = 1; }
 service SessionService {
  rpc Add(AddRequest) returns (AddResponse);
  rpc Delete(DeleteRequest) returns (google.protobuf.Empty);
 }
--- a/pkg/grpc/user/user.go
+++ b/pkg/grpc/user/user.go
@ -3,8 +3,10 @@ package user
 import (
 	context "context"
 	"fmt"
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/types/known/anypb"
 	"github.com/pomerium/pomerium/internal/protoutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
@ -19,13 +21,13 @@ func Get(ctx context.Context, client databroker.DataBrokerServiceClient, userID
 		Id:   userID,
 	})
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting user from databroker: %w", err)
 	}
 	var u User
 	err = ptypes.UnmarshalAny(res.GetRecord().GetData(), &u)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error unmarshaling user from databroker: %w", err)
 	}
 	return &u, nil
 }
@ -34,3 +36,17 @@ func Get(ctx context.Context, client databroker.DataBrokerServiceClient, userID
 func (user *User) GetClaim(claim string) interface{} {
 	return protoutil.AnyToInterface(user.GetClaims()[claim])
 }
 // Set sets a user in the databroker.
 func Set(ctx context.Context, client databroker.DataBrokerServiceClient, u *User) (*databroker.Record, error) {
 	any, _ := anypb.New(u)
 	res, err := client.Set(ctx, &databroker.SetRequest{
 		Type: any.GetTypeUrl(),
 		Id:   u.Id,
 		Data: any,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("error setting user in databroker: %w", err)
 	}
 	return res.GetRecord(), nil
 }
--- a/pkg/grpc/user/user.pb.go
+++ b/pkg/grpc/user/user.pb.go
@ -7,14 +7,8 @@
 package user
 import (
 	context "context"
 	proto "github.com/golang/protobuf/proto"
 	any "github.com/golang/protobuf/ptypes/any"
 	empty "github.com/golang/protobuf/ptypes/empty"
 	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@ -41,9 +35,6 @@ type User struct {
 	Id      string              `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
 	Name    string              `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
 	Email   string              `protobuf:"bytes,4,opt,name=email,proto3" json:"email,omitempty"`
 	CreatedAt  *timestamp.Timestamp `protobuf:"bytes,5,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
 	ModifiedAt *timestamp.Timestamp `protobuf:"bytes,6,opt,name=modified_at,json=modifiedAt,proto3" json:"modified_at,omitempty"`
 	DeletedAt  *timestamp.Timestamp `protobuf:"bytes,7,opt,name=deleted_at,json=deletedAt,proto3" json:"deleted_at,omitempty"`
 	Claims  map[string]*any.Any `protobuf:"bytes,8,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
@ -107,27 +98,6 @@ func (x *User) GetEmail() string {
 	return ""
 }
 func (x *User) GetCreatedAt() *timestamp.Timestamp {
 	if x != nil {
 		return x.CreatedAt
 	}
 	return nil
 }
 func (x *User) GetModifiedAt() *timestamp.Timestamp {
 	if x != nil {
 		return x.ModifiedAt
 	}
 	return nil
 }
 func (x *User) GetDeletedAt() *timestamp.Timestamp {
 	if x != nil {
 		return x.DeletedAt
 	}
 	return nil
 }
 func (x *User) GetClaims() map[string]*any.Any {
 	if x != nil {
 		return x.Claims
@ -135,98 +105,30 @@ func (x *User) GetClaims() map[string]*any.Any {
 	return nil
 }
 type AddRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	User *User `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
 }
 func (x *AddRequest) Reset() {
 	*x = AddRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_user_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *AddRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*AddRequest) ProtoMessage() {}
 func (x *AddRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_user_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use AddRequest.ProtoReflect.Descriptor instead.
 func (*AddRequest) Descriptor() ([]byte, []int) {
 	return file_user_proto_rawDescGZIP(), []int{1}
 }
 func (x *AddRequest) GetUser() *User {
 	if x != nil {
 		return x.User
 	}
 	return nil
 }
 var File_user_proto protoreflect.FileDescriptor
 var file_user_proto_rawDesc = []byte{
 	0x0a, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x75, 0x73,
 	0x65, 0x72, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x67,
+	0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xdb, 0x01,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65,
+	0x0a, 0x04, 0x55, 0x73, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f,
-	0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67,
+	0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e,
-	0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65,
+	0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64,
-	0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8e, 0x03, 0x0a, 0x04,
+	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x55, 0x73, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18,
+	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x04, 0x20,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x12, 0x2e, 0x0a, 0x06, 0x63, 0x6c,
-	0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12,
+	0x61, 0x69, 0x6d, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x75, 0x73, 0x65,
-	0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
+	0x72, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74,
-	0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x4f, 0x0a, 0x0b, 0x43, 0x6c,
-	0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61,
+	0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f,
-	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79,
-	0x64, 0x41, 0x74, 0x12, 0x3b, 0x0a, 0x0b, 0x6d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x5f,
+	0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2c, 0x5a, 0x2a, 0x67,
-	0x61, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
+	0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x6d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x41, 0x74,
+	0x67, 0x72, 0x70, 0x63, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x39, 0x0a, 0x0a, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x07,
+	0x33,
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
 	0x52, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x2e, 0x0a, 0x06, 0x63,
 	0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x75, 0x73,
 	0x65, 0x72, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e,
 	0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x4f, 0x0a, 0x0b, 0x43,
 	0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
 	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05,
 	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f,
 	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e,
 	0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x2c, 0x0a, 0x0a,
 	0x41, 0x64, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x04, 0x75, 0x73,
 	0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e,
 	0x55, 0x73, 0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x32, 0x3e, 0x0a, 0x0b, 0x55, 0x73,
 	0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2f, 0x0a, 0x03, 0x41, 0x64, 0x64,
 	0x12, 0x10, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x41, 0x64, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69,
 	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
 	0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67,
 	0x72, 0x70, 0x63, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
@ -241,29 +143,20 @@ func file_user_proto_rawDescGZIP() []byte {
 	return file_user_proto_rawDescData
 }
-var file_user_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_user_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
 var file_user_proto_goTypes = []interface{}{
 	(*User)(nil),    // 0: user.User
-	(*AddRequest)(nil),          // 1: user.AddRequest
+	nil,             // 1: user.User.ClaimsEntry
-	nil,                         // 2: user.User.ClaimsEntry
+	(*any.Any)(nil), // 2: google.protobuf.Any
 	(*timestamp.Timestamp)(nil), // 3: google.protobuf.Timestamp
 	(*any.Any)(nil),             // 4: google.protobuf.Any
 	(*empty.Empty)(nil),         // 5: google.protobuf.Empty
 }
 var file_user_proto_depIdxs = []int32{
-	3, // 0: user.User.created_at:type_name -> google.protobuf.Timestamp
+	1, // 0: user.User.claims:type_name -> user.User.ClaimsEntry
-	3, // 1: user.User.modified_at:type_name -> google.protobuf.Timestamp
+	2, // 1: user.User.ClaimsEntry.value:type_name -> google.protobuf.Any
-	3, // 2: user.User.deleted_at:type_name -> google.protobuf.Timestamp
+	2, // [2:2] is the sub-list for method output_type
-	2, // 3: user.User.claims:type_name -> user.User.ClaimsEntry
+	2, // [2:2] is the sub-list for method input_type
-	0, // 4: user.AddRequest.user:type_name -> user.User
+	2, // [2:2] is the sub-list for extension type_name
-	4, // 5: user.User.ClaimsEntry.value:type_name -> google.protobuf.Any
+	2, // [2:2] is the sub-list for extension extendee
-	1, // 6: user.UserService.Add:input_type -> user.AddRequest
+	0, // [0:2] is the sub-list for field type_name
 	5, // 7: user.UserService.Add:output_type -> google.protobuf.Empty
 	7, // [7:8] is the sub-list for method output_type
 	6, // [6:7] is the sub-list for method input_type
 	6, // [6:6] is the sub-list for extension type_name
 	6, // [6:6] is the sub-list for extension extendee
 	0, // [0:6] is the sub-list for field type_name
 }
 func init() { file_user_proto_init() }
@ -284,18 +177,6 @@ func file_user_proto_init() {
 				return nil
 			}
 		}
 		file_user_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*AddRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@ -303,9 +184,9 @@ func file_user_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_user_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   3,
+			NumMessages:   2,
 			NumExtensions: 0,
-			NumServices:   1,
+			NumServices:   0,
 		},
 		GoTypes:           file_user_proto_goTypes,
 		DependencyIndexes: file_user_proto_depIdxs,
@ -316,83 +197,3 @@ func file_user_proto_init() {
 	file_user_proto_goTypes = nil
 	file_user_proto_depIdxs = nil
 }
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConnInterface
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
 const _ = grpc.SupportPackageIsVersion6
 // UserServiceClient is the client API for UserService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
 type UserServiceClient interface {
 	Add(ctx context.Context, in *AddRequest, opts ...grpc.CallOption) (*empty.Empty, error)
 }
 type userServiceClient struct {
 	cc grpc.ClientConnInterface
 }
 func NewUserServiceClient(cc grpc.ClientConnInterface) UserServiceClient {
 	return &userServiceClient{cc}
 }
 func (c *userServiceClient) Add(ctx context.Context, in *AddRequest, opts ...grpc.CallOption) (*empty.Empty, error) {
 	out := new(empty.Empty)
 	err := c.cc.Invoke(ctx, "/user.UserService/Add", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // UserServiceServer is the server API for UserService service.
 type UserServiceServer interface {
 	Add(context.Context, *AddRequest) (*empty.Empty, error)
 }
 // UnimplementedUserServiceServer can be embedded to have forward compatible implementations.
 type UnimplementedUserServiceServer struct {
 }
 func (*UnimplementedUserServiceServer) Add(context.Context, *AddRequest) (*empty.Empty, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Add not implemented")
 }
 func RegisterUserServiceServer(s *grpc.Server, srv UserServiceServer) {
 	s.RegisterService(&_UserService_serviceDesc, srv)
 }
 func _UserService_Add_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(AddRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(UserServiceServer).Add(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/user.UserService/Add",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(UserServiceServer).Add(ctx, req.(*AddRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 var _UserService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "user.UserService",
 	HandlerType: (*UserServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{
 			MethodName: "Add",
 			Handler:    _UserService_Add_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "user.proto",
 }
--- a/pkg/grpc/user/user.proto
+++ b/pkg/grpc/user/user.proto
@ -4,20 +4,11 @@ package user;
 option go_package = "github.com/pomerium/pomerium/pkg/grpc/user";
 import "google/protobuf/any.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
 message User {
  string version = 1;
  string id = 2;
  string name = 3;
  string email = 4;
  google.protobuf.Timestamp created_at = 5;
  google.protobuf.Timestamp modified_at = 6;
  google.protobuf.Timestamp deleted_at = 7;
  map<string, google.protobuf.Any> claims = 8;
 }
 message AddRequest { User user = 1; }
 service UserService { rpc Add(AddRequest) returns (google.protobuf.Empty); }