authorize: support authenticating with idp tokens (#5484)

* identity: add support for verifying access and identity tokens

* allow overriding with policy option

* authenticate: add verify endpoints

* wip

* implement session creation

* add verify test

* implement idp token login

* fix tests

* add pr permission

* make session ids route-specific

* rename method

* add test

* add access token test

* test for newUserFromIDPClaims

* more tests

* make the session id per-idp

* use type for

* add test

* remove nil checks

authenticate/handlers_verify_test.go

@@ -0,0 +1,45 @@
+package authenticate_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pomerium/pomerium/authenticate"
+	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/internal/testutil"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+)
+
+func TestVerifyAccessToken(t *testing.T) {
+	t.Parallel()
+
+	ctx := testutil.GetContext(t, time.Minute)
+	a, err := authenticate.New(ctx, &config.Config{
+		Options: &config.Options{
+			CookieSecret:             cryptutil.NewBase64Key(),
+			SharedKey:                cryptutil.NewBase64Key(),
+			AuthenticateCallbackPath: "/oauth2/callback",
+			AuthenticateURLString:    "https://authenticate.example.com",
+
+			Provider:    "oidc",
+			ProviderURL: "http://oidc.example.com",
+		},
+	})
+	require.NoError(t, err)
+
+	w := httptest.NewRecorder()
+	r, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://authenticate.example.com/.pomerium/verify-access-token",
+		strings.NewReader(`{"accessToken":"ACCESS TOKEN"}`))
+	require.NoError(t, err)
+
+	a.Handler().ServeHTTP(w, r)
+
+	assert.Equal(t, 200, w.Code)
+	assert.JSONEq(t, `{"valid":false}`, w.Body.String())
+}