authorize: support authenticating with idp tokens (#5484)

* identity: add support for verifying access and identity tokens * allow overriding with policy option * authenticate: add verify endpoints * wip * implement session creation * add verify test * implement idp token login * fix tests * add pr permission * make session ids route-specific * rename method * add test * add access token test * test for newUserFromIDPClaims * more tests * make the session id per-idp * use type for * add test * remove nil checks
2025-07-17 16:48:13 +02:00 · 2025-02-18 13:02:06 -07:00 · 2025-02-18 13:02:06 -07:00 · b9fd926618
commit b9fd926618
parent 6e22b7a19a
36 changed files with 2791 additions and 885 deletions
--- a/authenticate/identity.go
+++ b/authenticate/identity.go
@ -3,11 +3,12 @@ package authenticate
 import (
 	"context"

+	oteltrace "go.opentelemetry.io/otel/trace"
+
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/identity"
 	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	oteltrace "go.opentelemetry.io/otel/trace"
 )

 func defaultGetIdentityProvider(ctx context.Context, tracerProvider oteltrace.TracerProvider, options *config.Options, idpID string) (identity.Authenticator, error) {
@ -26,7 +27,8 @@ func defaultGetIdentityProvider(ctx context.Context, tracerProvider oteltrace.Tr
 	if err != nil {
 		return nil, err
 	}
-	return identity.NewAuthenticator(ctx, tracerProvider, oauth.Options{
+
+	o := oauth.Options{
 		RedirectURL:     redirectURL,
 		ProviderName:    idp.GetType(),
 		ProviderURL:     idp.GetUrl(),
@ -34,5 +36,9 @@ func defaultGetIdentityProvider(ctx context.Context, tracerProvider oteltrace.Tr
 		ClientSecret:    idp.GetClientSecret(),
 		Scopes:          idp.GetScopes(),
 		AuthCodeOptions: idp.GetRequestParams(),
-	})
+	}
+	if v := idp.GetAccessTokenAllowedAudiences(); v != nil {
+		o.AccessTokenAllowedAudiences = &v.Values
+	}
+	return identity.NewAuthenticator(ctx, tracerProvider, o)
 }