authorize: support authenticating with idp tokens (#5484)

* identity: add support for verifying access and identity tokens

* allow overriding with policy option

* authenticate: add verify endpoints

* wip

* implement session creation

* add verify test

* implement idp token login

* fix tests

* add pr permission

* make session ids route-specific

* rename method

* add test

* add access token test

* test for newUserFromIDPClaims

* more tests

* make the session id per-idp

* use type for

* add test

* remove nil checks

authorize/authorize.go

@@ -29,7 +29,7 @@ import (
 type Authorize struct {
 	state             *atomicutil.Value[*authorizeState]
 	store             *store.Store
-	currentOptions    *atomicutil.Value[*config.Options]
+	currentConfig     *atomicutil.Value[*config.Config]
 	accessTracker     *AccessTracker
 	globalCache       storage.Cache
 	groupsCacheWarmer *cacheWarmer
@@ -43,7 +43,7 @@ func New(ctx context.Context, cfg *config.Config) (*Authorize, error) {
 	tracerProvider := trace.NewTracerProvider(ctx, "Authorize")
 	tracer := tracerProvider.Tracer(trace.PomeriumCoreTracer)
 	a := &Authorize{
-		currentOptions: config.NewAtomicOptions(),
+		currentConfig:  atomicutil.NewValue(&config.Config{Options: new(config.Options)}),
 		store:          store.New(),
 		globalCache:    storage.NewGlobalCache(time.Minute),
 		tracerProvider: tracerProvider,
@@ -155,7 +155,7 @@ func newPolicyEvaluator(
 // OnConfigChange updates internal structures based on config.Options
 func (a *Authorize) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	currentState := a.state.Load()
-	a.currentOptions.Store(cfg.Options)
+	a.currentConfig.Store(cfg)
 	if newState, err := newAuthorizeStateFromConfig(ctx, a.tracerProvider, cfg, a.store, currentState.evaluator); err != nil {
 		log.Ctx(ctx).Error().Err(err).Msg("authorize: error updating state")
 	} else {