authorize: support authenticating with idp tokens (#5484)

* identity: add support for verifying access and identity tokens

* allow overriding with policy option

* authenticate: add verify endpoints

* wip

* implement session creation

* add verify test

* implement idp token login

* fix tests

* add pr permission

* make session ids route-specific

* rename method

* add test

* add access token test

* test for newUserFromIDPClaims

* more tests

* make the session id per-idp

* use type for

* add test

* remove nil checks

authorize/check_response_test.go

@@ -127,8 +127,9 @@ func TestAuthorize_okResponse(t *testing.T) {
 		}},
 		JWTClaimsHeaders: config.NewJWTClaimHeaders("email"),
 	}
-	a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
-	a.currentOptions.Store(opt)
+	a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
+		Options: opt,
+	}), state: atomicutil.NewValue(new(authorizeState))}
 	a.store = store.New()
 	pe, err := newPolicyEvaluator(context.Background(), opt, a.store, nil)
 	require.NoError(t, err)
@@ -183,15 +184,16 @@ func TestAuthorize_okResponse(t *testing.T) {
 func TestAuthorize_deniedResponse(t *testing.T) {
 	t.Parallel()
 
-	a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
-	a.currentOptions.Store(&config.Options{
-		Policies: []config.Policy{{
-			From: "https://example.com",
-			SubPolicies: []config.SubPolicy{{
-				Rego: []string{"allow = true"},
+	a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
+		Options: &config.Options{
+			Policies: []config.Policy{{
+				From: "https://example.com",
+				SubPolicies: []config.SubPolicy{{
+					Rego: []string{"allow = true"},
+				}},
 			}},
-		}},
-	})
+		},
+	}), state: atomicutil.NewValue(new(authorizeState))}
 
 	t.Run("json", func(t *testing.T) {
 		t.Parallel()