authorize: support authenticating with idp tokens (#5484)

* identity: add support for verifying access and identity tokens

* allow overriding with policy option

* authenticate: add verify endpoints

* wip

* implement session creation

* add verify test

* implement idp token login

* fix tests

* add pr permission

* make session ids route-specific

* rename method

* add test

* add access token test

* test for newUserFromIDPClaims

* more tests

* make the session id per-idp

* use type for

* add test

* remove nil checks

internal/httputil/headers.go

@@ -1,7 +1,12 @@
 package httputil
 
-// AuthorizationTypePomerium is for Authorization: Pomerium JWT... headers
-const AuthorizationTypePomerium = "Pomerium"
+// Pomerium authorization types
+const (
+	// AuthorizationTypePomerium is for Authorization: Pomerium JWT... headers
+	AuthorizationTypePomerium                 = "Pomerium"
+	AuthorizationTypePomeriumIDPAccessToken   = "Pomerium-IDP-Access-Token"   //nolint: gosec
+	AuthorizationTypePomeriumIDPIdentityToken = "Pomerium-IDP-Identity-Token" //nolint: gosec
+)
 
 // Standard headers
 const (
@@ -16,7 +21,9 @@ const (
 	// HeaderPomeriumAuthorization is the header key for a pomerium authorization JWT. It
 	// can be used in place of the standard authorization header if that header is being
 	// used by upstream applications.
-	HeaderPomeriumAuthorization = "x-pomerium-authorization"
+	HeaderPomeriumAuthorization    = "x-pomerium-authorization"
+	HeaderPomeriumIDPAccessToken   = "x-pomerium-idp-access-token"   //nolint: gosec
+	HeaderPomeriumIDPIdentityToken = "x-pomerium-idp-identity-token" //nolint: gosec
 	// HeaderPomeriumResponse is set when pomerium itself creates a response,
 	// as opposed to the upstream application and can be used to distinguish
 	// between an application error, and a pomerium related error when debugging.