move directory providers (#3633)

* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test

examples/config/config.docker.yaml

@@ -1,6 +1,5 @@
 # See detailed configuration settings : https://www.pomerium.com/docs/reference/
 
-
 # this is the domain the identity provider will callback after a user authenticates
 authenticate_service_url: https://authenticate.localhost.pomerium.io
 
@@ -20,7 +19,6 @@ certificate_key_file: /pomerium/privkey.pem
 idp_provider: google
 idp_client_id: REPLACE_ME
 idp_client_secret: REPLACE_ME
-#idp_service_account: REPLACE_ME # Required by some identity providers for directory sync
 
 # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
 cookie_secret: V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=

examples/config/config.example.env

@@ -1,7 +1,6 @@
 #!/bin/bash
 # Main configuration flags : https://www.pomerium.com/docs/reference/
 
-
 # Main configuration flags
 # export ADDRESS=":8443"                      # optional, default is 443
 # export POMERIUM_DEBUG=true                  # optional, default is false
@@ -37,7 +36,6 @@ export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
 # export IDP_CLIENT_ID="REPLACEME" # from the application the users login to
 # export IDP_CLIENT_SECRET="REPLACEME" # from the application the users login to
 # the following is optional and only needed if you want role (Auth0 calls groups roles) data
-# export IDP_SERVICE_ACCOUNT="REPLACEME" # built from the machine-to-machine application which talks to the Auth0 Management API
 
 # Azure
 # export IDP_PROVIDER="azure"
@@ -64,8 +62,3 @@ export IDP_PROVIDER="google"
 # directly as a base64 encoded yaml/json file, or as the policy key in the configuration
 # file
 export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"
-
-# For Group data you must set an IDP_SERVICE_ACCOUNT
-# https://www.pomerium.com/configuration/#identity-provider-service-account
-# export IDP_SERVICE_ACCOUNT=$( echo YOUR_SERVICE_ACCOUNT | base64)
-# For Google manually edit the service account to add the impersonate_user field before base64

examples/config/config.example.yaml

@@ -40,8 +40,6 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
 # idp_provider_url: "https://REPLACEME.us.auth0.com"
 # idp_client_id: "REPLACEME" # from the application the users login to
 # idp_client_secret: "REPLACEME" # from the application the users login to
-# the following is optional and only needed if you want role (Auth0 calls groups roles) data
-# idp_service_account: "REPLACEME" # built from the machine-to-machine application which talks to the Auth0 Management API
 
 # Azure
 # idp_provider: "azure"
@@ -54,10 +52,6 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
 # idp_client_id: "REPLACEME
 # idp_client_secret: "REPLACEME
 
-# IF GSUITE and you want to get user groups you will need to set a service account
-# see identity provider docs for gooogle for more info :
-# idp_service_account: $(echo '{"impersonate_user": "user@example.com"}' | base64)
-
 # OKTA
 # idp_provider: "okta"
 # idp_client_id: "REPLACEME"
@@ -70,9 +64,6 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
 # idp_client_secret: "REPLACEME"
 # idp_provider_url: "https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`
 
-# For Group data you must set an IDP_SERVICE_ACCOUNT
-# idp_service_account: YOUR_SERVICE_ACCOUNT
-
 # Proxied routes and per-route policies are defined in a routes block
 routes:
   - from: https://verify.localhost.pomerium.io

examples/docker/nginx.docker-compose.yml

@@ -22,7 +22,6 @@ services:
       # - IDP_PROVIDER_URL=https://beyondperimeter.okta.com
       # - IDP_CLIENT_ID=REPLACE_ME
       # - IDP_CLIENT_SECRET=REPLACE_ME
-      # - IDP_SERVICE_ACCOUNT=REPLACE_ME
       # NOTE! Generate new secret keys! e.g. `head -c32 /dev/urandom | base64`
       # Generated secret keys must match between services
       - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=

examples/helm/helm_gke.sh

@@ -3,7 +3,7 @@
 # curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
 # NOTE! This will create real resources on Google's cloud. Make sure you clean up any unused
 # resources to avoid being billed. For reference, this tutorial cost me <10 cents for a couple of hours.
-# NOTE! You must change the identity provider client secret setting, and service account setting!
+# NOTE! You must change the identity provider client secret setting!
 # NOTE! If you are using gsuite, you should also set `authenticate.idp.serviceAccount`, see docs !
 
 echo "=> [GCE] creating cluster"

examples/kubernetes/kubernetes-config.yaml

@@ -14,9 +14,6 @@ override_certificate_name: "*.localhost.pomerium.io"
 idp_provider: google
 idp_client_id: REPLACE_ME.apps.googleusercontent.com
 idp_client_secret: "REPLACE_ME"
-# Required for group data
-# https://www.pomerium.com/configuration/#identity-provider-service-account
-idp_service_account: YOUR_SERVICE_ACCOUNT
 
 routes:
   - from: https://verify.localhost.pomerium.io

examples/kubernetes/pomerium-values.yaml

@@ -7,7 +7,6 @@ authenticate:
     provider: "google"
     clientID: YOUR_CLIENT_ID
     clientSecret: YOUR_SECRET
-    serviceAccount: YOUR_SERVICE_ACCOUNT
   proxied: false
 
 proxy:

examples/kubernetes/values.yaml

@@ -3,9 +3,6 @@ authenticate:
     provider: "google"
     clientID: YOUR_CLIENT_ID
     clientSecret: YOUR_SECRET
-    # Required for group data
-    # https://www.pomerium.com/configuration/#identity-provider-service-account
-    serviceAccount: YOUR_SERVICE_ACCOUNT
   service:
     type: NodePort
     annotations: