move directory providers (#3633)

* remove directory providers and support for groups * idp: remove directory providers * better error messages * fix errors * restore postgres * fix test
2025-07-31 07:19:16 +02:00 · 2022-11-03 11:33:56 -06:00 · 2022-11-03 11:33:56 -06:00 · c178819875
commit c178819875
parent bb5c80bae9
78 changed files with 723 additions and 8703 deletions
--- a/pkg/contextutil/contextutil_test.go
+++ b/pkg/contextutil/contextutil_test.go
@ -9,6 +9,7 @@ import (
 )

 func TestMerge(t *testing.T) {
+	type key string
 	t.Run("value", func(t *testing.T) {
 		type contextKey string
 		k1 := contextKey("key1")
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
--- a/pkg/grpc/config/config.proto
+++ b/pkg/grpc/config/config.proto
@ -55,7 +55,7 @@ message Route {
  RouteRedirect redirect = 34;

  repeated string allowed_users = 4 [ deprecated = true ];
-  repeated string allowed_groups = 5 [ deprecated = true ];
+  // repeated string allowed_groups = 5 [ deprecated = true ];
  repeated string allowed_domains = 6 [ deprecated = true ];
  map<string, google.protobuf.ListValue> allowed_idp_claims = 32
      [ deprecated = true ];
@ -121,7 +121,7 @@ message Policy {
  string id = 1;
  string name = 2;
  repeated string allowed_users = 3;
-  repeated string allowed_groups = 4;
+  // repeated string allowed_groups = 4;
  repeated string allowed_domains = 5;
  map<string, google.protobuf.ListValue> allowed_idp_claims = 7;
  repeated string rego = 6;
@ -166,9 +166,9 @@ message Settings {
  optional string idp_provider = 24;
  optional string idp_provider_url = 25;
  repeated string scopes = 26;
-  optional string idp_service_account = 27;
-  optional google.protobuf.Duration idp_refresh_directory_timeout = 28;
-  optional google.protobuf.Duration idp_refresh_directory_interval = 29;
+  // optional string idp_service_account = 27;
+  // optional google.protobuf.Duration idp_refresh_directory_timeout = 28;
+  // optional google.protobuf.Duration idp_refresh_directory_interval = 29;
  map<string, string> request_params = 30;
  repeated string authorize_service_urls = 32;
  optional string authorize_internal_service_url = 83;
--- a/pkg/grpc/databroker/databroker.go
+++ b/pkg/grpc/databroker/databroker.go
@ -84,7 +84,7 @@ loop:
 		case err == io.EOF:
 			break loop
 		case err != nil:
-			return nil, 0, 0, err
+			return nil, 0, 0, fmt.Errorf("error receiving record: %w", err)
 		}

 		switch res := res.GetResponse().(type) {
--- a/pkg/grpc/databroker/syncer.go
+++ b/pkg/grpc/databroker/syncer.go
@ -2,6 +2,7 @@ package databroker

 import (
 	"context"
+	"fmt"
 	"time"

 	backoff "github.com/cenkalti/backoff/v4"
@ -132,8 +133,7 @@ func (syncer *Syncer) init(ctx context.Context) error {
 		Type: syncer.cfg.typeURL,
 	})
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("error during initial sync")
-		return err
+		return fmt.Errorf("error during initial sync: %w", err)
 	}
 	syncer.backoff.Reset()

@ -154,8 +154,7 @@ func (syncer *Syncer) sync(ctx context.Context) error {
 		Type:          syncer.cfg.typeURL,
 	})
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("error during sync")
-		return err
+		return fmt.Errorf("error calling sync: %w", err)
 	}

 	log.Info(ctx).Msg("listening for updates")
@ -168,7 +167,7 @@ func (syncer *Syncer) sync(ctx context.Context) error {
 			syncer.serverVersion = 0
 			return nil
 		} else if err != nil {
-			return err
+			return fmt.Errorf("error receiving sync record: %w", err)
 		}

 		rec := res.GetRecord()
--- a/pkg/grpc/directory/directory.go
+++ b/pkg/grpc/directory/directory.go
@ -1,30 +0,0 @@
-// Package directory contains protobuf types for directory users.
-package directory
-
-import (
-	context "context"
-
-	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-)
-
-// GetGroup gets a directory group from the databroker.
-func GetGroup(ctx context.Context, client databroker.DataBrokerServiceClient, groupID string) (*Group, error) {
-	g := Group{Id: groupID}
-	return &g, databroker.Get(ctx, client, &g)
-}
-
-// GetUser gets a directory user from the databroker.
-func GetUser(ctx context.Context, client databroker.DataBrokerServiceClient, userID string) (*User, error) {
-	u := User{Id: userID}
-	return &u, databroker.Get(ctx, client, &u)
-}
-
-// Options are directory provider options.
-type Options struct {
-	ServiceAccount string
-	Provider       string
-	ProviderURL    string
-	ClientID       string
-	ClientSecret   string
-	QPS            float64
-}
--- a/pkg/grpc/directory/directory.pb.go
+++ b/pkg/grpc/directory/directory.pb.go
@ -1,441 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.7
-// source: directory.proto
-
-package directory
-
-import (
-	context "context"
-	grpc "google.golang.org/grpc"
-	codes "google.golang.org/grpc/codes"
-	status "google.golang.org/grpc/status"
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	emptypb "google.golang.org/protobuf/types/known/emptypb"
-	reflect "reflect"
-	sync "sync"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-type User struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Version     string   `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
-	Id          string   `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
-	GroupIds    []string `protobuf:"bytes,3,rep,name=group_ids,json=groupIds,proto3" json:"group_ids,omitempty"`
-	DisplayName string   `protobuf:"bytes,4,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`
-	Email       string   `protobuf:"bytes,5,opt,name=email,proto3" json:"email,omitempty"`
-}
-
-func (x *User) Reset() {
-	*x = User{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_directory_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *User) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*User) ProtoMessage() {}
-
-func (x *User) ProtoReflect() protoreflect.Message {
-	mi := &file_directory_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use User.ProtoReflect.Descriptor instead.
-func (*User) Descriptor() ([]byte, []int) {
-	return file_directory_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *User) GetVersion() string {
-	if x != nil {
-		return x.Version
-	}
-	return ""
-}
-
-func (x *User) GetId() string {
-	if x != nil {
-		return x.Id
-	}
-	return ""
-}
-
-func (x *User) GetGroupIds() []string {
-	if x != nil {
-		return x.GroupIds
-	}
-	return nil
-}
-
-func (x *User) GetDisplayName() string {
-	if x != nil {
-		return x.DisplayName
-	}
-	return ""
-}
-
-func (x *User) GetEmail() string {
-	if x != nil {
-		return x.Email
-	}
-	return ""
-}
-
-type Group struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
-	Id      string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
-	Name    string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
-	Email   string `protobuf:"bytes,4,opt,name=email,proto3" json:"email,omitempty"`
-}
-
-func (x *Group) Reset() {
-	*x = Group{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_directory_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *Group) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*Group) ProtoMessage() {}
-
-func (x *Group) ProtoReflect() protoreflect.Message {
-	mi := &file_directory_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use Group.ProtoReflect.Descriptor instead.
-func (*Group) Descriptor() ([]byte, []int) {
-	return file_directory_proto_rawDescGZIP(), []int{1}
-}
-
-func (x *Group) GetVersion() string {
-	if x != nil {
-		return x.Version
-	}
-	return ""
-}
-
-func (x *Group) GetId() string {
-	if x != nil {
-		return x.Id
-	}
-	return ""
-}
-
-func (x *Group) GetName() string {
-	if x != nil {
-		return x.Name
-	}
-	return ""
-}
-
-func (x *Group) GetEmail() string {
-	if x != nil {
-		return x.Email
-	}
-	return ""
-}
-
-type RefreshUserRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	UserId      string `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
-	AccessToken string `protobuf:"bytes,2,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"`
-}
-
-func (x *RefreshUserRequest) Reset() {
-	*x = RefreshUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_directory_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *RefreshUserRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*RefreshUserRequest) ProtoMessage() {}
-
-func (x *RefreshUserRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_directory_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use RefreshUserRequest.ProtoReflect.Descriptor instead.
-func (*RefreshUserRequest) Descriptor() ([]byte, []int) {
-	return file_directory_proto_rawDescGZIP(), []int{2}
-}
-
-func (x *RefreshUserRequest) GetUserId() string {
-	if x != nil {
-		return x.UserId
-	}
-	return ""
-}
-
-func (x *RefreshUserRequest) GetAccessToken() string {
-	if x != nil {
-		return x.AccessToken
-	}
-	return ""
-}
-
-var File_directory_proto protoreflect.FileDescriptor
-
-var file_directory_proto_rawDesc = []byte{
-	0x0a, 0x0f, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x1a, 0x1b, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d,
-	0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x86, 0x01, 0x0a, 0x04, 0x55, 0x73,
-	0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02,
-	0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1b, 0x0a, 0x09,
-	0x67, 0x72, 0x6f, 0x75, 0x70, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x08, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x49, 0x64, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x64, 0x69, 0x73,
-	0x70, 0x6c, 0x61, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0b, 0x64, 0x69, 0x73, 0x70, 0x6c, 0x61, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05,
-	0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61,
-	0x69, 0x6c, 0x22, 0x5b, 0x0a, 0x05, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x18, 0x0a, 0x07, 0x76,
-	0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65,
-	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61,
-	0x69, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x22,
-	0x50, 0x0a, 0x12, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x21,
-	0x0a, 0x0c, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65,
-	0x6e, 0x32, 0x58, 0x0a, 0x10, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x44, 0x0a, 0x0b, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68,
-	0x55, 0x73, 0x65, 0x72, 0x12, 0x1d, 0x2e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79,
-	0x2e, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x31, 0x5a, 0x2f, 0x67,
-	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
-	0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f,
-	0x67, 0x72, 0x70, 0x63, 0x2f, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
-
-var (
-	file_directory_proto_rawDescOnce sync.Once
-	file_directory_proto_rawDescData = file_directory_proto_rawDesc
-)
-
-func file_directory_proto_rawDescGZIP() []byte {
-	file_directory_proto_rawDescOnce.Do(func() {
-		file_directory_proto_rawDescData = protoimpl.X.CompressGZIP(file_directory_proto_rawDescData)
-	})
-	return file_directory_proto_rawDescData
-}
-
-var file_directory_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
-var file_directory_proto_goTypes = []interface{}{
-	(*User)(nil),               // 0: directory.User
-	(*Group)(nil),              // 1: directory.Group
-	(*RefreshUserRequest)(nil), // 2: directory.RefreshUserRequest
-	(*emptypb.Empty)(nil),      // 3: google.protobuf.Empty
-}
-var file_directory_proto_depIdxs = []int32{
-	2, // 0: directory.DirectoryService.RefreshUser:input_type -> directory.RefreshUserRequest
-	3, // 1: directory.DirectoryService.RefreshUser:output_type -> google.protobuf.Empty
-	1, // [1:2] is the sub-list for method output_type
-	0, // [0:1] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
-}
-
-func init() { file_directory_proto_init() }
-func file_directory_proto_init() {
-	if File_directory_proto != nil {
-		return
-	}
-	if !protoimpl.UnsafeEnabled {
-		file_directory_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*User); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_directory_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*Group); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_directory_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*RefreshUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_directory_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   3,
-			NumExtensions: 0,
-			NumServices:   1,
-		},
-		GoTypes:           file_directory_proto_goTypes,
-		DependencyIndexes: file_directory_proto_depIdxs,
-		MessageInfos:      file_directory_proto_msgTypes,
-	}.Build()
-	File_directory_proto = out.File
-	file_directory_proto_rawDesc = nil
-	file_directory_proto_goTypes = nil
-	file_directory_proto_depIdxs = nil
-}
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ context.Context
-var _ grpc.ClientConnInterface
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the grpc package it is being compiled against.
-const _ = grpc.SupportPackageIsVersion6
-
-// DirectoryServiceClient is the client API for DirectoryService service.
-//
-// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
-type DirectoryServiceClient interface {
-	RefreshUser(ctx context.Context, in *RefreshUserRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-}
-
-type directoryServiceClient struct {
-	cc grpc.ClientConnInterface
-}
-
-func NewDirectoryServiceClient(cc grpc.ClientConnInterface) DirectoryServiceClient {
-	return &directoryServiceClient{cc}
-}
-
-func (c *directoryServiceClient) RefreshUser(ctx context.Context, in *RefreshUserRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, "/directory.DirectoryService/RefreshUser", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// DirectoryServiceServer is the server API for DirectoryService service.
-type DirectoryServiceServer interface {
-	RefreshUser(context.Context, *RefreshUserRequest) (*emptypb.Empty, error)
-}
-
-// UnimplementedDirectoryServiceServer can be embedded to have forward compatible implementations.
-type UnimplementedDirectoryServiceServer struct {
-}
-
-func (*UnimplementedDirectoryServiceServer) RefreshUser(context.Context, *RefreshUserRequest) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RefreshUser not implemented")
-}
-
-func RegisterDirectoryServiceServer(s *grpc.Server, srv DirectoryServiceServer) {
-	s.RegisterService(&_DirectoryService_serviceDesc, srv)
-}
-
-func _DirectoryService_RefreshUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(RefreshUserRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DirectoryServiceServer).RefreshUser(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/directory.DirectoryService/RefreshUser",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DirectoryServiceServer).RefreshUser(ctx, req.(*RefreshUserRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-var _DirectoryService_serviceDesc = grpc.ServiceDesc{
-	ServiceName: "directory.DirectoryService",
-	HandlerType: (*DirectoryServiceServer)(nil),
-	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "RefreshUser",
-			Handler:    _DirectoryService_RefreshUser_Handler,
-		},
-	},
-	Streams:  []grpc.StreamDesc{},
-	Metadata: "directory.proto",
-}
--- a/pkg/grpc/directory/directory.proto
+++ b/pkg/grpc/directory/directory.proto
@ -1,30 +0,0 @@
-syntax = "proto3";
-
-package directory;
-option go_package = "github.com/pomerium/pomerium/pkg/grpc/directory";
-
-import "google/protobuf/empty.proto";
-
-message User {
-  string version = 1;
-  string id = 2;
-  repeated string group_ids = 3;
-  string display_name = 4;
-  string email = 5;
-}
-
-message Group {
-  string version = 1;
-  string id = 2;
-  string name = 3;
-  string email = 4;
-}
-
-message RefreshUserRequest {
-  string user_id = 1;
-  string access_token = 2;
-}
-
-service DirectoryService {
-  rpc RefreshUser(RefreshUserRequest) returns (google.protobuf.Empty);
-}
--- a/pkg/grpc/identity/identity.pb.go
+++ b/pkg/grpc/identity/identity.pb.go
@ -25,14 +25,14 @@ type Provider struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id             string            `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
-	ClientId       string            `protobuf:"bytes,2,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"`
-	ClientSecret   string            `protobuf:"bytes,3,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"`
-	Type           string            `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty"`
-	Scopes         []string          `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"`
-	ServiceAccount string            `protobuf:"bytes,6,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
-	Url            string            `protobuf:"bytes,7,opt,name=url,proto3" json:"url,omitempty"`
-	RequestParams  map[string]string `protobuf:"bytes,8,rep,name=request_params,json=requestParams,proto3" json:"request_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Id           string   `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	ClientId     string   `protobuf:"bytes,2,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"`
+	ClientSecret string   `protobuf:"bytes,3,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"`
+	Type         string   `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty"`
+	Scopes       []string `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"`
+	// string service_account = 6;
+	Url           string            `protobuf:"bytes,7,opt,name=url,proto3" json:"url,omitempty"`
+	RequestParams map[string]string `protobuf:"bytes,8,rep,name=request_params,json=requestParams,proto3" json:"request_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }

 func (x *Provider) Reset() {
@ -102,13 +102,6 @@ func (x *Provider) GetScopes() []string {
 	return nil
 }

-func (x *Provider) GetServiceAccount() string {
-	if x != nil {
-		return x.ServiceAccount
-	}
-	return ""
-}
-
 func (x *Provider) GetUrl() string {
 	if x != nil {
 		return x.Url
@ -128,7 +121,7 @@ var File_identity_proto protoreflect.FileDescriptor
 var file_identity_proto_rawDesc = []byte{
 	0x0a, 0x0e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x12, 0x11, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74,
-	0x69, 0x74, 0x79, 0x22, 0xdc, 0x02, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72,
+	0x69, 0x74, 0x79, 0x22, 0xb3, 0x02, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72,
 	0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64,
 	0x12, 0x1b, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x23, 0x0a,
@ -136,24 +129,22 @@ var file_identity_proto_rawDesc = []byte{
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72,
 	0x65, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73,
-	0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x12, 0x27,
-	0x0a, 0x0f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e,
-	0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
-	0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x07,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x55, 0x0a, 0x0e, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x69, 0x64, 0x65,
-	0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x2e, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73,
-	0x1a, 0x40, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d,
-	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
-	0x38, 0x01, 0x42, 0x30, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
-	0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
-	0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x69, 0x64, 0x65, 0x6e,
-	0x74, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x12, 0x10,
+	0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c,
+	0x12, 0x55, 0x0a, 0x0e, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x72, 0x61,
+	0x6d, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72,
+	0x69, 0x75, 0x6d, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x72, 0x6f,
+	0x76, 0x69, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72,
+	0x61, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x40, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
+	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
+	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x30, 0x5a, 0x2e, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d,
+	0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72,
+	0x70, 0x63, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
 }

 var (
--- a/pkg/grpc/identity/identity.proto
+++ b/pkg/grpc/identity/identity.proto
@ -9,7 +9,7 @@ message Provider {
  string client_secret = 3;
  string type = 4;
  repeated string scopes = 5;
-  string service_account = 6;
+  // string service_account = 6;
  string url = 7;
  map<string, string> request_params = 8;
 }
--- a/pkg/grpc/protoc.bash
+++ b/pkg/grpc/protoc.bash
@ -92,11 +92,6 @@ _import_paths=$(join_by , "${_imports[@]}")
  --go_out="$_import_paths,plugins=grpc,paths=source_relative:./device/." \
  ./device/device.proto

-../../scripts/protoc -I ./directory/ \
-  --go_out="$_import_paths,plugins=grpc,paths=source_relative:./directory/." \
-  ./directory/directory.proto
-
-
 ../../scripts/protoc -I ./identity/ \
  --go_out="$_import_paths,plugins=grpc,paths=source_relative:./identity/." \
  ./identity/identity.proto
--- a/pkg/policy/criteria/groups.go
+++ b/pkg/policy/criteria/groups.go
@ -1,82 +0,0 @@
-package criteria
-
-import (
-	"github.com/open-policy-agent/opa/ast"
-
-	"github.com/pomerium/pomerium/pkg/policy/generator"
-	"github.com/pomerium/pomerium/pkg/policy/parser"
-	"github.com/pomerium/pomerium/pkg/policy/rules"
-)
-
-var groupsBody = ast.Body{
-	ast.MustParseExpr(`
-		session := get_session(input.session.id)
-	`),
-	ast.MustParseExpr(`
-		directory_user := get_directory_user(session)
-	`),
-	ast.MustParseExpr(`
-		group_ids := get_group_ids(session, directory_user)
-	`),
-	ast.MustParseExpr(`
-		group_names := [directory_group.name |
-			some i
-			group_id := group_ids[i]
-			directory_group := get_directory_group(group_id)
-			directory_group != null
-			directory_group.name != null]
-	`),
-	ast.MustParseExpr(`
-		group_emails := [directory_group.email |
-			some i
-			group_id := group_ids[i]
-			directory_group := get_directory_group(group_id)
-			directory_group != null
-			directory_group.email != null]
-	`),
-	ast.MustParseExpr(`
-		groups = array.concat(group_ids, array.concat(group_names, group_emails))
-	`),
-}
-
-type groupsCriterion struct {
-	g *Generator
-}
-
-func (groupsCriterion) DataType() generator.CriterionDataType {
-	return CriterionDataTypeStringListMatcher
-}
-
-func (groupsCriterion) Name() string {
-	return "groups"
-}
-
-func (c groupsCriterion) GenerateRule(_ string, data parser.Value) (*ast.Rule, []*ast.Rule, error) {
-	var body ast.Body
-	body = append(body, groupsBody...)
-
-	err := matchStringList(&body, ast.VarTerm("groups"), data)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	rule := NewCriterionSessionRule(c.g, c.Name(),
-		ReasonGroupsOK, ReasonGroupsUnauthorized,
-		body)
-
-	return rule, []*ast.Rule{
-		rules.GetSession(),
-		rules.GetDirectoryUser(),
-		rules.GetDirectoryGroup(),
-		rules.GetGroupIDs(),
-	}, nil
-}
-
-// Groups returns a Criterion on a user's group ids, names or emails.
-func Groups(generator *Generator) Criterion {
-	return groupsCriterion{g: generator}
-}
-
-func init() {
-	Register(Groups)
-}
--- a/pkg/policy/criteria/groups_test.go
+++ b/pkg/policy/criteria/groups_test.go
@ -1,100 +0,0 @@
-package criteria
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/pomerium/pomerium/pkg/grpc/directory"
-	"github.com/pomerium/pomerium/pkg/grpc/session"
-)
-
-func TestGroups(t *testing.T) {
-	t.Run("no session", func(t *testing.T) {
-		res, err := evaluate(t, `
-allow:
-  and:
-    - groups:
-        has: group1
-    - groups:
-        has: group2
-`, []dataBrokerRecord{}, Input{Session: InputSession{ID: "SESSION_ID"}})
-		require.NoError(t, err)
-		require.Equal(t, A{false, A{ReasonUserUnauthenticated}, M{}}, res["allow"])
-		require.Equal(t, A{false, A{}}, res["deny"])
-	})
-	t.Run("by id", func(t *testing.T) {
-		res, err := evaluate(t, `
-allow:
-  and:
-    - groups:
-        has: group1
-`,
-			[]dataBrokerRecord{
-				&session.Session{
-					Id:     "SESSION_ID",
-					UserId: "USER_ID",
-				},
-				&directory.User{
-					Id:       "USER_ID",
-					GroupIds: []string{"group1"},
-				},
-			},
-			Input{Session: InputSession{ID: "SESSION_ID"}})
-		require.NoError(t, err)
-		require.Equal(t, A{true, A{ReasonGroupsOK}, M{}}, res["allow"])
-		require.Equal(t, A{false, A{}}, res["deny"])
-	})
-	t.Run("by email", func(t *testing.T) {
-		res, err := evaluate(t, `
-allow:
-  and:
-    - groups:
-        has: "group1@example.com"
-`,
-			[]dataBrokerRecord{
-				&session.Session{
-					Id:     "SESSION_ID",
-					UserId: "USER_ID",
-				},
-				&directory.User{
-					Id:       "USER_ID",
-					GroupIds: []string{"group1"},
-				},
-				&directory.Group{
-					Id:    "group1",
-					Email: "group1@example.com",
-				},
-			},
-			Input{Session: InputSession{ID: "SESSION_ID"}})
-		require.NoError(t, err)
-		require.Equal(t, A{true, A{ReasonGroupsOK}, M{}}, res["allow"])
-		require.Equal(t, A{false, A{}}, res["deny"])
-	})
-	t.Run("by name", func(t *testing.T) {
-		res, err := evaluate(t, `
-allow:
-  and:
-    - groups:
-        has: "Group 1"
-`,
-			[]dataBrokerRecord{
-				&session.Session{
-					Id:     "SESSION_ID",
-					UserId: "USER_ID",
-				},
-				&directory.User{
-					Id:       "USER_ID",
-					GroupIds: []string{"group1"},
-				},
-				&directory.Group{
-					Id:   "group1",
-					Name: "Group 1",
-				},
-			},
-			Input{Session: InputSession{ID: "SESSION_ID"}})
-		require.NoError(t, err)
-		require.Equal(t, A{true, A{ReasonGroupsOK}, M{}}, res["allow"])
-		require.Equal(t, A{false, A{}}, res["deny"])
-	})
-}
--- a/pkg/policy/criteria/reasons.go
+++ b/pkg/policy/criteria/reasons.go
@ -18,8 +18,6 @@ const (
 	ReasonDomainUnauthorized                   = "domain-unauthorized"
 	ReasonEmailOK                              = "email-ok"
 	ReasonEmailUnauthorized                    = "email-unauthorized"
-	ReasonGroupsOK                             = "groups-ok"
-	ReasonGroupsUnauthorized                   = "groups-unauthorized"
 	ReasonHTTPMethodOK                         = "http-method-ok"
 	ReasonHTTPMethodUnauthorized               = "http-method-unauthorized"
 	ReasonHTTPPathOK                           = "http-path-ok"
--- a/pkg/policy/rules/rules.go
+++ b/pkg/policy/rules/rules.go
@ -74,42 +74,6 @@ get_device_enrollment(device_credential) = v {
 `)
 }

-// GetDirectoryUser returns the directory user for the given session.
-func GetDirectoryUser() *ast.Rule {
-	return ast.MustParseRule(`
-get_directory_user(session) = v {
-	v = get_databroker_record("type.googleapis.com/directory.User", session.user_id)
-	v != null
-} else = "" {
-	true
-}
-`)
-}
-
-// GetDirectoryGroup returns the directory group for the given id.
-func GetDirectoryGroup() *ast.Rule {
-	return ast.MustParseRule(`
-get_directory_group(id) = v {
-	v = get_databroker_record("type.googleapis.com/directory.Group", id)
-	v != null
-} else = {} {
-	true
-}
-`)
-}
-
-// GetGroupIDs returns the group ids for the given session or directory user.
-func GetGroupIDs() *ast.Rule {
-	return ast.MustParseRule(`
-get_group_ids(session, directory_user) = v {
-	v = directory_user.group_ids
-	v != null
-} else = [] {
-	true
-}
-`)
-}
-
 // MergeWithAnd merges criterion results using `and`.
 func MergeWithAnd() *ast.Rule {
 	return ast.MustParseRule(`