multi-domain login redirects (#5564)

Add a new 'depends_on' route configuration option taking a list of additional hosts to redirect through on login. Update the authorize service and proxy service to support a chain of /.pomerium/callback redirects. Add an integration test for this feature.
2025-07-30 15:00:51 +02:00 · 2025-04-04 13:14:30 -07:00 · 2025-04-04 13:14:30 -07:00 · c848c225e8
commit c848c225e8
parent c47055bece
12 changed files with 227 additions and 16 deletions
--- a/config/policy.go
+++ b/config/policy.go
@ -200,6 +200,8 @@ type Policy struct {
 	ShowErrorDetails bool `mapstructure:"show_error_details" yaml:"show_error_details" json:"show_error_details"`

 	Policy *PPLPolicy `mapstructure:"policy" yaml:"policy,omitempty" json:"policy,omitempty"`
+
+	DependsOn []string `mapstructure:"depends_on" yaml:"depends_on,omitempty" json:"depends_on,omitempty"`
 }

 // RewriteHeader is a policy configuration option to rewrite an HTTP header.
@ -690,6 +692,10 @@ func (p *Policy) Validate() error {
 		return fmt.Errorf("config: unsupported jwt_issuer_format value %q", p.JWTIssuerFormat)
 	}

+	if len(p.DependsOn) > 5 {
+		return fmt.Errorf("config: depends_on is limited to 5 additional redirect hosts, got %v", p.DependsOn)
+	}
+
 	return nil
 }