core/identity: dynamic authenticator registration (#5105)

authenticate/config.go

@@ -3,8 +3,8 @@ package authenticate
 import (
 	"github.com/pomerium/pomerium/authenticate/events"
 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/identity"
 	identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 type authenticateConfig struct {

authenticate/handlers.go

@@ -18,14 +18,14 @@ import (
 	"github.com/pomerium/pomerium/internal/authenticateflow"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity"
-	"github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/middleware"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 // Handler returns the authenticate service's handler chain.

authenticate/handlers_test.go

@@ -28,8 +28,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding/mock"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity"
-	"github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/sessions"
 	mstore "github.com/pomerium/pomerium/internal/sessions/mock"
 	"github.com/pomerium/pomerium/internal/testutil"
@@ -37,6 +35,8 @@ import (
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	configproto "github.com/pomerium/pomerium/pkg/grpc/config"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 func testAuthenticate() *Authenticate {

authenticate/identity.go

@@ -2,9 +2,9 @@ package authenticate
 
 import (
 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/identity"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 func defaultGetIdentityProvider(options *config.Options, idpID string) (identity.Authenticator, error) {

authenticate/state.go

@@ -15,11 +15,11 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/handlers"
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 type flow interface {

config/options.go

@@ -27,8 +27,6 @@ import (
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/hashutil"
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
-	"github.com/pomerium/pomerium/internal/identity/oauth/apple"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sets"
 	"github.com/pomerium/pomerium/internal/telemetry"
@@ -38,6 +36,8 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/config"
 	"github.com/pomerium/pomerium/pkg/grpc/crypt"
 	"github.com/pomerium/pomerium/pkg/hpke"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth/apple"
 )
 
 // DisableHeaderKey is the key used to check whether to disable setting header

config/options_test.go

@@ -25,9 +25,9 @@ import (
 	"google.golang.org/protobuf/proto"
 
 	"github.com/pomerium/csrf"
-	"github.com/pomerium/pomerium/internal/identity/oauth/apple"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/config"
+	"github.com/pomerium/pomerium/pkg/identity/oauth/apple"
 )
 
 var cmpOptIgnoreUnexported = cmpopts.IgnoreUnexported(Options{}, Policy{})

config/policy.go

@@ -17,11 +17,11 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/pomerium/pomerium/internal/hashutil"
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 // Policy contains route specific configuration and access settings.

databroker/cache.go

@@ -17,9 +17,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/events"
-	"github.com/pomerium/pomerium/internal/identity"
-	"github.com/pomerium/pomerium/internal/identity/legacymanager"
-	"github.com/pomerium/pomerium/internal/identity/manager"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry"
 	"github.com/pomerium/pomerium/internal/version"
@@ -28,6 +25,9 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/registry"
 	"github.com/pomerium/pomerium/pkg/grpcutil"
+	"github.com/pomerium/pomerium/pkg/identity"
+	"github.com/pomerium/pomerium/pkg/identity/legacymanager"
+	"github.com/pomerium/pomerium/pkg/identity/manager"
 )
 
 // DataBroker represents the databroker service. The databroker service is a simple interface

internal/authenticateflow/authenticateflow.go

@@ -8,9 +8,9 @@ import (
 
 	"google.golang.org/protobuf/types/known/structpb"
 
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)

internal/authenticateflow/identityprofile.go

@@ -15,13 +15,13 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity"
-	"github.com/pomerium/pomerium/internal/identity/manager"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/identity"
+	"github.com/pomerium/pomerium/pkg/identity/manager"
 )
 
 // An "identity profile" is an alternative to a session, used in the stateless

internal/authenticateflow/stateful.go

@@ -17,8 +17,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity"
-	"github.com/pomerium/pomerium/internal/identity/manager"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
@@ -28,6 +26,8 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/grpcutil"
+	"github.com/pomerium/pomerium/pkg/identity"
+	"github.com/pomerium/pomerium/pkg/identity/manager"
 )
 
 // Stateful implements the stateful authentication flow. In this flow, the

internal/authenticateflow/stateful_test.go

@@ -23,7 +23,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/mock"
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/sessions"
 	mstore "github.com/pomerium/pomerium/internal/sessions/mock"
 	"github.com/pomerium/pomerium/internal/urlutil"
@@ -31,6 +30,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker/mock_databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/identity"
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )
 

internal/authenticateflow/stateless.go

@@ -18,7 +18,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
@@ -29,6 +28,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/hpke"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 // Stateless implements the stateless authentication flow. In this flow, the

internal/identity/providers.go

@@ -1,74 +0,0 @@
-// Package identity provides support for making OpenID Connect (OIDC)
-// and OAuth2 authenticated HTTP requests with third party identity providers.
-package identity
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-
-	"golang.org/x/oauth2"
-
-	"github.com/pomerium/pomerium/internal/identity/identity"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
-	"github.com/pomerium/pomerium/internal/identity/oauth/apple"
-	"github.com/pomerium/pomerium/internal/identity/oauth/github"
-	"github.com/pomerium/pomerium/internal/identity/oidc"
-	"github.com/pomerium/pomerium/internal/identity/oidc/auth0"
-	"github.com/pomerium/pomerium/internal/identity/oidc/azure"
-	"github.com/pomerium/pomerium/internal/identity/oidc/cognito"
-	"github.com/pomerium/pomerium/internal/identity/oidc/gitlab"
-	"github.com/pomerium/pomerium/internal/identity/oidc/google"
-	"github.com/pomerium/pomerium/internal/identity/oidc/okta"
-	"github.com/pomerium/pomerium/internal/identity/oidc/onelogin"
-	"github.com/pomerium/pomerium/internal/identity/oidc/ping"
-)
-
-// Authenticator is an interface representing the ability to authenticate with an identity provider.
-type Authenticator interface {
-	Authenticate(context.Context, string, identity.State) (*oauth2.Token, error)
-	Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error)
-	Revoke(context.Context, *oauth2.Token) error
-	Name() string
-	UpdateUserInfo(ctx context.Context, t *oauth2.Token, v any) error
-
-	SignIn(w http.ResponseWriter, r *http.Request, state string) error
-	SignOut(w http.ResponseWriter, r *http.Request, idTokenHint, authenticateSignedOutURL, redirectToURL string) error
-}
-
-// NewAuthenticator returns a new identity provider based on its name.
-func NewAuthenticator(o oauth.Options) (a Authenticator, err error) {
-	ctx := context.Background()
-	switch o.ProviderName {
-	case apple.Name:
-		a, err = apple.New(ctx, &o)
-	case auth0.Name:
-		a, err = auth0.New(ctx, &o)
-	case azure.Name:
-		a, err = azure.New(ctx, &o)
-	case gitlab.Name:
-		a, err = gitlab.New(ctx, &o)
-	case github.Name:
-		a, err = github.New(ctx, &o)
-	case google.Name:
-		a, err = google.New(ctx, &o)
-	case oidc.Name:
-		a, err = oidc.New(ctx, &o)
-	case okta.Name:
-		a, err = okta.New(ctx, &o)
-	case onelogin.Name:
-		a, err = onelogin.New(ctx, &o)
-	case ping.Name:
-		a, err = ping.New(ctx, &o)
-	case cognito.Name:
-		a, err = cognito.New(ctx, &o)
-	case "":
-		return nil, fmt.Errorf("identity: provider is not defined")
-	default:
-		return nil, fmt.Errorf("identity: unknown provider: %s", o.ProviderName)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return a, nil
-}

pkg/grpc/session/session.go

@@ -11,8 +11,8 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/identity"
 	"github.com/pomerium/pomerium/pkg/protoutil"
 	"github.com/pomerium/pomerium/pkg/slices"
 )

pkg/grpc/user/user.go

@@ -9,8 +9,8 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/identity"
 	"github.com/pomerium/pomerium/pkg/slices"
 )
 

pkg/identity/legacymanager/data.go

@@ -7,9 +7,9 @@ import (
 	"github.com/google/btree"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 const userRefreshInterval = 10 * time.Minute

pkg/identity/legacymanager/manager.go

@@ -18,7 +18,6 @@ import (
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/enabler"
 	"github.com/pomerium/pomerium/internal/events"
-	"github.com/pomerium/pomerium/internal/identity/identity"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/scheduler"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
@@ -26,6 +25,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/grpcutil"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
 	metrics_ids "github.com/pomerium/pomerium/pkg/metrics"
 )
 

pkg/identity/legacymanager/manager_test.go

@@ -17,11 +17,11 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/pomerium/pomerium/internal/events"
-	"github.com/pomerium/pomerium/internal/identity/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker/mock_databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
 	metrics_ids "github.com/pomerium/pomerium/pkg/metrics"
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )

pkg/identity/manager/data.go

@@ -7,9 +7,9 @@ import (
 
 	"google.golang.org/protobuf/types/known/timestamppb"
 
-	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/identity"
 )
 
 func nextSessionRefresh(

pkg/identity/manager/manager.go

@@ -18,13 +18,13 @@ import (
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/enabler"
 	"github.com/pomerium/pomerium/internal/events"
-	"github.com/pomerium/pomerium/internal/identity/identity"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/grpcutil"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
 	metrics_ids "github.com/pomerium/pomerium/pkg/metrics"
 )
 

pkg/identity/manager/manager_test.go

@@ -5,7 +5,7 @@ import (
 
 	"golang.org/x/oauth2"
 
-	"github.com/pomerium/pomerium/internal/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
 )
 
 type mockAuthenticator struct {

pkg/identity/mock_provider.go

@@ -6,7 +6,7 @@ import (
 
 	"golang.org/x/oauth2"
 
-	"github.com/pomerium/pomerium/internal/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
 )
 
 // MockProvider provides a mocked implementation of the providers interface.

pkg/identity/oauth/apple/apple.go

@@ -16,11 +16,11 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity/identity"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
-	"github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/internal/version"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 // Name identifies the apple identity provider.

pkg/identity/oauth/github/github.go

@@ -17,12 +17,12 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity/identity"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
-	"github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/internal/version"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 // Name identifies the GitHub identity provider
@@ -36,7 +36,7 @@ const (
 	emailPath          = "/user/emails"
 	// https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps
 	authURL  = "/login/oauth/authorize"
-	tokenURL = "/login/oauth/access_token"
+	tokenURL = "/login/oauth/access_token" //nolint:gosec
 
 	// since github doesn't implement oidc, we need this to refresh the user session
 	refreshDeadline = time.Minute * 60

pkg/identity/oidc/auth0/auth0.go

@@ -11,9 +11,9 @@ import (
 	"strings"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 const (

pkg/identity/oidc/auth0/auth0_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 func TestProvider(t *testing.T) {

pkg/identity/oidc/azure/microsoft.go

@@ -14,8 +14,8 @@ import (
 	go_oidc "github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 // Name identifies the Azure identity provider

pkg/identity/oidc/azure/microsoft_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 func TestAuthCodeOptions(t *testing.T) {

pkg/identity/oidc/cognito/cognito.go

@@ -8,9 +8,9 @@ import (
 	"net/url"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 var defaultScopes = []string{"openid", "email", "profile"}

pkg/identity/oidc/cognito/cognito_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 func TestProvider(t *testing.T) {

pkg/identity/oidc/gitlab/gitlab.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 // Name identifies the GitLab identity provider.

pkg/identity/oidc/google/google.go

@@ -10,8 +10,8 @@ import (
 
 	oidc "github.com/coreos/go-oidc/v3/oidc"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 const (

pkg/identity/oidc/google/google_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 func TestAuthCodeOptions(t *testing.T) {

pkg/identity/oidc/oidc.go

@@ -16,10 +16,10 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/identity/identity"
-	"github.com/pomerium/pomerium/internal/identity/oauth"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/internal/version"
+	"github.com/pomerium/pomerium/pkg/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 // Name identifies the generic OpenID Connect provider.

pkg/identity/oidc/oidc_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
 func TestRevoke(t *testing.T) {

pkg/identity/oidc/okta/okta.go

@@ -7,8 +7,8 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 const (

pkg/identity/oidc/onelogin/onelogin.go

@@ -10,8 +10,8 @@ import (
 
 	oidc "github.com/coreos/go-oidc/v3/oidc"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 const (

pkg/identity/oidc/ping/ping.go

@@ -7,8 +7,8 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/pomerium/pomerium/internal/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
-	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
 )
 
 const (

pkg/identity/providers.go

@@ -0,0 +1,80 @@
+// Package identity provides support for making OpenID Connect (OIDC)
+// and OAuth2 authenticated HTTP requests with third party identity providers.
+package identity
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"golang.org/x/oauth2"
+
+	"github.com/pomerium/pomerium/pkg/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth/apple"
+	"github.com/pomerium/pomerium/pkg/identity/oauth/github"
+	"github.com/pomerium/pomerium/pkg/identity/oidc"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/auth0"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/azure"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/cognito"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/gitlab"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/google"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/okta"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/onelogin"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/ping"
+)
+
+// State is the identity state.
+type State = identity.State
+
+// Authenticator is an interface representing the ability to authenticate with an identity provider.
+type Authenticator interface {
+	Authenticate(context.Context, string, State) (*oauth2.Token, error)
+	Refresh(context.Context, *oauth2.Token, State) (*oauth2.Token, error)
+	Revoke(context.Context, *oauth2.Token) error
+	Name() string
+	UpdateUserInfo(ctx context.Context, t *oauth2.Token, v any) error
+
+	SignIn(w http.ResponseWriter, r *http.Request, state string) error
+	SignOut(w http.ResponseWriter, r *http.Request, idTokenHint, authenticateSignedOutURL, redirectToURL string) error
+}
+
+// AuthenticatorConstructor makes an Authenticator from the given options.
+type AuthenticatorConstructor func(context.Context, *oauth.Options) (Authenticator, error)
+
+var registry = map[string]AuthenticatorConstructor{}
+
+// RegisterAuthenticator registers a new Authenticator.
+func RegisterAuthenticator(name string, ctor AuthenticatorConstructor) {
+	registry[name] = ctor
+}
+
+func init() {
+	RegisterAuthenticator(apple.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return apple.New(ctx, o) })
+	RegisterAuthenticator(auth0.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return auth0.New(ctx, o) })
+	RegisterAuthenticator(azure.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return azure.New(ctx, o) })
+	RegisterAuthenticator(cognito.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return cognito.New(ctx, o) })
+	RegisterAuthenticator(github.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return github.New(ctx, o) })
+	RegisterAuthenticator(gitlab.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return gitlab.New(ctx, o) })
+	RegisterAuthenticator(google.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return google.New(ctx, o) })
+	RegisterAuthenticator(oidc.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return oidc.New(ctx, o) })
+	RegisterAuthenticator(okta.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return okta.New(ctx, o) })
+	RegisterAuthenticator(onelogin.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return onelogin.New(ctx, o) })
+	RegisterAuthenticator(ping.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return ping.New(ctx, o) })
+}
+
+// NewAuthenticator returns a new identity provider based on its name.
+func NewAuthenticator(o oauth.Options) (a Authenticator, err error) {
+	ctx := context.Background()
+
+	if o.ProviderName == "" {
+		return nil, fmt.Errorf("identity: provider is not defined")
+	}
+
+	ctor, ok := registry[o.ProviderName]
+	if !ok {
+		return nil, fmt.Errorf("identity: unknown provider: %s", o.ProviderName)
+	}
+
+	return ctor(ctx, &o)
+}