integration: fix multi-stateless configuration (#4845)

Commit 08c186a contains a bug in the integration configuration template, preventing the multi-stateless cluster from actually setting the DEBUG_FORCE_AUTHENTICATE_FLOW environment variable. As a result this cluster was not exercising the stateless authentication flow. Fix the template so that this variable is applied as intended. Add an integration test case to verify that the intended authentication flow is in use: for the stateful flow, different routes should share the same underlying session, but for the stateless flow, different routes should receive different sessions.
2025-05-13 09:07:44 +02:00 · 2023-12-08 09:12:15 -08:00 · 2023-12-08 09:12:15 -08:00 · e0ac870442
commit e0ac870442
parent 08c186a72e
3 changed files with 94 additions and 9 deletions
--- a/integration/authentication_test.go
+++ b/integration/authentication_test.go
@ -0,0 +1,77 @@
 package main
 import (
 	"context"
 	"net/http"
 	"net/url"
 	"testing"
 	"time"
 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/pomerium/pomerium/integration/flows"
 )
 func TestRouteSessions(t *testing.T) {
 	ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*30)
 	defer clearTimeout()
 	client := getClient(t)
 	// Sign in to access one route.
 	url1 := mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain")
 	res, err := flows.Authenticate(ctx, client, url1, flows.WithEmail("user1@dogs.test"))
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, res.StatusCode, "expected OK for httpdetails")
 	// Now request a different route. This should not require signing in again,
 	// but will redirect through the authenticate service if using the
 	// stateless authentication flow.
 	client.CheckRedirect = nil
 	url2 := mustParseURL("https://restricted-httpdetails.localhost.pomerium.io/by-domain")
 	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, url2.String(), nil)
 	res, err = client.Do(req)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, res.StatusCode, "expected OK for restricted-httpdetails")
 	// Now examine the session cookies saved for each route.
 	claims1 := getSessionCookieJWTClaims(t, client, url1)
 	claims2 := getSessionCookieJWTClaims(t, client, url2)
 	if AuthenticateFlow == "stateless" {
 		// Under the stateless authenticate flow, each route should have its
 		// own session.
 		assert.NotEqual(t, claims1.ID, claims2.ID)
 	} else {
 		// Under the stateful authenticate flow, the two routes should share
 		// the same session.
 		assert.Equal(t, claims1.ID, claims2.ID)
 	}
 }
 func getSessionCookieJWTClaims(t *testing.T, client *http.Client, u *url.URL) *jwt.Claims {
 	t.Helper()
 	cookie := getSessionCookie(t, client, u)
 	token, err := jwt.ParseSigned(cookie.Value)
 	require.NoError(t, err)
 	var claims jwt.Claims
 	err = token.UnsafeClaimsWithoutVerification(&claims)
 	require.NoError(t, err)
 	return &claims
 }
 func getSessionCookie(t *testing.T, client *http.Client, u *url.URL) *http.Cookie {
 	t.Helper()
 	for _, c := range client.Jar.Cookies(u) {
 		if c.Name == "_pomerium" {
 			return c
 		}
 	}
 	t.Fatalf("no session cookie found for URL %q", u.String())
 	return nil
 }
--- a/integration/clusters/multi-stateless/compose.yml
+++ b/integration/clusters/multi-stateless/compose.yml
@ -166,6 +166,7 @@ services:
      DATABROKER_SERVICE_URL: https://pomerium-databroker:5443
      DATABROKER_STORAGE_CONNECTION_STRING: postgres://pomerium:password@postgres:5432/test
      DATABROKER_STORAGE_TYPE: postgres
      DEBUG_FORCE_AUTHENTICATE_FLOW: stateless
      DOWNSTREAM_MTLS_CRL: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNXakNCd3dJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTVJjTk1qTXdOekU1TWpFeApPRFExV2hjTk16TXdOekUyTWpFeE9EUTFXakFqTUNFQ0VFWTlqblU4Vmt0Mk1ZdWVza1JkN2J3WERUSXpNRGN4Ck9USXhNVGMwTjFxZ01EQXVNQjhHQTFVZEl3UVlNQmFBRk5IMU5BejhVajI0UGhDR2RCa0dpMENNUUdNTE1Bc0cKQTFVZEZBUUVBZ0lRQURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQTR3M293NGoxRGF1ZmlCQlhoZEMwRUN5WQp6RHhPdUFDZFI0enlvWWJqTjFnMmtjMGJ1Y2hKNytWMGVUWS9SblNOYyt1cU5ZK0xZcHJYUXF1WktscjlkRlVyCnZKL3BYSit1eUxSL016ZWhpVHIzSG9UTENQbGlLWkREYXlQbW9admFxSEQ4SW9HRW5RWDZrQ0Vob3BiN2d0cUoKVTdUZkhhZXhpMHA0M0ZIMDBnblpmYURNa2NBZDh6Q2xzRVhVckFGQ1FSRDFNNVB1Q09UTzdDZVFjSTUzdUJ2ZAo4YUd2eUhsS0EvMk8xN2duaU1uZ2NvQ083Mk5BVWx0SnpNYnVncWVYT29pR0hZb1NzS1RiWTdNZExoWTNNRUJhCjNaa0NGZ3QzSExIVHo1UzBQZUJWclQ3L3k3U3o1Y2owUUEwSktMM0ozcHNuZ1ZicFM0b0h1NmN5dmcvLzdOZEcKS05CcWRhcytLUEFzbVYrM3k2NENyMmhuditXc1dqaXV4RGdJRUZ6cFFPY3lOT1p6bUlTQUN3N1lYandGdUluZQpPaWlNdVlzLzJOdndRMU9QZnEzamczSWY4a0JVY1NWaCtUZTRGSTMrMDd0V1V2TjZuVllDNFZtWEFjRzFIdXhRCkdubmU5ZjVoZ0VKUFZmTFQrdUozMVZWMTYrdkJuWkQ4NURaSlRyRE0KLS0tLS1FTkQgWDUwOSBDUkwtLS0tLQotLS0tLUJFR0lOIFg1MDkgQ1JMLS0tLS0KTUlJQ05UQ0JuZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREE2TVI0d0hBWURWUVFLRXhWdGEyTmxjblFnWkdWMgpaV3h2Y0cxbGJuUWdRMEV4R0RBV0JnTlZCQU1URDJSdmQyNXpkSEpsWVcwZ1EwRWdNaGNOTWpNd056RTVNakUxCk1ERTFXaGNOTXpNd056RTJNakUxTURFMVdxQXdNQzR3SHdZRFZSMGpCQmd3Rm9BVUN4UTJjQmE1WXpxVnphbXAKaU5DeDhLd0ZGeVF3Q3dZRFZSMFVCQVFDQWhBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQmdRQ1lhbXg4cE0rUgpDbHlza2N1N291aHUvUjFKeTFuV0d5V3RLcGhZcTBYRmJPTGxuazJaN2VEZkFYOEVlajJGYXZxeHphcFIyeDJPCjRpSk5EQ21pd1lZWVVTMlgyTEozclJSSlh5WHZXaHRmSHJ4VVJkNkJpdEMySVhweWtCdFZsZjN6QW5aOEdaRlEKUzFqZGZ5TE11RUFpRHdJYWkzWXQ4SHNEcC9xRzA4OW9YY29TdHlRZy91UnBtV3kwNUE5dUNWT2ZOSFNMU1p1OApscjRxYXRsZXUwd1diVjFhbUw4dE85eDRDUmtPMG8xWWFRcTREb09ydVByKzNOa1RtUHZHaWRoM0Y3MVY2SUVBCmgrS3pkYlJYeEZtQ0NXTFdtcEpEY3JnUjdLVXFaT2hVVXQrRFVxYXFoVjQ0cUkwbnJwUitRWkxvaG9Eb3I5THcKSyt1ZmozbjI5ZVNSWCszUHgrb1ZXUFQ4WVpQMnVLUGRpemk5Nm1lMmpXVHI1MXg5QWpFb0pEc1RuWVJsOSt1WQpTaGlVeFduVGRRc29va25JZmNTLzB6ZmdaODdHdlVWemluQ1F6SnB3VnhkNEFsdDhBbFIrZlhBcU5Jb09ndXl2CnAvQ3RSVm5qVkU3bDdIVy9oUVJxMUowaWpDQ0t3bXlmL0tUZDZFSzRUZHJ2YlgvVTltc1ZNOFk9Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0K
      ENVOY_ADMIN_ADDRESS: 0.0.0.0:9901
      GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT: ewoiYXV0aF9wcm92aWRlcl94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImF1dGhfdXJpIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImNsaWVudF9lbWFpbCI6ICJyZWRhY3RlZEBwb21lcml1bS1yZWRhY3RlZC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiJjbGllbnRfaWQiOiAiMTAxMjE1OTkwNDU4MDAwMzM0Mzg3IiwKImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKInByaXZhdGVfa2V5IjogIi0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLVxuTUlJRXZRSUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NCS2N3Z2dTakFnRUFBb0lCQVFDOEhMQkFJelhrUGVlZ1xubGRVZlJLSzJqUXhTVlpENWcrcXNqQXpwbXJxL0F0bXdlSzFjR2NPdFo2ZU9MK3A4YnJQRHlWaERUMFFsSS9PL1xuRUtnQ09GRnhVRHFvUjgyaVkwNlNhY0FqSG5pNitQTzl0VlJiRlYwdzE0QkRBSlNwQitWdld5bCtGb1BEVi92c1xuWjMxRnRZdytFd3FrYkR4L2thVDl1emYrTEpkbGtmMTRuUVFqOEVreS84ZDNtV0piYi85dGpPYnNhUWdKNUxMeFxuQ1lkSW1rcjc3WDJMTXVEdy8xdHBINjQyR0UyNU5yZ202UUhseUtTZllYbzM4djgzZWJFcWJaVURHK1ppb0FyUFxubXFta2F3VVd3M2VraGo4MFNKZy9USzlQUmFOL1Z2Y0kxUGdBZDdMWnp0VVJlU21UeTVoZDlyNnJPQnhweHduVFxuRHZIa0JuNnZBZ01CQUFFQ2dnRUFCMjhpMEFZVU5TYjFKbldGYkt6cnVVY3R1M3RDTlhvdkpnNkszQmlQVk1rcVxuRFQxWHJKSWdGNVJISE9scjNPc0xFNnU3WHoyY3RkTUw2UHNoaUtUdEl3dEdwaXZnUnBDaUpFc2xtcjJ6aThBV1xuOGVKZXFSTFpFZnNTU0pPWFRHN1JkR3NuNHFIRkowMHMyWlRsY0lIU1B3bkZtK1hqSmk5OVU4RzRYc1VvWG8wclxuR3krMFZDdVU3TThnSUNFSEhzclFPOVhERDNuVDJqaXU1VGpyS3dqdXQzRW1vSnNzSTVicXgzMytPQnU1QnBDUFxuQ1Q0NzNENDNQOXAzcWkvWG5mdnFHU0cyT2o0T2FqVjRmcjBvOUIzS3ZJeGtNZW03V2xJM2p5eTFrQXB5WHFWVFxuYkxrTEZ5V0JOVFdVWjJSLzJ3eG11b0M2bUxadzg3OU1MQ0tNdmsxZG9RS0JnUURobXdHYWZKTnltVGlFUVpSSVxuU3NReDRzZXFmT0tmZ0ZDN29ocUg5Y1JPT3U4SUoxbzdxMnBNMlc0WGlWK1Mzd1RkUEdtY2E2SU9qWDIzaXNWQlxuMnVxTmk5UzRNbkkyL2QyMkdkL0JSOXJ2QncxZUdKb0ticld4MjJmRThRQ0VXVDFBbk8rRHVEMGpDODV5UmxzN1xuYXh6bGFNcnhFdTNMSTlVRTdOdHJkUWlCeVFLQmdRRFZkSTZjZUlWQlQ2Umd2Vkd0OHprTGpQSUZqaFFFSEFJcFxudWhpcmdxcFM2Q1g5Qmx5ZjIrbzQwem1majNoZTVyQ2NFb0I1TXNlTStEZ0ZiY1ZoMmUvTVZuWWlOTnc2SkNEQlxuQlFrRjQwOHBacFNlS1h2TC9veVYva0ltTVRKL3RVRFkwRVh4TXdTUEpCMFdsdGJXcmVWSUhvcGlnWFJDYmFleVxudUJIVkJ2LzR0d0tCZ0h3SHVlUHk1U1UxczJxU216RDdXYzJMUGZZdTNuQ09ITlJyRkdiMjZNdVJmdVJlcmk3clxuMkc4VGdvRVNGeWNwMFFUSU44KzFKTTBYWUt4TmNKRDZCOFYxd0tiYnBRc3ltbmVJMWdqdXRpQi9JZ3cvUGtES1xuQ0w0VlA0RjRkYTVOV1cxeVdnTnlnTG9KdlovNXFpS0tpc0pjMEdXazRIS3o2bUxnek9qUTJMSnhBb0dCQUxIWlxuZk4yWWVZYnlZY2FNMTFwMVZpbHVsVlRWalkzaS9GWmlEUjRTTC9JR0pXak4vU3pnNGlYWXNLRm11K2R1bE9abFxuY0JBTHBFS3JxcG16WFl0ck42YnN2MTgrNWVPM3FHYksyRHJFcTNlV1ZldjJLb1RNb2J4ejdnKytYQklXSm1MQVxuSGhhYTZJaVBrWUQ1eXlWeUhLRGJlWGdiM285ZXFDUjd3N2ZZTGp5L0FvR0FJNEQrTUZraXZ3VUY3aHFmNWVkU1xuS3JsdHdtb2RIaXFYTmJWa3diVzFBRlBKYmlZYWk0WUZmSzRJQWJpZi9ZbXhmOUc3OGFPa3I5WnBDSXpPa0RQWlxuWXBFd1FHV3NBaEVsQ0Z2YzhFLzVkSEVTU3ArdFd0UCtObHVpbXBGcWlEZzMvU1VuTXdPMnhIMG5oTGEwemVqaFxuZ21MaDR3L0NjUHliOVp5WGNlV1UvblU9XG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tXG4iLAoicHJpdmF0ZV9rZXlfaWQiOiAiZTA3ZjdjOTM4NzBjN2UwM2Y4ODM1NjBlY2Q4ZmQwZjRkMjdiMDA4MSIsCiJwcm9qZWN0X2lkIjogInBvbWVyaXVtLXJlZGFjdGVkIiwKInRva2VuX3VyaSI6ICJodHRwOi8vbW9jay1pZHA6ODAyNC90b2tlbiIsCiJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIKfQ==
@ -226,6 +227,7 @@ services:
      DATABROKER_SERVICE_URL: https://pomerium-databroker:5443
      DATABROKER_STORAGE_CONNECTION_STRING: postgres://pomerium:password@postgres:5432/test
      DATABROKER_STORAGE_TYPE: postgres
      DEBUG_FORCE_AUTHENTICATE_FLOW: stateless
      DOWNSTREAM_MTLS_CRL: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNXakNCd3dJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTVJjTk1qTXdOekU1TWpFeApPRFExV2hjTk16TXdOekUyTWpFeE9EUTFXakFqTUNFQ0VFWTlqblU4Vmt0Mk1ZdWVza1JkN2J3WERUSXpNRGN4Ck9USXhNVGMwTjFxZ01EQXVNQjhHQTFVZEl3UVlNQmFBRk5IMU5BejhVajI0UGhDR2RCa0dpMENNUUdNTE1Bc0cKQTFVZEZBUUVBZ0lRQURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQTR3M293NGoxRGF1ZmlCQlhoZEMwRUN5WQp6RHhPdUFDZFI0enlvWWJqTjFnMmtjMGJ1Y2hKNytWMGVUWS9SblNOYyt1cU5ZK0xZcHJYUXF1WktscjlkRlVyCnZKL3BYSit1eUxSL016ZWhpVHIzSG9UTENQbGlLWkREYXlQbW9admFxSEQ4SW9HRW5RWDZrQ0Vob3BiN2d0cUoKVTdUZkhhZXhpMHA0M0ZIMDBnblpmYURNa2NBZDh6Q2xzRVhVckFGQ1FSRDFNNVB1Q09UTzdDZVFjSTUzdUJ2ZAo4YUd2eUhsS0EvMk8xN2duaU1uZ2NvQ083Mk5BVWx0SnpNYnVncWVYT29pR0hZb1NzS1RiWTdNZExoWTNNRUJhCjNaa0NGZ3QzSExIVHo1UzBQZUJWclQ3L3k3U3o1Y2owUUEwSktMM0ozcHNuZ1ZicFM0b0h1NmN5dmcvLzdOZEcKS05CcWRhcytLUEFzbVYrM3k2NENyMmhuditXc1dqaXV4RGdJRUZ6cFFPY3lOT1p6bUlTQUN3N1lYandGdUluZQpPaWlNdVlzLzJOdndRMU9QZnEzamczSWY4a0JVY1NWaCtUZTRGSTMrMDd0V1V2TjZuVllDNFZtWEFjRzFIdXhRCkdubmU5ZjVoZ0VKUFZmTFQrdUozMVZWMTYrdkJuWkQ4NURaSlRyRE0KLS0tLS1FTkQgWDUwOSBDUkwtLS0tLQotLS0tLUJFR0lOIFg1MDkgQ1JMLS0tLS0KTUlJQ05UQ0JuZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREE2TVI0d0hBWURWUVFLRXhWdGEyTmxjblFnWkdWMgpaV3h2Y0cxbGJuUWdRMEV4R0RBV0JnTlZCQU1URDJSdmQyNXpkSEpsWVcwZ1EwRWdNaGNOTWpNd056RTVNakUxCk1ERTFXaGNOTXpNd056RTJNakUxTURFMVdxQXdNQzR3SHdZRFZSMGpCQmd3Rm9BVUN4UTJjQmE1WXpxVnphbXAKaU5DeDhLd0ZGeVF3Q3dZRFZSMFVCQVFDQWhBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQmdRQ1lhbXg4cE0rUgpDbHlza2N1N291aHUvUjFKeTFuV0d5V3RLcGhZcTBYRmJPTGxuazJaN2VEZkFYOEVlajJGYXZxeHphcFIyeDJPCjRpSk5EQ21pd1lZWVVTMlgyTEozclJSSlh5WHZXaHRmSHJ4VVJkNkJpdEMySVhweWtCdFZsZjN6QW5aOEdaRlEKUzFqZGZ5TE11RUFpRHdJYWkzWXQ4SHNEcC9xRzA4OW9YY29TdHlRZy91UnBtV3kwNUE5dUNWT2ZOSFNMU1p1OApscjRxYXRsZXUwd1diVjFhbUw4dE85eDRDUmtPMG8xWWFRcTREb09ydVByKzNOa1RtUHZHaWRoM0Y3MVY2SUVBCmgrS3pkYlJYeEZtQ0NXTFdtcEpEY3JnUjdLVXFaT2hVVXQrRFVxYXFoVjQ0cUkwbnJwUitRWkxvaG9Eb3I5THcKSyt1ZmozbjI5ZVNSWCszUHgrb1ZXUFQ4WVpQMnVLUGRpemk5Nm1lMmpXVHI1MXg5QWpFb0pEc1RuWVJsOSt1WQpTaGlVeFduVGRRc29va25JZmNTLzB6ZmdaODdHdlVWemluQ1F6SnB3VnhkNEFsdDhBbFIrZlhBcU5Jb09ndXl2CnAvQ3RSVm5qVkU3bDdIVy9oUVJxMUowaWpDQ0t3bXlmL0tUZDZFSzRUZHJ2YlgvVTltc1ZNOFk9Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0K
      ENVOY_ADMIN_ADDRESS: 0.0.0.0:9901
      GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT: ewoiYXV0aF9wcm92aWRlcl94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImF1dGhfdXJpIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImNsaWVudF9lbWFpbCI6ICJyZWRhY3RlZEBwb21lcml1bS1yZWRhY3RlZC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiJjbGllbnRfaWQiOiAiMTAxMjE1OTkwNDU4MDAwMzM0Mzg3IiwKImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKInByaXZhdGVfa2V5IjogIi0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLVxuTUlJRXZRSUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NCS2N3Z2dTakFnRUFBb0lCQVFDOEhMQkFJelhrUGVlZ1xubGRVZlJLSzJqUXhTVlpENWcrcXNqQXpwbXJxL0F0bXdlSzFjR2NPdFo2ZU9MK3A4YnJQRHlWaERUMFFsSS9PL1xuRUtnQ09GRnhVRHFvUjgyaVkwNlNhY0FqSG5pNitQTzl0VlJiRlYwdzE0QkRBSlNwQitWdld5bCtGb1BEVi92c1xuWjMxRnRZdytFd3FrYkR4L2thVDl1emYrTEpkbGtmMTRuUVFqOEVreS84ZDNtV0piYi85dGpPYnNhUWdKNUxMeFxuQ1lkSW1rcjc3WDJMTXVEdy8xdHBINjQyR0UyNU5yZ202UUhseUtTZllYbzM4djgzZWJFcWJaVURHK1ppb0FyUFxubXFta2F3VVd3M2VraGo4MFNKZy9USzlQUmFOL1Z2Y0kxUGdBZDdMWnp0VVJlU21UeTVoZDlyNnJPQnhweHduVFxuRHZIa0JuNnZBZ01CQUFFQ2dnRUFCMjhpMEFZVU5TYjFKbldGYkt6cnVVY3R1M3RDTlhvdkpnNkszQmlQVk1rcVxuRFQxWHJKSWdGNVJISE9scjNPc0xFNnU3WHoyY3RkTUw2UHNoaUtUdEl3dEdwaXZnUnBDaUpFc2xtcjJ6aThBV1xuOGVKZXFSTFpFZnNTU0pPWFRHN1JkR3NuNHFIRkowMHMyWlRsY0lIU1B3bkZtK1hqSmk5OVU4RzRYc1VvWG8wclxuR3krMFZDdVU3TThnSUNFSEhzclFPOVhERDNuVDJqaXU1VGpyS3dqdXQzRW1vSnNzSTVicXgzMytPQnU1QnBDUFxuQ1Q0NzNENDNQOXAzcWkvWG5mdnFHU0cyT2o0T2FqVjRmcjBvOUIzS3ZJeGtNZW03V2xJM2p5eTFrQXB5WHFWVFxuYkxrTEZ5V0JOVFdVWjJSLzJ3eG11b0M2bUxadzg3OU1MQ0tNdmsxZG9RS0JnUURobXdHYWZKTnltVGlFUVpSSVxuU3NReDRzZXFmT0tmZ0ZDN29ocUg5Y1JPT3U4SUoxbzdxMnBNMlc0WGlWK1Mzd1RkUEdtY2E2SU9qWDIzaXNWQlxuMnVxTmk5UzRNbkkyL2QyMkdkL0JSOXJ2QncxZUdKb0ticld4MjJmRThRQ0VXVDFBbk8rRHVEMGpDODV5UmxzN1xuYXh6bGFNcnhFdTNMSTlVRTdOdHJkUWlCeVFLQmdRRFZkSTZjZUlWQlQ2Umd2Vkd0OHprTGpQSUZqaFFFSEFJcFxudWhpcmdxcFM2Q1g5Qmx5ZjIrbzQwem1majNoZTVyQ2NFb0I1TXNlTStEZ0ZiY1ZoMmUvTVZuWWlOTnc2SkNEQlxuQlFrRjQwOHBacFNlS1h2TC9veVYva0ltTVRKL3RVRFkwRVh4TXdTUEpCMFdsdGJXcmVWSUhvcGlnWFJDYmFleVxudUJIVkJ2LzR0d0tCZ0h3SHVlUHk1U1UxczJxU216RDdXYzJMUGZZdTNuQ09ITlJyRkdiMjZNdVJmdVJlcmk3clxuMkc4VGdvRVNGeWNwMFFUSU44KzFKTTBYWUt4TmNKRDZCOFYxd0tiYnBRc3ltbmVJMWdqdXRpQi9JZ3cvUGtES1xuQ0w0VlA0RjRkYTVOV1cxeVdnTnlnTG9KdlovNXFpS0tpc0pjMEdXazRIS3o2bUxnek9qUTJMSnhBb0dCQUxIWlxuZk4yWWVZYnlZY2FNMTFwMVZpbHVsVlRWalkzaS9GWmlEUjRTTC9JR0pXak4vU3pnNGlYWXNLRm11K2R1bE9abFxuY0JBTHBFS3JxcG16WFl0ck42YnN2MTgrNWVPM3FHYksyRHJFcTNlV1ZldjJLb1RNb2J4ejdnKytYQklXSm1MQVxuSGhhYTZJaVBrWUQ1eXlWeUhLRGJlWGdiM285ZXFDUjd3N2ZZTGp5L0FvR0FJNEQrTUZraXZ3VUY3aHFmNWVkU1xuS3JsdHdtb2RIaXFYTmJWa3diVzFBRlBKYmlZYWk0WUZmSzRJQWJpZi9ZbXhmOUc3OGFPa3I5WnBDSXpPa0RQWlxuWXBFd1FHV3NBaEVsQ0Z2YzhFLzVkSEVTU3ArdFd0UCtObHVpbXBGcWlEZzMvU1VuTXdPMnhIMG5oTGEwemVqaFxuZ21MaDR3L0NjUHliOVp5WGNlV1UvblU9XG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tXG4iLAoicHJpdmF0ZV9rZXlfaWQiOiAiZTA3ZjdjOTM4NzBjN2UwM2Y4ODM1NjBlY2Q4ZmQwZjRkMjdiMDA4MSIsCiJwcm9qZWN0X2lkIjogInBvbWVyaXVtLXJlZGFjdGVkIiwKInRva2VuX3VyaSI6ICJodHRwOi8vbW9jay1pZHA6ODAyNC90b2tlbiIsCiJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIKfQ==
@ -285,6 +287,7 @@ services:
      DATABROKER_SERVICE_URL: https://pomerium-databroker:5443
      DATABROKER_STORAGE_CONNECTION_STRING: postgres://pomerium:password@postgres:5432/test
      DATABROKER_STORAGE_TYPE: postgres
      DEBUG_FORCE_AUTHENTICATE_FLOW: stateless
      DOWNSTREAM_MTLS_CRL: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNXakNCd3dJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTVJjTk1qTXdOekU1TWpFeApPRFExV2hjTk16TXdOekUyTWpFeE9EUTFXakFqTUNFQ0VFWTlqblU4Vmt0Mk1ZdWVza1JkN2J3WERUSXpNRGN4Ck9USXhNVGMwTjFxZ01EQXVNQjhHQTFVZEl3UVlNQmFBRk5IMU5BejhVajI0UGhDR2RCa0dpMENNUUdNTE1Bc0cKQTFVZEZBUUVBZ0lRQURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQTR3M293NGoxRGF1ZmlCQlhoZEMwRUN5WQp6RHhPdUFDZFI0enlvWWJqTjFnMmtjMGJ1Y2hKNytWMGVUWS9SblNOYyt1cU5ZK0xZcHJYUXF1WktscjlkRlVyCnZKL3BYSit1eUxSL016ZWhpVHIzSG9UTENQbGlLWkREYXlQbW9admFxSEQ4SW9HRW5RWDZrQ0Vob3BiN2d0cUoKVTdUZkhhZXhpMHA0M0ZIMDBnblpmYURNa2NBZDh6Q2xzRVhVckFGQ1FSRDFNNVB1Q09UTzdDZVFjSTUzdUJ2ZAo4YUd2eUhsS0EvMk8xN2duaU1uZ2NvQ083Mk5BVWx0SnpNYnVncWVYT29pR0hZb1NzS1RiWTdNZExoWTNNRUJhCjNaa0NGZ3QzSExIVHo1UzBQZUJWclQ3L3k3U3o1Y2owUUEwSktMM0ozcHNuZ1ZicFM0b0h1NmN5dmcvLzdOZEcKS05CcWRhcytLUEFzbVYrM3k2NENyMmhuditXc1dqaXV4RGdJRUZ6cFFPY3lOT1p6bUlTQUN3N1lYandGdUluZQpPaWlNdVlzLzJOdndRMU9QZnEzamczSWY4a0JVY1NWaCtUZTRGSTMrMDd0V1V2TjZuVllDNFZtWEFjRzFIdXhRCkdubmU5ZjVoZ0VKUFZmTFQrdUozMVZWMTYrdkJuWkQ4NURaSlRyRE0KLS0tLS1FTkQgWDUwOSBDUkwtLS0tLQotLS0tLUJFR0lOIFg1MDkgQ1JMLS0tLS0KTUlJQ05UQ0JuZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREE2TVI0d0hBWURWUVFLRXhWdGEyTmxjblFnWkdWMgpaV3h2Y0cxbGJuUWdRMEV4R0RBV0JnTlZCQU1URDJSdmQyNXpkSEpsWVcwZ1EwRWdNaGNOTWpNd056RTVNakUxCk1ERTFXaGNOTXpNd056RTJNakUxTURFMVdxQXdNQzR3SHdZRFZSMGpCQmd3Rm9BVUN4UTJjQmE1WXpxVnphbXAKaU5DeDhLd0ZGeVF3Q3dZRFZSMFVCQVFDQWhBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQmdRQ1lhbXg4cE0rUgpDbHlza2N1N291aHUvUjFKeTFuV0d5V3RLcGhZcTBYRmJPTGxuazJaN2VEZkFYOEVlajJGYXZxeHphcFIyeDJPCjRpSk5EQ21pd1lZWVVTMlgyTEozclJSSlh5WHZXaHRmSHJ4VVJkNkJpdEMySVhweWtCdFZsZjN6QW5aOEdaRlEKUzFqZGZ5TE11RUFpRHdJYWkzWXQ4SHNEcC9xRzA4OW9YY29TdHlRZy91UnBtV3kwNUE5dUNWT2ZOSFNMU1p1OApscjRxYXRsZXUwd1diVjFhbUw4dE85eDRDUmtPMG8xWWFRcTREb09ydVByKzNOa1RtUHZHaWRoM0Y3MVY2SUVBCmgrS3pkYlJYeEZtQ0NXTFdtcEpEY3JnUjdLVXFaT2hVVXQrRFVxYXFoVjQ0cUkwbnJwUitRWkxvaG9Eb3I5THcKSyt1ZmozbjI5ZVNSWCszUHgrb1ZXUFQ4WVpQMnVLUGRpemk5Nm1lMmpXVHI1MXg5QWpFb0pEc1RuWVJsOSt1WQpTaGlVeFduVGRRc29va25JZmNTLzB6ZmdaODdHdlVWemluQ1F6SnB3VnhkNEFsdDhBbFIrZlhBcU5Jb09ndXl2CnAvQ3RSVm5qVkU3bDdIVy9oUVJxMUowaWpDQ0t3bXlmL0tUZDZFSzRUZHJ2YlgvVTltc1ZNOFk9Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0K
      ENVOY_ADMIN_ADDRESS: 0.0.0.0:9901
      GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT: ewoiYXV0aF9wcm92aWRlcl94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImF1dGhfdXJpIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImNsaWVudF9lbWFpbCI6ICJyZWRhY3RlZEBwb21lcml1bS1yZWRhY3RlZC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiJjbGllbnRfaWQiOiAiMTAxMjE1OTkwNDU4MDAwMzM0Mzg3IiwKImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKInByaXZhdGVfa2V5IjogIi0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLVxuTUlJRXZRSUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NCS2N3Z2dTakFnRUFBb0lCQVFDOEhMQkFJelhrUGVlZ1xubGRVZlJLSzJqUXhTVlpENWcrcXNqQXpwbXJxL0F0bXdlSzFjR2NPdFo2ZU9MK3A4YnJQRHlWaERUMFFsSS9PL1xuRUtnQ09GRnhVRHFvUjgyaVkwNlNhY0FqSG5pNitQTzl0VlJiRlYwdzE0QkRBSlNwQitWdld5bCtGb1BEVi92c1xuWjMxRnRZdytFd3FrYkR4L2thVDl1emYrTEpkbGtmMTRuUVFqOEVreS84ZDNtV0piYi85dGpPYnNhUWdKNUxMeFxuQ1lkSW1rcjc3WDJMTXVEdy8xdHBINjQyR0UyNU5yZ202UUhseUtTZllYbzM4djgzZWJFcWJaVURHK1ppb0FyUFxubXFta2F3VVd3M2VraGo4MFNKZy9USzlQUmFOL1Z2Y0kxUGdBZDdMWnp0VVJlU21UeTVoZDlyNnJPQnhweHduVFxuRHZIa0JuNnZBZ01CQUFFQ2dnRUFCMjhpMEFZVU5TYjFKbldGYkt6cnVVY3R1M3RDTlhvdkpnNkszQmlQVk1rcVxuRFQxWHJKSWdGNVJISE9scjNPc0xFNnU3WHoyY3RkTUw2UHNoaUtUdEl3dEdwaXZnUnBDaUpFc2xtcjJ6aThBV1xuOGVKZXFSTFpFZnNTU0pPWFRHN1JkR3NuNHFIRkowMHMyWlRsY0lIU1B3bkZtK1hqSmk5OVU4RzRYc1VvWG8wclxuR3krMFZDdVU3TThnSUNFSEhzclFPOVhERDNuVDJqaXU1VGpyS3dqdXQzRW1vSnNzSTVicXgzMytPQnU1QnBDUFxuQ1Q0NzNENDNQOXAzcWkvWG5mdnFHU0cyT2o0T2FqVjRmcjBvOUIzS3ZJeGtNZW03V2xJM2p5eTFrQXB5WHFWVFxuYkxrTEZ5V0JOVFdVWjJSLzJ3eG11b0M2bUxadzg3OU1MQ0tNdmsxZG9RS0JnUURobXdHYWZKTnltVGlFUVpSSVxuU3NReDRzZXFmT0tmZ0ZDN29ocUg5Y1JPT3U4SUoxbzdxMnBNMlc0WGlWK1Mzd1RkUEdtY2E2SU9qWDIzaXNWQlxuMnVxTmk5UzRNbkkyL2QyMkdkL0JSOXJ2QncxZUdKb0ticld4MjJmRThRQ0VXVDFBbk8rRHVEMGpDODV5UmxzN1xuYXh6bGFNcnhFdTNMSTlVRTdOdHJkUWlCeVFLQmdRRFZkSTZjZUlWQlQ2Umd2Vkd0OHprTGpQSUZqaFFFSEFJcFxudWhpcmdxcFM2Q1g5Qmx5ZjIrbzQwem1majNoZTVyQ2NFb0I1TXNlTStEZ0ZiY1ZoMmUvTVZuWWlOTnc2SkNEQlxuQlFrRjQwOHBacFNlS1h2TC9veVYva0ltTVRKL3RVRFkwRVh4TXdTUEpCMFdsdGJXcmVWSUhvcGlnWFJDYmFleVxudUJIVkJ2LzR0d0tCZ0h3SHVlUHk1U1UxczJxU216RDdXYzJMUGZZdTNuQ09ITlJyRkdiMjZNdVJmdVJlcmk3clxuMkc4VGdvRVNGeWNwMFFUSU44KzFKTTBYWUt4TmNKRDZCOFYxd0tiYnBRc3ltbmVJMWdqdXRpQi9JZ3cvUGtES1xuQ0w0VlA0RjRkYTVOV1cxeVdnTnlnTG9KdlovNXFpS0tpc0pjMEdXazRIS3o2bUxnek9qUTJMSnhBb0dCQUxIWlxuZk4yWWVZYnlZY2FNMTFwMVZpbHVsVlRWalkzaS9GWmlEUjRTTC9JR0pXak4vU3pnNGlYWXNLRm11K2R1bE9abFxuY0JBTHBFS3JxcG16WFl0ck42YnN2MTgrNWVPM3FHYksyRHJFcTNlV1ZldjJLb1RNb2J4ejdnKytYQklXSm1MQVxuSGhhYTZJaVBrWUQ1eXlWeUhLRGJlWGdiM285ZXFDUjd3N2ZZTGp5L0FvR0FJNEQrTUZraXZ3VUY3aHFmNWVkU1xuS3JsdHdtb2RIaXFYTmJWa3diVzFBRlBKYmlZYWk0WUZmSzRJQWJpZi9ZbXhmOUc3OGFPa3I5WnBDSXpPa0RQWlxuWXBFd1FHV3NBaEVsQ0Z2YzhFLzVkSEVTU3ArdFd0UCtObHVpbXBGcWlEZzMvU1VuTXdPMnhIMG5oTGEwemVqaFxuZ21MaDR3L0NjUHliOVp5WGNlV1UvblU9XG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tXG4iLAoicHJpdmF0ZV9rZXlfaWQiOiAiZTA3ZjdjOTM4NzBjN2UwM2Y4ODM1NjBlY2Q4ZmQwZjRkMjdiMDA4MSIsCiJwcm9qZWN0X2lkIjogInBvbWVyaXVtLXJlZGFjdGVkIiwKInRva2VuX3VyaSI6ICJodHRwOi8vbW9jay1pZHA6ODAyNC90b2tlbiIsCiJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIKfQ==
@ -344,6 +347,7 @@ services:
      DATABROKER_SERVICE_URL: https://pomerium-databroker:5443
      DATABROKER_STORAGE_CONNECTION_STRING: postgres://pomerium:password@postgres:5432/test
      DATABROKER_STORAGE_TYPE: postgres
      DEBUG_FORCE_AUTHENTICATE_FLOW: stateless
      DOWNSTREAM_MTLS_CRL: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNXakNCd3dJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTVJjTk1qTXdOekU1TWpFeApPRFExV2hjTk16TXdOekUyTWpFeE9EUTFXakFqTUNFQ0VFWTlqblU4Vmt0Mk1ZdWVza1JkN2J3WERUSXpNRGN4Ck9USXhNVGMwTjFxZ01EQXVNQjhHQTFVZEl3UVlNQmFBRk5IMU5BejhVajI0UGhDR2RCa0dpMENNUUdNTE1Bc0cKQTFVZEZBUUVBZ0lRQURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQTR3M293NGoxRGF1ZmlCQlhoZEMwRUN5WQp6RHhPdUFDZFI0enlvWWJqTjFnMmtjMGJ1Y2hKNytWMGVUWS9SblNOYyt1cU5ZK0xZcHJYUXF1WktscjlkRlVyCnZKL3BYSit1eUxSL016ZWhpVHIzSG9UTENQbGlLWkREYXlQbW9admFxSEQ4SW9HRW5RWDZrQ0Vob3BiN2d0cUoKVTdUZkhhZXhpMHA0M0ZIMDBnblpmYURNa2NBZDh6Q2xzRVhVckFGQ1FSRDFNNVB1Q09UTzdDZVFjSTUzdUJ2ZAo4YUd2eUhsS0EvMk8xN2duaU1uZ2NvQ083Mk5BVWx0SnpNYnVncWVYT29pR0hZb1NzS1RiWTdNZExoWTNNRUJhCjNaa0NGZ3QzSExIVHo1UzBQZUJWclQ3L3k3U3o1Y2owUUEwSktMM0ozcHNuZ1ZicFM0b0h1NmN5dmcvLzdOZEcKS05CcWRhcytLUEFzbVYrM3k2NENyMmhuditXc1dqaXV4RGdJRUZ6cFFPY3lOT1p6bUlTQUN3N1lYandGdUluZQpPaWlNdVlzLzJOdndRMU9QZnEzamczSWY4a0JVY1NWaCtUZTRGSTMrMDd0V1V2TjZuVllDNFZtWEFjRzFIdXhRCkdubmU5ZjVoZ0VKUFZmTFQrdUozMVZWMTYrdkJuWkQ4NURaSlRyRE0KLS0tLS1FTkQgWDUwOSBDUkwtLS0tLQotLS0tLUJFR0lOIFg1MDkgQ1JMLS0tLS0KTUlJQ05UQ0JuZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREE2TVI0d0hBWURWUVFLRXhWdGEyTmxjblFnWkdWMgpaV3h2Y0cxbGJuUWdRMEV4R0RBV0JnTlZCQU1URDJSdmQyNXpkSEpsWVcwZ1EwRWdNaGNOTWpNd056RTVNakUxCk1ERTFXaGNOTXpNd056RTJNakUxTURFMVdxQXdNQzR3SHdZRFZSMGpCQmd3Rm9BVUN4UTJjQmE1WXpxVnphbXAKaU5DeDhLd0ZGeVF3Q3dZRFZSMFVCQVFDQWhBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQmdRQ1lhbXg4cE0rUgpDbHlza2N1N291aHUvUjFKeTFuV0d5V3RLcGhZcTBYRmJPTGxuazJaN2VEZkFYOEVlajJGYXZxeHphcFIyeDJPCjRpSk5EQ21pd1lZWVVTMlgyTEozclJSSlh5WHZXaHRmSHJ4VVJkNkJpdEMySVhweWtCdFZsZjN6QW5aOEdaRlEKUzFqZGZ5TE11RUFpRHdJYWkzWXQ4SHNEcC9xRzA4OW9YY29TdHlRZy91UnBtV3kwNUE5dUNWT2ZOSFNMU1p1OApscjRxYXRsZXUwd1diVjFhbUw4dE85eDRDUmtPMG8xWWFRcTREb09ydVByKzNOa1RtUHZHaWRoM0Y3MVY2SUVBCmgrS3pkYlJYeEZtQ0NXTFdtcEpEY3JnUjdLVXFaT2hVVXQrRFVxYXFoVjQ0cUkwbnJwUitRWkxvaG9Eb3I5THcKSyt1ZmozbjI5ZVNSWCszUHgrb1ZXUFQ4WVpQMnVLUGRpemk5Nm1lMmpXVHI1MXg5QWpFb0pEc1RuWVJsOSt1WQpTaGlVeFduVGRRc29va25JZmNTLzB6ZmdaODdHdlVWemluQ1F6SnB3VnhkNEFsdDhBbFIrZlhBcU5Jb09ndXl2CnAvQ3RSVm5qVkU3bDdIVy9oUVJxMUowaWpDQ0t3bXlmL0tUZDZFSzRUZHJ2YlgvVTltc1ZNOFk9Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0K
      ENVOY_ADMIN_ADDRESS: 0.0.0.0:9901
      GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT: ewoiYXV0aF9wcm92aWRlcl94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImF1dGhfdXJpIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKImNsaWVudF9lbWFpbCI6ICJyZWRhY3RlZEBwb21lcml1bS1yZWRhY3RlZC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiJjbGllbnRfaWQiOiAiMTAxMjE1OTkwNDU4MDAwMzM0Mzg3IiwKImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHA6Ly9tb2NrLWlkcDo4MDI0IiwKInByaXZhdGVfa2V5IjogIi0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLVxuTUlJRXZRSUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NCS2N3Z2dTakFnRUFBb0lCQVFDOEhMQkFJelhrUGVlZ1xubGRVZlJLSzJqUXhTVlpENWcrcXNqQXpwbXJxL0F0bXdlSzFjR2NPdFo2ZU9MK3A4YnJQRHlWaERUMFFsSS9PL1xuRUtnQ09GRnhVRHFvUjgyaVkwNlNhY0FqSG5pNitQTzl0VlJiRlYwdzE0QkRBSlNwQitWdld5bCtGb1BEVi92c1xuWjMxRnRZdytFd3FrYkR4L2thVDl1emYrTEpkbGtmMTRuUVFqOEVreS84ZDNtV0piYi85dGpPYnNhUWdKNUxMeFxuQ1lkSW1rcjc3WDJMTXVEdy8xdHBINjQyR0UyNU5yZ202UUhseUtTZllYbzM4djgzZWJFcWJaVURHK1ppb0FyUFxubXFta2F3VVd3M2VraGo4MFNKZy9USzlQUmFOL1Z2Y0kxUGdBZDdMWnp0VVJlU21UeTVoZDlyNnJPQnhweHduVFxuRHZIa0JuNnZBZ01CQUFFQ2dnRUFCMjhpMEFZVU5TYjFKbldGYkt6cnVVY3R1M3RDTlhvdkpnNkszQmlQVk1rcVxuRFQxWHJKSWdGNVJISE9scjNPc0xFNnU3WHoyY3RkTUw2UHNoaUtUdEl3dEdwaXZnUnBDaUpFc2xtcjJ6aThBV1xuOGVKZXFSTFpFZnNTU0pPWFRHN1JkR3NuNHFIRkowMHMyWlRsY0lIU1B3bkZtK1hqSmk5OVU4RzRYc1VvWG8wclxuR3krMFZDdVU3TThnSUNFSEhzclFPOVhERDNuVDJqaXU1VGpyS3dqdXQzRW1vSnNzSTVicXgzMytPQnU1QnBDUFxuQ1Q0NzNENDNQOXAzcWkvWG5mdnFHU0cyT2o0T2FqVjRmcjBvOUIzS3ZJeGtNZW03V2xJM2p5eTFrQXB5WHFWVFxuYkxrTEZ5V0JOVFdVWjJSLzJ3eG11b0M2bUxadzg3OU1MQ0tNdmsxZG9RS0JnUURobXdHYWZKTnltVGlFUVpSSVxuU3NReDRzZXFmT0tmZ0ZDN29ocUg5Y1JPT3U4SUoxbzdxMnBNMlc0WGlWK1Mzd1RkUEdtY2E2SU9qWDIzaXNWQlxuMnVxTmk5UzRNbkkyL2QyMkdkL0JSOXJ2QncxZUdKb0ticld4MjJmRThRQ0VXVDFBbk8rRHVEMGpDODV5UmxzN1xuYXh6bGFNcnhFdTNMSTlVRTdOdHJkUWlCeVFLQmdRRFZkSTZjZUlWQlQ2Umd2Vkd0OHprTGpQSUZqaFFFSEFJcFxudWhpcmdxcFM2Q1g5Qmx5ZjIrbzQwem1majNoZTVyQ2NFb0I1TXNlTStEZ0ZiY1ZoMmUvTVZuWWlOTnc2SkNEQlxuQlFrRjQwOHBacFNlS1h2TC9veVYva0ltTVRKL3RVRFkwRVh4TXdTUEpCMFdsdGJXcmVWSUhvcGlnWFJDYmFleVxudUJIVkJ2LzR0d0tCZ0h3SHVlUHk1U1UxczJxU216RDdXYzJMUGZZdTNuQ09ITlJyRkdiMjZNdVJmdVJlcmk3clxuMkc4VGdvRVNGeWNwMFFUSU44KzFKTTBYWUt4TmNKRDZCOFYxd0tiYnBRc3ltbmVJMWdqdXRpQi9JZ3cvUGtES1xuQ0w0VlA0RjRkYTVOV1cxeVdnTnlnTG9KdlovNXFpS0tpc0pjMEdXazRIS3o2bUxnek9qUTJMSnhBb0dCQUxIWlxuZk4yWWVZYnlZY2FNMTFwMVZpbHVsVlRWalkzaS9GWmlEUjRTTC9JR0pXak4vU3pnNGlYWXNLRm11K2R1bE9abFxuY0JBTHBFS3JxcG16WFl0ck42YnN2MTgrNWVPM3FHYksyRHJFcTNlV1ZldjJLb1RNb2J4ejdnKytYQklXSm1MQVxuSGhhYTZJaVBrWUQ1eXlWeUhLRGJlWGdiM285ZXFDUjd3N2ZZTGp5L0FvR0FJNEQrTUZraXZ3VUY3aHFmNWVkU1xuS3JsdHdtb2RIaXFYTmJWa3diVzFBRlBKYmlZYWk0WUZmSzRJQWJpZi9ZbXhmOUc3OGFPa3I5WnBDSXpPa0RQWlxuWXBFd1FHV3NBaEVsQ0Z2YzhFLzVkSEVTU3ArdFd0UCtObHVpbXBGcWlEZzMvU1VuTXdPMnhIMG5oTGEwemVqaFxuZ21MaDR3L0NjUHliOVp5WGNlV1UvblU9XG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tXG4iLAoicHJpdmF0ZV9rZXlfaWQiOiAiZTA3ZjdjOTM4NzBjN2UwM2Y4ODM1NjBlY2Q4ZmQwZjRkMjdiMDA4MSIsCiJwcm9qZWN0X2lkIjogInBvbWVyaXVtLXJlZGFjdGVkIiwKInRva2VuX3VyaSI6ICJodHRwOi8vbW9jay1pZHA6ODAyNC90b2tlbiIsCiJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIKfQ==
--- a/integration/tpl/backends/pomerium.libsonnet
+++ b/integration/tpl/backends/pomerium.libsonnet
@ -98,15 +98,19 @@ local Environment(mode, idp, authentication_flow, dns_suffix) =
    SHARED_SECRET: 'UYgnt8bxxK5G2sFaNzyqi5Z+OgF8m2akNc0xdQx718w=',
    SIGNING_KEY: std.base64(importstr '../files/signing-key.pem'),
    SIGNING_KEY_ALGORITHM: 'ES256',
-  } + if mode == 'multi' then {
+  } + (
-    AUTHENTICATE_INTERNAL_SERVICE_URL: 'https://pomerium-authenticate',
+    if mode == 'multi' then {
-    AUTHORIZE_SERVICE_URL: 'https://pomerium-authorize:5443',
+      AUTHENTICATE_INTERNAL_SERVICE_URL: 'https://pomerium-authenticate',
-    DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
+      AUTHORIZE_SERVICE_URL: 'https://pomerium-authorize:5443',
-    GRPC_ADDRESS: ':5443',
+      DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
-    GRPC_INSECURE: 'false',
+      GRPC_ADDRESS: ':5443',
-  } else {} + if authentication_flow == 'stateless' then {
+      GRPC_INSECURE: 'false',
-    DEBUG_FORCE_AUTHENTICATE_FLOW: 'stateless',
+    } else {}
-  } else {};
+  ) + (
    if authentication_flow == 'stateless' then {
      DEBUG_FORCE_AUTHENTICATE_FLOW: 'stateless',
    } else {}
  );
 local ComposeService(name, definition, additionalAliases=[]) =
  utils.ComposeService(name, definition {