identity: add access token support for github (#5615)

## Summary
Implement direct access token support for GitHub. GitHub doesn't have
identity tokens, so that isn't supported. The "IdP Access Token Allowed
Audiences" option is also not supported because GitHub doesn't populate
an `aud` claim.

## Related issues
-
[ENG-2137](https://linear.app/pomerium/issue/ENG-2137/core-implement-token-validation-for-github)

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

pkg/identity/oauth/github/github.go

@@ -17,6 +17,7 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/jwtutil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/internal/version"
@@ -258,8 +259,26 @@ func (p *Provider) SignOut(_ http.ResponseWriter, _ *http.Request, _, _, _ strin
 }
 
 // VerifyAccessToken verifies an access token.
-func (p *Provider) VerifyAccessToken(_ context.Context, _ string) (claims map[string]any, err error) {
-	return nil, identity.ErrVerifyAccessTokenNotSupported
+func (p *Provider) VerifyAccessToken(ctx context.Context, rawAccessToken string) (claims map[string]any, err error) {
+	claims = jwtutil.Claims(map[string]any{})
+
+	err = p.userInfo(ctx, &oauth2.Token{
+		TokenType:   "Bearer",
+		AccessToken: rawAccessToken,
+	}, &claims)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving user info with access token: %w", err)
+	}
+
+	err = p.userEmail(ctx, &oauth2.Token{
+		TokenType:   "Bearer",
+		AccessToken: rawAccessToken,
+	}, &claims)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving user email with access token: %w", err)
+	}
+
+	return claims, nil
 }
 
 // VerifyIdentityToken verifies an identity token.