Currently, the Session proto id_token field is populated with Pomerium
session data during initial login, but with IdP ID token data after an
IdP session refresh.
Instead, store only IdP ID token data in this field.
Update the existing SetRawIDToken method to populate the structured data
fields based on the contents of the raw ID token. Remove the other code
that sets these fields (in the authenticateflow package and in
manager.sessionUnmarshaler).
Add a test for the identity manager, exercising the combined effect of
session claims unmarshaling and SetRawIDToken(), to verify that the
combined behavior is preserved unchanged.
Per the OIDC spec, section 2:
> NOTE: The ID Token expiration time is unrelated [to] the lifetime of
> the authenticated session between the RP and the OP.
A Pomerium session should remain valid for as long as the underlying
OAuth2 session.
Update the AccessTracker, WebAuthn handlers, and identity manager
refresh loop to perform their session record updates using the
databroker Patch() method.
This should prevent any of these updates from conflicting.
* databroker: add support for putting multiple records
* add OptimumPutRequestsFromRecords function
* replace GetAll with SyncLatest
* fix stream when there are no records
* session: add accessed at date
* authorize: track session and service account access times
* Revert "databroker: add support for field masks on Put (#3210)"
This reverts commit 2dc778035d.
* add test
* fix data race in test
* add deadline for update
* track dropped accesses
* sessions: add impersonate_session_id, remove legacy impersonation
* show impersonated user details
* fix headers
* address feedback
* only check impersonate id on non-nil pbSession
* Revert "only check impersonate id on non-nil pbSession"
This reverts commit a6f7ca5abd.
* refactor backend, implement encrypted store
* refactor in-memory store
* wip
* wip
* wip
* add syncer test
* fix redis expiry
* fix linting issues
* fix test by skipping non-config records
* fix backoff import
* fix init issues
* fix query
* wait for initial sync before starting directory sync
* add type to SyncLatest
* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest
* update sync types and tests
* add redis tests
* skip macos in github actions
* add comments to proto
* split getBackend into separate methods
* handle errors in initVersion
* return different error for not found vs other errors in get
* use exponential backoff for redis transaction retry
* rename raw to result
* use context instead of close channel
* store type urls as constants in databroker
* use timestampb instead of ptypes
* fix group merging not waiting
* change locked names
* update GetAll to return latest record version
* add method to grpcutil to get the type url for a protobuf type
