pomerium / pomerium / 24363750164

52%

Build Type

push

github

Committed by web-flow

Commit Message

fix(identity): exclude AccessTokenAllowedAudiences from provider hash (#6263)

## Summary

- Routes with different `idp_access_token_allowed_audiences` but the
same IdP produced different provider IDs, forcing unnecessary re-logins
when users navigated between them
- `AccessTokenAllowedAudiences` is a per-route post-auth filtering
field, not a session identity field — it should not affect provider
identity
- One-line fix: exclude the field from `Provider.Hash()` alongside the
already-excluded `Id` field

## Test plan

- [x] Unit tests: 4 subtests on `Hash()` covering audience exclusion,
nil-vs-empty, and regression guard (`different ClientId → different
hash`)
- [x] Config integration test:
`TestPoliciesWithDifferentAudiencesShareProviderID` verifies
`GetIdentityProviderForPolicy` returns same provider ID with different
audiences
- [x] System integration test: `TestDifferentAudiencesShareSession` runs
full Pomerium instance with mock IdP, two routes with different
audiences linked via DependsOn, authenticates to route A and verifies
route B is accessible without re-login
- [x] `make build` / `make test` / `make lint` — all green
- [x] CI

AI-assisted: implementation drafted by Claude, reviewed by Go expert +
code reviewer agents, independently verified by Codex.

Fixes ENG-2977

Coverage Stats

1 of 1 new or added line in 1 file covered. (100.0%)

27 existing lines in 9 files now uncovered.

35130 of 77272 relevant lines covered (45.46%)

114.17 hits per line