Separate authentication from authorization in IDP providers

Providers now only fetch identity — access control (domain/org checks)
is centralized in a single validateAccess method on the auth handler.
This means IDP errors (unreachable provider) produce ErrServerError
while policy rejections produce ErrAccessDenied, and adding new access
rules no longer requires touching every provider.

GitHub always fetches orgs now (scope was already requested
unconditionally). UserInfo struct renamed to Identity to avoid collision
with the method name. ParseClientRequest relocated to oauth package as
ParseClientRegistration. Deleted deprecated ProtectedResourceMetadata
and inlined the workaround logic into the handler that used it.

Author: dgellow

internal/idp/azure.go

@@ -4,7 +4,7 @@ import "fmt"
 
 // NewAzureProvider creates an Azure AD provider using OIDC discovery.
 // Azure AD is OIDC-compliant, so we use the generic OIDC provider with Azure's tenant-specific discovery URL.
-func NewAzureProvider(tenantID, clientID, clientSecret, redirectURI string, allowedDomains []string) (*OIDCProvider, error) {
+func NewAzureProvider(tenantID, clientID, clientSecret, redirectURI string) (*OIDCProvider, error) {
 	if tenantID == "" {
 		return nil, fmt.Errorf("tenantId is required for Azure AD")
 	}
@@ -15,12 +15,11 @@ func NewAzureProvider(tenantID, clientID, clientSecret, redirectURI string, allo
 	)
 
 	return NewOIDCProvider(OIDCConfig{
-		ProviderType:   "azure",
-		DiscoveryURL:   discoveryURL,
-		ClientID:       clientID,
-		ClientSecret:   clientSecret,
-		RedirectURI:    redirectURI,
-		Scopes:         []string{"openid", "email", "profile"},
-		AllowedDomains: allowedDomains,
+		ProviderType: "azure",
+		DiscoveryURL: discoveryURL,
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		RedirectURI:  redirectURI,
+		Scopes:       []string{"openid", "email", "profile"},
 	})
 }

internal/idp/azure_test.go

@@ -8,7 +8,7 @@ import (
 )
 
 func TestNewAzureProvider_MissingTenantID(t *testing.T) {
-	_, err := NewAzureProvider("", "client-id", "client-secret", "https://example.com/callback", nil)
+	_, err := NewAzureProvider("", "client-id", "client-secret", "https://example.com/callback")
 
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "tenantId is required")

internal/idp/factory.go

@@ -7,15 +7,13 @@ import (
 )
 
 // NewProvider creates a Provider based on the IDPConfig.
-// allowedDomains configures domain-based access control for all provider types.
-func NewProvider(cfg config.IDPConfig, allowedDomains []string) (Provider, error) {
+func NewProvider(cfg config.IDPConfig) (Provider, error) {
 	switch cfg.Provider {
 	case "google":
 		return NewGoogleProvider(
 			cfg.ClientID,
 			string(cfg.ClientSecret),
 			cfg.RedirectURI,
-			allowedDomains,
 		), nil
 
 	case "azure":
@@ -24,16 +22,13 @@ func NewProvider(cfg config.IDPConfig, allowedDomains []string) (Provider, error
 			cfg.ClientID,
 			string(cfg.ClientSecret),
 			cfg.RedirectURI,
-			allowedDomains,
 		)
 
 	case "github":
 		return NewGitHubProvider(
 			cfg.ClientID,
 			string(cfg.ClientSecret),
 			cfg.RedirectURI,
-			allowedDomains,
-			cfg.AllowedOrgs,
 		), nil
 
 	case "oidc":
@@ -47,7 +42,6 @@ func NewProvider(cfg config.IDPConfig, allowedDomains []string) (Provider, error
 			ClientSecret:     string(cfg.ClientSecret),
 			RedirectURI:      cfg.RedirectURI,
 			Scopes:           cfg.Scopes,
-			AllowedDomains:   allowedDomains,
 		})
 
 	default:

internal/idp/factory_test.go

@@ -87,7 +87,7 @@ func TestNewProvider(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			provider, err := NewProvider(tt.cfg, nil)
+			provider, err := NewProvider(tt.cfg)
 
 			if tt.wantErr {
 				require.Error(t, err)

internal/idp/github.go

@@ -14,10 +14,8 @@ import (
 // GitHubProvider implements the Provider interface for GitHub OAuth.
 // GitHub uses OAuth 2.0 (not OIDC) and has its own API for user info and org membership.
 type GitHubProvider struct {
-	config         oauth2.Config
-	apiBaseURL     string   // defaults to https://api.github.com, can be overridden for testing
-	allowedDomains []string // email domains users must belong to (empty = no restriction)
-	allowedOrgs    []string // organizations users must be members of (empty = no restriction)
+	config     oauth2.Config
+	apiBaseURL string // defaults to https://api.github.com, can be overridden for testing
 }
 
 // githubUserResponse represents GitHub's user API response.
@@ -42,7 +40,7 @@ type githubOrgResponse struct {
 }
 
 // NewGitHubProvider creates a new GitHub OAuth provider.
-func NewGitHubProvider(clientID, clientSecret, redirectURI string, allowedDomains, allowedOrgs []string) *GitHubProvider {
+func NewGitHubProvider(clientID, clientSecret, redirectURI string) *GitHubProvider {
 	return &GitHubProvider{
 		config: oauth2.Config{
 			ClientID:     clientID,
@@ -51,9 +49,7 @@ func NewGitHubProvider(clientID, clientSecret, redirectURI string, allowedDomain
 			Scopes:       []string{"user:email", "read:org"},
 			Endpoint:     github.Endpoint,
 		},
-		apiBaseURL:     "https://api.github.com",
-		allowedDomains: allowedDomains,
-		allowedOrgs:    allowedOrgs,
+		apiBaseURL: "https://api.github.com",
 	}
 }
 
@@ -72,13 +68,11 @@ func (p *GitHubProvider) ExchangeCode(ctx context.Context, code string) (*oauth2
 	return p.config.Exchange(ctx, code)
 }
 
-// UserInfo fetches user information from GitHub's API.
-// Validates domain and organization membership based on construction-time config.
-// TODO: Consider caching org membership to reduce API calls.
-func (p *GitHubProvider) UserInfo(ctx context.Context, token *oauth2.Token) (*UserInfo, error) {
+// UserInfo fetches user identity from GitHub's API.
+// Always fetches organizations so the authorization layer can check membership.
+func (p *GitHubProvider) UserInfo(ctx context.Context, token *oauth2.Token) (*Identity, error) {
 	client := p.config.Client(ctx, token)
 
-	// Fetch user profile
 	user, err := p.fetchUser(client)
 	if err != nil {
 		return nil, err
@@ -99,38 +93,12 @@ func (p *GitHubProvider) UserInfo(ctx context.Context, token *oauth2.Token) (*Us
 
 	domain := emailutil.ExtractDomain(email)
 
-	// Validate domain if configured
-	if err := ValidateDomain(domain, p.allowedDomains); err != nil {
-		return nil, err
-	}
-
-	// Fetch organizations only if org validation is configured
-	var orgs []string
-	if len(p.allowedOrgs) > 0 {
-		orgs, err = p.fetchOrganizations(client)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get user organizations: %w", err)
-		}
-
-		// Validate org membership
-		hasAllowedOrg := false
-		for _, org := range orgs {
-			for _, allowed := range p.allowedOrgs {
-				if org == allowed {
-					hasAllowedOrg = true
-					break
-				}
-			}
-			if hasAllowedOrg {
-				break
-			}
-		}
-		if !hasAllowedOrg {
-			return nil, fmt.Errorf("user is not a member of any allowed organization. Contact your administrator")
-		}
+	orgs, err := p.fetchOrganizations(client)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user organizations: %w", err)
 	}
 
-	return &UserInfo{
+	return &Identity{
 		ProviderType:  "github",
 		Subject:       fmt.Sprintf("%d", user.ID),
 		Email:         email,

internal/idp/github_test.go

@@ -13,12 +13,12 @@ import (
 )
 
 func TestGitHubProvider_Type(t *testing.T) {
-	provider := NewGitHubProvider("client-id", "client-secret", "https://example.com/callback", nil, nil)
+	provider := NewGitHubProvider("client-id", "client-secret", "https://example.com/callback")
 	assert.Equal(t, "github", provider.Type())
 }
 
 func TestGitHubProvider_AuthURL(t *testing.T) {
-	provider := NewGitHubProvider("client-id", "client-secret", "https://example.com/callback", nil, nil)
+	provider := NewGitHubProvider("client-id", "client-secret", "https://example.com/callback")
 
 	authURL := provider.AuthURL("test-state")
 
@@ -33,10 +33,6 @@ func TestGitHubProvider_UserInfo(t *testing.T) {
 		userResp              githubUserResponse
 		emailsResp            []githubEmailResponse
 		orgsResp              []githubOrgResponse
-		allowedDomains        []string
-		allowedOrgs           []string
-		wantErr               bool
-		errContains           string
 		expectedEmail         string
 		expectedEmailVerified bool
 		expectedDomain        string
@@ -51,10 +47,11 @@ func TestGitHubProvider_UserInfo(t *testing.T) {
 				Name:      "Test User",
 				AvatarURL: "https://github.com/avatar.jpg",
 			},
+			orgsResp:              []githubOrgResponse{{Login: "my-org"}},
 			expectedEmail:         "user@company.com",
-			expectedEmailVerified: true, // Public emails in GitHub profile are verified
+			expectedEmailVerified: true,
 			expectedDomain:        "company.com",
-			expectedOrgs:          nil, // Orgs not fetched when allowedOrgs is empty
+			expectedOrgs:          []string{"my-org"},
 		},
 		{
 			name: "user_without_public_email_fetches_from_api",
@@ -67,10 +64,11 @@ func TestGitHubProvider_UserInfo(t *testing.T) {
 				{Email: "secondary@other.com", Primary: false, Verified: true},
 				{Email: "primary@company.com", Primary: true, Verified: true},
 			},
+			orgsResp:              []githubOrgResponse{},
 			expectedEmail:         "primary@company.com",
 			expectedEmailVerified: true,
 			expectedDomain:        "company.com",
-			expectedOrgs:          nil, // Orgs not fetched when allowedOrgs is empty
+			expectedOrgs:          []string{},
 		},
 		{
 			name: "user_with_unverified_primary_falls_back_to_verified",
@@ -82,72 +80,24 @@ func TestGitHubProvider_UserInfo(t *testing.T) {
 				{Email: "primary@company.com", Primary: true, Verified: false},
 				{Email: "verified@company.com", Primary: false, Verified: true},
 			},
+			orgsResp:              []githubOrgResponse{},
 			expectedEmail:         "verified@company.com",
 			expectedEmailVerified: true,
 			expectedDomain:        "company.com",
-			expectedOrgs:          nil, // Orgs not fetched when allowedOrgs is empty
-		},
-		{
-			name: "domain_validation_success",
-			userResp: githubUserResponse{
-				ID:    12345,
-				Login: "testuser",
-				Email: "user@company.com",
-			},
-			allowedDomains:        []string{"company.com"},
-			expectedEmail:         "user@company.com",
-			expectedEmailVerified: true,
-			expectedDomain:        "company.com",
-			expectedOrgs:          nil, // Orgs not fetched when allowedOrgs is empty
+			expectedOrgs:          []string{},
 		},
 		{
-			name: "domain_validation_failure",
-			userResp: githubUserResponse{
-				ID:    12345,
-				Login: "testuser",
-				Email: "user@other.com",
-			},
-			allowedDomains: []string{"company.com"},
-			wantErr:        true,
-			errContains:    "domain 'other.com' is not allowed",
-		},
-		{
-			name: "org_validation_success",
+			name: "orgs_always_populated",
 			userResp: githubUserResponse{
 				ID:    12345,
 				Login: "testuser",
 				Email: "user@gmail.com",
 			},
-			orgsResp:              []githubOrgResponse{{Login: "allowed-org"}, {Login: "other-org"}},
-			allowedOrgs:           []string{"allowed-org"},
+			orgsResp:              []githubOrgResponse{{Login: "org-a"}, {Login: "org-b"}},
 			expectedEmail:         "user@gmail.com",
 			expectedEmailVerified: true,
 			expectedDomain:        "gmail.com",
-			expectedOrgs:          []string{"allowed-org", "other-org"},
-		},
-		{
-			name: "org_validation_failure",
-			userResp: githubUserResponse{
-				ID:    12345,
-				Login: "testuser",
-				Email: "user@gmail.com",
-			},
-			orgsResp:    []githubOrgResponse{{Login: "other-org"}},
-			allowedOrgs: []string{"required-org"},
-			wantErr:     true,
-			errContains: "not a member of any allowed organization",
-		},
-		{
-			name: "user_with_no_orgs_restriction",
-			userResp: githubUserResponse{
-				ID:    12345,
-				Login: "testuser",
-				Email: "user@gmail.com",
-			},
-			expectedEmail:         "user@gmail.com",
-			expectedEmailVerified: true,
-			expectedDomain:        "gmail.com",
-			expectedOrgs:          nil, // Orgs not fetched when allowedOrgs is empty
+			expectedOrgs:          []string{"org-a", "org-b"},
 		},
 	}
 
@@ -172,7 +122,6 @@ func TestGitHubProvider_UserInfo(t *testing.T) {
 			}))
 			defer server.Close()
 
-			// Create provider with test server endpoints and allowedOrgs
 			provider := &GitHubProvider{
 				config: oauth2.Config{
 					ClientID:     "test-client",
@@ -184,29 +133,19 @@ func TestGitHubProvider_UserInfo(t *testing.T) {
 						TokenURL: server.URL + "/token",
 					},
 				},
-				apiBaseURL:     server.URL,
-				allowedDomains: tt.allowedDomains,
-				allowedOrgs:    tt.allowedOrgs,
+				apiBaseURL: server.URL,
 			}
 
 			token := &oauth2.Token{AccessToken: "test-token"}
-			userInfo, err := provider.UserInfo(context.Background(), token)
-
-			if tt.wantErr {
-				require.Error(t, err)
-				if tt.errContains != "" {
-					assert.Contains(t, err.Error(), tt.errContains)
-				}
-				return
-			}
+			identity, err := provider.UserInfo(context.Background(), token)
 
 			require.NoError(t, err)
-			require.NotNil(t, userInfo)
-			assert.Equal(t, "github", userInfo.ProviderType)
-			assert.Equal(t, tt.expectedEmail, userInfo.Email)
-			assert.Equal(t, tt.expectedEmailVerified, userInfo.EmailVerified)
-			assert.Equal(t, tt.expectedDomain, userInfo.Domain)
-			assert.Equal(t, tt.expectedOrgs, userInfo.Organizations)
+			require.NotNil(t, identity)
+			assert.Equal(t, "github", identity.ProviderType)
+			assert.Equal(t, tt.expectedEmail, identity.Email)
+			assert.Equal(t, tt.expectedEmailVerified, identity.EmailVerified)
+			assert.Equal(t, tt.expectedDomain, identity.Domain)
+			assert.Equal(t, tt.expectedOrgs, identity.Organizations)
 		})
 	}
 }