Problem

Weonly revalidate group membershipwhen the session is refreshed or revalidated, which means that if a user were to successfully authorize with upstream 'foo', then they can effectively skip group membership validation on adifferent upstream by making the request with a slightly altered version of the saved cookie from the 'foo' upstream (providing the session is still valid and hasn't expired).

Solution

Add a newAuthorizedUpstream value to the session which is used to compare the upstream the session has been validated against, to the requested upstream.
TheAuthorizedUpstream value is checked against the request host on each request. For the time being, when caught this check will re-trigger the start of the oauth flow, primarily to help introduce this additional check in a graceful manner.

Example log line when triggered:

{"authorized_upstream":"upstream-1.foo.io","level":"warning","msg":"session authorized against different upstream; restarting authentication","proxy_host":"upstream-2.foo.io","remote_address":"x.x.x.x","service":"sso-proxy","time":"2020-01-02 13:26:31.502","user":"foo.bar@email.com"}

upstream-1.foo.io being the original upstream the session was used against, andupstream-2.foo.io being the newly
requested upstream.

Notes

• This change was originally made and approved as part ofsso_proxy: reduce direct calls to ValidateGroup() and clean up logic #275, however that pull request was found to also introduce some bugs, so this smaller change has been pulled out to reduce the complexity there and allow for easier troubleshooting. (the bugs arenot present in this pull request!)