mt-broker-filter: reject request for wrong audience

[creydr]

As an implementation detail, we describe in https://gist.github.com/creydr/8b694956f27b0cb338b3576f3a893879, the broker filter gets its own dedicated Audience, named mt-broker-filter (in #7292 we will expose this audience in the Triggers Subscription as the subscribers audience).

When receiving an event, the mt-broker-filter receiver must:

• when the feature flag (see Add authentication.oidc feature flag #7174) is disabled:
  • no change in behavior
• when the feature flag (see Add authentication.oidc feature flag #7174) is enabled:
  • when no / no valid Authorization header is provided
    • decline the request with a 401 (The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. (https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized))
  • when a valid Authorization header is provided
    • check, if the provided OIDC tokens Audience is mt-broker-filter
      • If not: decline the request with a 401
      • If it aligns: no change in behavior

Additional Information:

• requires Use mt-broker-filter audience for a Triggers Subscriptions as subscribers audience #7292
• requires Provide a library for OIDC token management #7175 to verify a token

[xiangpingjiang]

/assign

[Cali0707]

Hey @xiangpingjiang any updates here? Is there anything I can help you with?

If you aren't interested in this issue anymore let me know so that someone else can work on it. Thanks!

[xiangpingjiang]

hello, @Cali0707
I'm still interested in this issue, I will submit a pr this week. Thanks

[Cali0707]

Great @xiangpingjiang - let me know if you need any help