[data-plane]: Kafka Broker receiver: reject requests for wrong audience

[creydr]

As the Eventing OIDC feature track describes, each Addressable gets its own Audience. Since #3520 the Audience of a Broker will be exposed in its status, so sources can create OIDC tokens dedicated for this Audience.

When receiving an event, the kafka-broker-receiver must:

• when the feature flag (see Add authentication.oidc feature flag knative/eventing#7174) is disabled:
  • no change in behavior
• when the feature flag is enabled:
  • when no / no valid Authorization header is provided
    • decline the request with a 401 (The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. (https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized))
  • when a valid Authorization header is provided
    • check, if the provided OIDC tokens Audience aligns with the Brokers audience
      • If if does not align: decline the request with a 401
      • If it aligns: no change in behavior

Additional Information:

• requires [data-plane]: Add library for OIDC token management #3573 to verify a token
• Currently in draft state, as this this maybe can be done in [data-plane]: Kafka channel receiver: reject requests for wrong audience #3577

[creydr]

Done in #3577