As the Eventing OIDC feature track describes, each Addressable gets its own Audience. Since #3520 the Audience of a Broker will be exposed in its status, so sources can create OIDC tokens dedicated for this Audience.
When receiving an event, the kafka-broker-receiver must:

- when no / no valid Authorization header is provided
  - decline the request with a 401 (The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. (https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized))
- when a valid Authorization header is provided
  - check if the provided OIDC token's Audience aligns with the Broker's audience
  - If it does not align: decline the request with a 401
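
The decision described above, written out in Go as an added example; it is not code from the issue or from the kafka-broker-receiver. `Verifier`, `audiences`, `Status`, the 202 returned on success and the sample audience strings are assumptions of this example, and the signature, issuer and expiry checks are left to the hypothetical `Verifier` hook.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Verifier is a hypothetical hook: a real one checks signature, issuer and
// expiry against the OIDC provider and returns the token's JSON claims.
type Verifier func(token string) ([]byte, error)

// audiences reads "aud", which RFC 7519 allows as a string or a string array.
func audiences(claims []byte) (many []string) {
	var c struct{ Aud json.RawMessage }
	var one string
	if json.Unmarshal(claims, &c) == nil && json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}
	}
	if json.Unmarshal(c.Aud, &many) != nil {
		return nil // missing or malformed "aud": nothing can match
	}
	return many
}

// Status is the receiver's answer; 202 on success is an assumption of this example.
func Status(authz, brokerAudience string, verify Verifier) int {
	parts := strings.Fields(authz) // expect "Bearer <token>"
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return http.StatusUnauthorized // no Authorization header
	}
	claims, err := verify(parts[1])
	if err != nil {
		return http.StatusUnauthorized // no valid Authorization header
	}
	for _, a := range audiences(claims) {
		if a != "" && a == brokerAudience {
			return http.StatusAccepted
		}
	}
	return http.StatusUnauthorized // token was created for another audience
}

// Constructed stand-in verifier and audience values, so the example runs offline.
func main() {
	v := func(string) ([]byte, error) { return []byte(`{"aud":["other","broker-a"]}`), nil }
	fmt.Println(Status("Bearer t", "broker-a", v), Status("Bearer t", "broker-b", v)) // 202 401
}
```

The empty-string guard in the loop keeps a token with `"aud": null` from matching a Broker whose audience has not been populated yet.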
creydr changed the title from "[data-plane]: Broker Ingress: reject requests for wrong audience" to "[data-plane]: Kafka Broker receiver: reject requests for wrong audience" on Jan 9, 2024
When receiving an event, the kafka-broker-receiver must:
authentication.oidc feature flag knative/eventing#7174) is disabled:
Authorization header is provided
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. (https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized))
Authorization header is provided
Additional Information: