InMemoryChannel ingress: added getOIDC #8104
Hi @7h3-3mp7y-m4n. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: 7h3-3mp7y-m4n. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
I'm working on the further tasks; please let me know if I implemented the wrong approach.
Thank you for your PR! @7h3-3mp7y-m4n /cc @rahulii
pkg/channel/event_receiver.go
Outdated
@@ -256,12 +256,13 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth | |||
features := feature.FromContext(ctx) | |||
if features.IsOIDCAuthentication() { | |||
r.logger.Debug("OIDC authentication is enabled") | |||
err = r.tokenVerifier.VerifyJWTFromRequest(ctx, request, &r.audience, response) | |||
oidcToken, err := r.tokenVerifier.GetOIDCIdentity(ctx, request, r.audience) |
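Review bot: the `:=` in `oidcToken, err := r.tokenVerifier.GetOIDCIdentity(ctx, request, r.audience)` declares a new `err` scoped to the `if features.IsOIDCAuthentication()` block, so the outer `err` that the removed line assigned with `err =` (and that the surrounding code presumably checks afterwards) is no longer set when the lookup fails. The replacement also drops the `VerifyJWTFromRequest` call entirely, so the request is no longer verified before its identity is read. Keep the existing verification line as it was and add the identity lookup after it as a separate assignment to the outer `err` (declare `oidcToken` beforehand and use `=` rather than `:=`). Note too that the audience argument changed from `&r.audience` to `r.audience`; confirm the new method's parameter type is the one intended.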
The goal here is to verify the request. I'd not change the existing code; instead use a separate function to get the OIDC Token!
Okay, I'll add a separate function to do that and leave it as it was.
Thanks!
@@ -179,3 +179,19 @@ type openIDMetadata struct { | |||
SubjectTypes []string `json:"subject_types_supported"` | |||
SigningAlgs []string `json:"id_token_signing_alg_values_supported"` | |||
} | |||
|
|||
// Getting the OIDCIdentity | |||
func (c *OIDCTokenVerifier) GetOIDCIdentity(ctx context.Context, r *http.Request, audience string) (*IDToken, error) { |
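Review bot: the doc comment `// Getting the OIDCIdentity` should take Go's godoc form, starting with the method name (`// GetOIDCIdentity returns ...`), and it should state the method's contract: whether it verifies the bearer token itself or assumes the caller has already run `VerifyJWTFromRequest`. Per the reviewer's comment on this hunk, the body (not visible here) should only obtain the identity and not repeat the request verification, so the contract to document is "callers must verify first". The return type `*IDToken` also needs a doc comment on that type if it is new in this change.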
As mentioned in the other comment, the goal of your function is to get the OIDC Identity and not verify the request, as you are doing on line 191.
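Both review comments above make the same point: request verification and identity extraction are two separate steps, and the identity must only be read from a token that has already been verified. The following is an added illustration of that ordering, not code from this PR or from Knative Eventing. It uses an HS256 shared-key check as a stand-in for the real verifier's OIDC signature validation (Knative's verifier is not HS256-based; the key, the `hmacVerifier` type, the lowercase function names, the `IDToken` field set and the token values are all assumptions constructed for this example). The `aud` claim is decoded as a JSON array only; a bare-string `aud` would need a custom unmarshaller.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// IDToken holds the identity claims a handler may act on after verification.
// The field set is an assumption for this example.
type IDToken struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"` // assumed to always be a JSON array here
}

// hmacVerifier stands in for a real OIDC verifier: it checks an HS256
// signature with a shared key instead of the issuer's published keys.
type hmacVerifier struct {
	key []byte
}

// bearerToken pulls the raw token out of the Authorization header.
func bearerToken(r *http.Request) (string, error) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return "", errors.New("missing bearer token")
	}
	return strings.TrimPrefix(h, prefix), nil
}

// decodeClaims parses the (base64url) payload segment into an IDToken.
// It performs no verification and must never be used on its own for authz.
func decodeClaims(payload string) (*IDToken, error) {
	b, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return nil, err
	}
	var t IDToken
	if err := json.Unmarshal(b, &t); err != nil {
		return nil, err
	}
	return &t, nil
}

// verifyJWTFromRequest is the verification step: signature plus audience.
// It deliberately returns only an error and no identity.
func (v *hmacVerifier) verifyJWTFromRequest(r *http.Request, audience string) error {
	raw, err := bearerToken(r)
	if err != nil {
		return err
	}
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("invalid signature")
	}
	claims, err := decodeClaims(parts[1])
	if err != nil {
		return err
	}
	for _, a := range claims.Audience {
		if a == audience {
			return nil
		}
	}
	return fmt.Errorf("token not intended for audience %q", audience)
}

// getOIDCIdentity is the identity step. It only reads claims; callers must
// have run verifyJWTFromRequest on the same request first.
func getOIDCIdentity(r *http.Request) (*IDToken, error) {
	raw, err := bearerToken(r)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	return decodeClaims(parts[1])
}

// authenticate is the handler-side order the reviewers ask for: verify, then identify.
func authenticate(v *hmacVerifier, r *http.Request, audience string) (*IDToken, error) {
	if err := v.verifyJWTFromRequest(r, audience); err != nil {
		return nil, err
	}
	return getOIDCIdentity(r)
}

// signHS256 mints a constructed token for demonstration; it plays the issuer.
func signHS256(key []byte, claims IDToken) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(header + "." + payload))
	return header + "." + payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-shared-key") // constructed, not a real secret
	tok := signHS256(key, IDToken{Issuer: "https://issuer.example", Subject: "sender", Audience: []string{"imc-ingress"}})
	req, _ := http.NewRequest(http.MethodPost, "http://localhost/", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	id, err := authenticate(&hmacVerifier{key: key}, req, "imc-ingress")
	fmt.Println(id, err)
}
```

Because `getOIDCIdentity` never touches the signature, the only thing that makes its output trustworthy is the preceding `verifyJWTFromRequest` call in `authenticate`; that is the split the two review comments ask for, and it is why the identity helper must not be wired into the handler in place of the verification line.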
Thanks for reaching out for help @7h3-3mp7y-m4n, I'm replying on GitHub to make our conversation more open! Let's walk through this step by step. Let me provide more explanation on that description first.
This logic provides a flexible authorization mechanism:
Next, regarding your question:
In this PR, @rahulii has tried to put the event policies into .status.policies. If you want to list all the eventPolicies, take a look here: Lmk if you have any further questions, and I hope this helps. cc @rahulii
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

Coverage Diff

              main     #8104      +/-
Coverage    69.30%    67.71%   -1.59%
Files          345       368      +23
Lines        16113     17597    +1484
Hits         11167     11916     +749
Misses        4257      4935     +678
Partials       689       746      +57
Hey @Leo6Leo, can you guide me to the InMemoryChannel code? It would be helpful to retrieve the policies and check according to that, and also a few more details about the default-authorization-mode.
Hi @7h3-3mp7y-m4n, if you want to read more about the feature, please read Knative Eventing Authorization.
Hey @7h3-3mp7y-m4n, do you need any help here? Please LMK if you plan to complete this PR; if you are busy, I can take this up if you want.
Thanks @rahulii, I read the documentation of the feature as you provided it to me. I'll get this done today itself, no worries.
Closing this in favor of #8123
Fixes #7981
Proposed Changes
Pre-review Checklist