InMemoryChannel ingress: added getOIDC #8104
Conversation
knative-prow
bot
added
the
do-not-merge/work-in-progress
|
Hi @7h3-3mp7y-m4n. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
knative-prow
bot
added
size/S
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: 7h3-3mp7y-m4n The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I'm working on the further tasks, please let me know if I implemented the wrong approach. |
|
Thank you for your PR! @7h3-3mp7y-m4n /cc @rahulii |
pkg/channel/event_receiver.go
Outdated
| @@ -256,12 +256,13 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth | |||
| features := feature.FromContext(ctx) | |||
| if features.IsOIDCAuthentication() { | |||
| r.logger.Debug("OIDC authentication is enabled") | |||
| err = r.tokenVerifier.VerifyJWTFromRequest(ctx, request, &r.audience, response) | |||
| oidcToken, err := r.tokenVerifier.GetOIDCIdentity(ctx, request, r.audience) | |||
There was a problem hiding this comment.
The goal here is to verify the the request, I'd not change the existing code instead use a seperate function to get the OIDC Token!
There was a problem hiding this comment.
Okay , I'll add a separate function to do that and leave it as it was ..
Thanks !
| @@ -179,3 +179,19 @@ type openIDMetadata struct { | |||
| SubjectTypes []string `json:"subject_types_supported"` | |||
| SigningAlgs []string `json:"id_token_signing_alg_values_supported"` | |||
| } | |||
|
|
|||
| // Getting the OIDCIdentity | |||
| func (c *OIDCTokenVerifier) GetOIDCIdentity(ctx context.Context, r *http.Request, audience string) (*IDToken, error) { | |||
There was a problem hiding this comment.
As mentioned in the other comment, the goal if your function is to get OIDC Identity and not verify the request as you are doing on line 191.
|
Thanks for reaching out for help @7h3-3mp7y-m4n , I'm replying on GitHub to make our conversation more open! Let's walk through this step by step. Let me provide more explaination on that description first.
This logic provides a flexible authorization mechanism:
|
|
Next, regarding your question:
In this PR, @rahulii has tried to put the event policies into .status.policies. If you want to list all the eventPolicies, take a look here: Lmk if you have any further questions, and I hope this help. cc @rahulii |
knative-prow
bot
added
size/M
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8104 +/- ##
==========================================
- Coverage 69.30% 67.71% -1.59%
==========================================
Files 345 368 +23
Lines 16113 17597 +1484
==========================================
+ Hits 11167 11916 +749
- Misses 4257 4935 +678
- Partials 689 746 +57 ☔ View full report in Codecov by Sentry. |
|
Hey @Leo6Leo can you guide me to the InmemoryChannel Code, it would be helpful to retrieve the policies and check according to that, and also a few more details about the default-authorization-mode |
hi @7h3-3mp7y-m4n if you want to read more about the feature - please read Knative Eventing Authorization |
|
hey @7h3-3mp7y-m4n , do you need any help here? or Please LMK if you plan to complete this PR, if you are busy, I can take this up if you want. |
Thanks @rahulii I read the documentation of the feature as you provided it to me, I'll get this done today itself, No worries. |
|
Closing this in favor of #8123 |
Fixes #7981
Proposed Changes
Pre-review Checklist