knative · 7h3-3mp7y-m4n · Jul 17, 2024 · Jul 19, 2024 · rahulii · Jul 19, 2024
diff --git a/pkg/auth/token_verifier.go b/pkg/auth/token_verifier.go
@@ -18,10 +18,12 @@ package auth
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
@@ -179,3 +181,53 @@ type openIDMetadata struct {
 	SubjectTypes  []string `json:"subject_types_supported"`
 	SigningAlgs   []string `json:"id_token_signing_alg_values_supported"`
 }
+
+// Getting the OIDCIdentity
+func (c *OIDCTokenVerifier) GetOIDCIdentity(ctx context.Context, r *http.Request, audience string) (*IDToken, error) {
+	token := GetJWTFromHeader(r.Header)
+	if token == "" {
+		return nil, fmt.Errorf("no JWT token found in request")
+	}
+	parsedToken, err := ParseJWT(token)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse JWT: %v", err)
+	}
+
+	var claims struct {
+		Issuer   string   `json:"iss"`
+		Audience []string `json:"aud"`
+		Subject  string   `json:"sub"`
+		Expiry   int64    `json:"exp"`
+		IssuedAt int64    `json:"iat"`
+	}
+
+	if err := parsedToken.Claims(&claims); err != nil {
+		return nil, fmt.Errorf("failed to parse claims: %v", err)
+	}
+
+	return &IDToken{
+		Issuer:   claims.Issuer,
+		Audience: claims.Audience,
+		Subject:  claims.Subject,
+		Expiry:   time.Unix(claims.Expiry, 0),
+		IssuedAt: time.Unix(claims.IssuedAt, 0),
+	}, nil
+}
+func ParseJWT(token string) (*oidc.IDToken, error) {
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("invalid JWT token format")
+	}
+
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode JWT payload: %v", err)
+	}
+
+	var claims oidc.IDToken
+	if err := json.Unmarshal(payload, &claims); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal JWT claims: %v", err)
+	}
+
+	return &claims, nil
+}
diff --git a/pkg/channel/event_receiver.go b/pkg/channel/event_receiver.go
@@ -252,6 +252,13 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth
 		return
 	}
 
+	// Extract OIDC identity
+	_, err = r.ExtractOIDCIdentity(ctx, request)
+	if err != nil {
+		response.WriteHeader(nethttp.StatusUnauthorized)
+		return
+	}
+
 	/// Here we do the OIDC audience verification
 	features := feature.FromContext(ctx)
 	if features.IsOIDCAuthentication() {
@@ -263,7 +270,6 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth
 		}
 		r.logger.Debug("Request contained a valid JWT. Continuing...")
 	}
-
 	err = r.receiverFunc(request.Context(), channel, *event, utils.PassThroughHeaders(request.Header))
 	if err != nil {
 		if _, ok := err.(*UnknownChannelError); ok {
@@ -289,3 +295,18 @@ func ReportEventCountMetricsForDispatchError(err error, reporter StatsReporter,
 }
 
 var _ nethttp.Handler = (*EventReceiver)(nil)
+
+func (r *EventReceiver) ExtractOIDCIdentity(ctx context.Context, request *nethttp.Request) (*auth.IDToken, error) {
+	if r.tokenVerifier == nil {
+		return nil, nil
+	}
+
+	identity, err := r.tokenVerifier.GetOIDCIdentity(ctx, request, r.audience)
+	if err != nil {
+		r.logger.Warn("Error getting OIDC identity", zap.Error(err))
+		return nil, err
+	}
+
+	r.logger.Debug("Successfully retrieved OIDC identity", zap.String("identity", identity.Subject))
+	return identity, nil
+}