diff --git a/pkg/auth/token_verifier.go b/pkg/auth/token_verifier.go index a37f8060012..5571b67f2b1 100644 --- a/pkg/auth/token_verifier.go +++ b/pkg/auth/token_verifier.go @@ -151,6 +151,27 @@ func (c *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error return openIdConfig, nil } +// VerifyJWTFromRequest will verify the incoming request contains the correct JWT token +func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error { + token := GetJWTFromHeader(r.Header) + if token == "" { + response.WriteHeader(http.StatusUnauthorized) + return fmt.Errorf("no JWT token found in request") + } + + if audience == nil { + response.WriteHeader(http.StatusInternalServerError) + return fmt.Errorf("no audience is provided") + } + + if _, err := tokenVerifier.VerifyJWT(ctx, token, *audience); err != nil { + response.WriteHeader(http.StatusUnauthorized) + return fmt.Errorf("failed to verify JWT: %w", err) + } + + return nil +} + type openIDMetadata struct { Issuer string `json:"issuer"` JWKSURI string `json:"jwks_uri"` diff --git a/pkg/broker/filter/filter_handler.go b/pkg/broker/filter/filter_handler.go index 9acb91a3845..e493c35b17c 100644 --- a/pkg/broker/filter/filter_handler.go +++ b/pkg/broker/filter/filter_handler.go @@ -193,16 +193,12 @@ func (h *Handler) ServeHTTP(writer http.ResponseWriter, request *http.Request) { features := feature.FromContext(ctx) if features.IsOIDCAuthentication() { h.logger.Debug("OIDC authentication is enabled") - token := auth.GetJWTFromHeader(request.Header) - if token == "" { - h.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication)) - writer.WriteHeader(http.StatusUnauthorized) - return - } - if _, err := h.tokenVerifier.VerifyJWT(ctx, token, FilterAudience); err != nil { - h.logger.Warn("no valid JWT provided", zap.Error(err)) - writer.WriteHeader(http.StatusUnauthorized) + audience := FilterAudience + + err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, &audience, writer) + if err != nil { + h.logger.Warn("Error when validating the JWT token in the request", zap.Error(err)) return } diff --git a/pkg/broker/ingress/ingress_handler.go b/pkg/broker/ingress/ingress_handler.go index 89111289cae..c0aa4938b39 100644 --- a/pkg/broker/ingress/ingress_handler.go +++ b/pkg/broker/ingress/ingress_handler.go @@ -228,22 +228,9 @@ func (h *Handler) ServeHTTP(writer http.ResponseWriter, request *http.Request) { if features.IsOIDCAuthentication() { h.Logger.Debug("OIDC authentication is enabled") - if broker.Status.Address.Audience == nil { - h.Logger.Warn(fmt.Sprintf("Audience of broker %s/%s must not be nil, while feature %s is enabled", broker.Name, broker.Namespace, feature.OIDCAuthentication)) - writer.WriteHeader(http.StatusInternalServerError) - return - } - - token := auth.GetJWTFromHeader(request.Header) - if token == "" { - h.Logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication)) - writer.WriteHeader(http.StatusUnauthorized) - return - } - - if _, err := h.tokenVerifier.VerifyJWT(ctx, token, *broker.Status.Address.Audience); err != nil { - h.Logger.Warn("no valid JWT provided", zap.Error(err)) - writer.WriteHeader(http.StatusUnauthorized) + err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, broker.Status.Address.Audience, writer) + if err != nil { + h.Logger.Warn("Error when validating the JWT token in the request", zap.Error(err)) return } diff --git a/pkg/channel/event_receiver.go b/pkg/channel/event_receiver.go index f39e8facc32..1e3ff3c2cc7 100644 --- a/pkg/channel/event_receiver.go +++ b/pkg/channel/event_receiver.go @@ -250,23 +250,12 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth features := feature.FromContext(ctx) if features.IsOIDCAuthentication() { r.logger.Debug("OIDC authentication is enabled") - - token := auth.GetJWTFromHeader(request.Header) - if token == "" { - r.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication)) - response.WriteHeader(nethttp.StatusUnauthorized) - return - } - - if _, err := r.tokenVerifier.VerifyJWT(ctx, token, r.audience); err != nil { - r.logger.Warn("no valid JWT provided", zap.Error(err)) - response.WriteHeader(nethttp.StatusUnauthorized) + err = r.tokenVerifier.VerifyJWTFromRequest(ctx, request, &r.audience, response) + if err != nil { + r.logger.Warn("Error when validating the JWT token in the request", zap.Error(err)) return } - r.logger.Debug("Request contained a valid JWT. Continuing...") - } else { - r.logger.Debug("OIDC authentication is disabled") } err = r.receiverFunc(request.Context(), channel, *event, utils.PassThroughHeaders(request.Header))