Revert the refactoring

Signed-off-by: Leo Li <[email protected]>
knative · Dec 4, 2023 · c01f073 · c01f073
1 parent 250b3df
commit c01f073
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/pkg/auth/token_verifier.go b/pkg/auth/token_verifier.go
@@ -158,18 +158,3 @@ type openIDMetadata struct {
 	SubjectTypes  []string `json:"subject_types_supported"`
 	SigningAlgs   []string `json:"id_token_signing_alg_values_supported"`
 }
-
-func ValidateEventAuthHeader(ctx context.Context, request *http.Request) error {
-	features := feature.FromContext(ctx)
-	if features.IsOIDCAuthentication() {
-		token := GetJWTFromHeader(request.Header)
-		if token == "" {
-			return fmt.Errorf("no JWT in %s header provided while feature %s is enabled", AuthHeaderKey, feature.OIDCAuthentication)
-		}
-		tokenVerifier := NewOIDCTokenVerifier(ctx)
-		if _, err := tokenVerifier.VerifyJWT(ctx, token, "audience"); err != nil {
-			return fmt.Errorf("no valid JWT provided: %w", err)
-		}
-	}
-	return nil
-}
diff --git a/pkg/channel/event_receiver.go b/pkg/channel/event_receiver.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"knative.dev/eventing/pkg/apis/feature"
 	nethttp "net/http"
 	"time"
 
@@ -245,7 +246,27 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth
 	}
 
 	/// Here we do the OIDC audience verification
-	auth.ValidateEventAuthHeader(ctx, request)
+	features := feature.FromContext(ctx)
+	if features.IsOIDCAuthentication() {
+		r.logger.Debug("OIDC authentication is enabled")
+
+		token := auth.GetJWTFromHeader(request.Header)
+		if token == "" {
+			r.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
+			response.WriteHeader(nethttp.StatusUnauthorized)
+			return
+		}
+
+		if _, err := r.tokenVerifier.VerifyJWT(ctx, token, r.audience); err != nil {
+			r.logger.Warn("no valid JWT provided", zap.Error(err))
+			response.WriteHeader(nethttp.StatusUnauthorized)
+			return
+		}
+
+		r.logger.Debug("Request contained a valid JWT. Continuing...")
+	} else {
+		r.logger.Debug("OIDC authentication is disabled")
+	}
 
 	err = r.receiverFunc(request.Context(), channel, *event, utils.PassThroughHeaders(request.Header))
 	if err != nil {