InMemoryChannel: reject request for wrong audience

[creydr]

As the Eventing OIDC feature track describes, each Addressable gets its own Audience. Since #7187 the Audience of an InMemoryChannel will be exposed in its status, so sources can create OIDC tokens dedicated for this Audience.

When receiving an event, the InMemoryChannel receiver must:

• when the feature flag (see Add authentication.oidc feature flag #7174) is disabled:
  • no change in behavior
• when the feature flag (see Add authentication.oidc feature flag #7174) is enabled:
  • when no / no valid Authorization header is provided
    • decline the request with a 401 (The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. (https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized))
  • when a valid Authorization header is provided
    • check, if the provided OIDC tokens Audience aligns with the InMemoryChannels audience
      • If if does not align: decline the request with a 401
      • If it aligns: no change in behavior

Additional Information:

• requires Support exposing the Audience of an InMemoryChannel #7187
• requires Provide a library for OIDC token management #7175

[Leo6Leo]

/assign