Add library for OIDC token management

[creydr]

Fixes #7175

Proposed Changes

• 🎁 Add library for OIDC token management
  • Provide OIDCTokenProvider.GetJWT() method to return a JWT for a given service account and audience
  • Provide OIDCTokenVerifier.VerifyJWT() method to verify a token with the provider configured for the cluster

Open points:

• Add token caching (could also be done in a follow up PR to unblock other devs)

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [creydr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Attention: 105 lines in your changes are missing coverage. Please review.

Comparison is base (a78c626) 77.53% compared to head (243c52e) 76.91%.
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7315      +/-   ##
==========================================
- Coverage   77.53%   76.91%   -0.62%     
==========================================
  Files         250      252       +2     
  Lines       13566    13671     +105     
==========================================
- Hits        10518    10515       -3     
- Misses       2523     2630     +107     
- Partials      525      526       +1     

Files	Coverage Δ
pkg/auth/token_provider.go	0.00% <0.00%> (ø)
pkg/auth/token_verifier.go	0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[creydr]

@pierDipi I changed this PR to only include the library. Will do the dispatcher changes in a separate PR. Also I split the library into a provider and a verifier. Could you PTAL?
Thanks in advance

/cc @pierDipi

[pierDipi]

Are you planning to add some unit tests?

[pierDipi]

Does that mean https:// is required? Could we infer it when it's missing since without it is considered valid by the k8s API server?

[pierDipi]

afaik, https for OIDC is required, so assuming scheme = https would work

[creydr]

When I setup a kind cluster without https://, I got a 404 on /.well-known/...
From the docs:

The issuer URL must comply with the OIDC Discovery Spec. In practice, this means it must use the https scheme, and should serve an OpenID provider configuration at {service-account-issuer}/.well-known/openid-configuration

[creydr]

Are you planning to add some unit tests?

The token_provider is mostly a wrapper around the TokenRequest API without much additional logic. So I don't see value here yet.
The token_verifier is mostly a wrapper around the coreos/oidc library. IMO only the loading of the config could be tested, but this would require some mocking of a OIDC config provider server (.well-known/ endpoints) and I am not sure if it is worth that, as we will have e2e tests for the whole flow.

[pierDipi]

/lgtm