Make auth package indepent from eventpolicy informer #8195

Merged
6 changes: 4 additions & 2 deletions cmd/broker/filter/main.go
Expand Up @@ -21,6 +21,8 @@ import (
"fmt"
"log"

eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"

"github.com/google/uuid"
"github.com/kelseyhightower/envconfig"
"go.uber.org/zap"
Expand Down Expand Up @@ -152,9 +154,9 @@ func main() {
oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
// the messages to the triggers' subscribers) in this binary.
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
handler, err = filter.NewHandler(logger, authVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
if err != nil {
logger.Fatal("Error creating Handler", zap.Error(err))
}
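Review bot: The new `eventpolicyinformer` import sits in a group of its own above the third-party imports (`github.com/google/uuid`, `github.com/kelseyhightower/envconfig`, `go.uber.org/zap`), which is not how the import is grouped in cmd/broker/ingress/main.go, where it is sorted in with the other `knative.dev/eventing/pkg/client/injection/informers/...` lines. Moving it next to the existing knative.dev/eventing imports further down the block (outside this hunk) keeps the file consistent with goimports-style grouping. This is a style point only; behaviour is unaffected.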
5 changes: 3 additions & 2 deletions cmd/broker/ingress/main.go
Expand Up @@ -49,6 +49,7 @@ import (
"knative.dev/eventing/pkg/broker/ingress"
eventingclient "knative.dev/eventing/pkg/client/injection/client"
brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype"
"knative.dev/eventing/pkg/eventingtls"
"knative.dev/eventing/pkg/eventtype"
Expand Down Expand Up @@ -167,9 +168,9 @@ func main() {
reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String()))

oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, authVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
if err != nil {
logger.Fatal("Error creating Handler", zap.Error(err))
}
21 changes: 11 additions & 10 deletions cmd/jobsink/main.go
Expand Up @@ -54,6 +54,7 @@ import (
"knative.dev/eventing/pkg/apis/sinks"
sinksv "knative.dev/eventing/pkg/apis/sinks/v1alpha1"
"knative.dev/eventing/pkg/auth"
eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
"knative.dev/eventing/pkg/client/injection/informers/sinks/v1alpha1/jobsink"
sinkslister "knative.dev/eventing/pkg/client/listers/sinks/v1alpha1"
"knative.dev/eventing/pkg/eventingtls"
Expand Down Expand Up @@ -114,10 +115,10 @@ func main() {
}

h := &Handler{
k8s: kubeclient.Get(ctx),
lister: jobsink.Get(ctx).Lister(),
withContext: ctxFunc,
oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx),
k8s: kubeclient.Get(ctx),
lister: jobsink.Get(ctx).Lister(),
withContext: ctxFunc,
authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
}

tlsConfig, err := getServerTLSConfig(ctx)
Expand Down Expand Up @@ -158,10 +159,10 @@ func main() {
}

type Handler struct {
k8s kubernetes.Interface
lister sinkslister.JobSinkLister
withContext func(ctx context.Context) context.Context
oidcTokenVerifier *auth.OIDCTokenVerifier
k8s kubernetes.Interface
lister sinkslister.JobSinkLister
withContext func(ctx context.Context) context.Context
authVerifier *auth.Verifier
}

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
Expand Down Expand Up @@ -200,7 +201,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

logger.Debug("Handling POST request", zap.String("URI", r.RequestURI))

err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
if err != nil {
logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
return
Expand Down Expand Up @@ -373,7 +374,7 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http.

logger.Debug("Handling GET request", zap.String("URI", r.RequestURI))

err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
if err != nil {
logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
return
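Review bot: Both `VerifyRequest` calls (in ServeHTTP and in handleGet) dereference `js.Status.Address.Audience`; if `Address` is a pointer that stays nil until the JobSink becomes addressable, a request for a not-yet-ready JobSink would panic before authentication runs. The field's type is not visible in these hunks, so that is an assumption to confirm. Unless a check already exists above the visible lines, a guard such as `if js.Status.Address == nil { w.WriteHeader(http.StatusServiceUnavailable); return }` ahead of each call would fail closed with a clear status. Both function bodies start and end outside the hunks.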
26 changes: 13 additions & 13 deletions pkg/auth/token_verifier.go → pkg/auth/verifier.go
Expand Up @@ -27,7 +27,6 @@ import (
"time"

duckv1 "knative.dev/eventing/pkg/apis/duck/v1"
eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
"knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"

"github.com/cloudevents/sdk-go/v2/binding"
Expand All @@ -37,6 +36,7 @@ import (
"k8s.io/client-go/rest"
eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
"knative.dev/eventing/pkg/apis/feature"
listerseventingv1alpha1 "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"
"knative.dev/pkg/injection"
"knative.dev/pkg/logging"
)
Expand All @@ -45,7 +45,7 @@ const (
kubernetesOIDCDiscoveryBaseURL = "https://kubernetes.default.svc"
)

type OIDCTokenVerifier struct {
type Verifier struct {
logger *zap.SugaredLogger
restConfig *rest.Config
provider *oidc.Provider
Expand All @@ -61,11 +61,11 @@ type IDToken struct {
AccessTokenHash string
}

func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier {
tokenHandler := &OIDCTokenVerifier{
func NewVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *Verifier {
tokenHandler := &Verifier{
logger: logging.FromContext(ctx).With("component", "oidc-token-handler"),
restConfig: injection.GetConfig(ctx),
eventPolicyLister: eventpolicyinformer.Get(ctx).Lister(),
eventPolicyLister: eventPolicyLister,
}

if err := tokenHandler.initOIDCProvider(ctx); err != nil {
Expand All @@ -77,7 +77,7 @@ func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier {

// VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the
// responses HTTP status and returns an error
func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
func (v *Verifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
if !features.IsOIDCAuthentication() {
return nil
}
Expand All @@ -100,7 +100,7 @@ func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.
// On verification errors, it sets the responses HTTP status and returns an error.
// This method is similar to VerifyRequest() except that VerifyRequestFromSubject()
// verifies in the AuthZ part that the request comes from a given subject.
func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
if !features.IsOIDCAuthentication() {
return nil
}
Expand All @@ -119,7 +119,7 @@ func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, featur
}

// verifyAuthN verifies if the incoming request contains a correct JWT token
func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
token := GetJWTFromHeader(req.Header)
if token == "" {
resp.WriteHeader(http.StatusUnauthorized)
Expand All @@ -141,7 +141,7 @@ func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, r
}

// verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
if len(policyRefs) > 0 {
req, err := copyRequest(req)
if err != nil {
Expand Down Expand Up @@ -195,7 +195,7 @@ func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Fl
}

// verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
func (v *Verifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
if v.provider == nil {
return nil, fmt.Errorf("provider is nil. Is the OIDC provider config correct?")
}
Expand All @@ -219,7 +219,7 @@ func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string)
}, nil
}

func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
func (v *Verifier) initOIDCProvider(ctx context.Context) error {
discovery, err := v.getKubernetesOIDCDiscovery()
if err != nil {
return fmt.Errorf("could not load Kubernetes OIDC discovery information: %w", err)
Expand Down Expand Up @@ -247,7 +247,7 @@ func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
return nil
}

func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
func (v *Verifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
client, err := rest.HTTPClientFor(v.restConfig)
if err != nil {
return nil, fmt.Errorf("could not create HTTP client from rest config: %w", err)
Expand All @@ -256,7 +256,7 @@ func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error
return client, nil
}

func (v *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) {
func (v *Verifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) {
client, err := v.getHTTPClientForKubeAPIServer()
if err != nil {
return nil, fmt.Errorf("could not get HTTP client for API server: %w", err)
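Review bot: `NewVerifier` stores the caller-supplied `eventPolicyLister` without checking it, so a nil lister would only surface later on the request path when authorization looks up policies (the `verifyAuthZ` body is collapsed here, so that part is inferred). Since the constructor is exported and its dependency is now injected, either reject nil up front or state the requirement in a doc comment, e.g. `// NewVerifier returns a Verifier that authenticates OIDC tokens and authorizes requests against EventPolicies read from eventPolicyLister, which must be non-nil.` The same package also appears to be imported twice after this change, once unaliased (`"knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"`) and once as `listerseventingv1alpha1`; a single import would do. The logger component is still `"oidc-token-handler"` and the local is still `tokenHandler`, which no longer match the type name and make auth-failure logs harder to attribute.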
4 changes: 2 additions & 2 deletions pkg/broker/filter/filter_handler.go
Expand Up @@ -90,12 +90,12 @@ type Handler struct {
logger *zap.Logger
withContext func(ctx context.Context) context.Context
filtersMap *subscriptionsapi.FiltersMap
tokenVerifier *auth.OIDCTokenVerifier
tokenVerifier *auth.Verifier
EventTypeCreator *eventtype.EventTypeAutoHandler
}

// NewHandler creates a new Handler and its associated EventReceiver.
func NewHandler(logger *zap.Logger, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) {
func NewHandler(logger *zap.Logger, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) {
kncloudevents.ConfigureConnectionArgs(&kncloudevents.ConnectionArgs{
MaxIdleConns: defaultMaxIdleConnections,
MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost,
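Review bot: The `Handler` field and the `NewHandler` parameter are still named `tokenVerifier` although their type is now `*auth.Verifier`, which per its own doc comment verifies both AuthN and AuthZ; the cmd/ binaries and the in-memory channel reconciler were renamed to `authVerifier` in this same change. The same leftover naming is in pkg/broker/ingress/ingress_handler.go (the `tokenVerifier` field and `NewHandler` parameter) and in pkg/channel/event_receiver.go (the `tokenVerifier` field and the `OIDCTokenVerification` option). Renaming the unexported fields and parameters, e.g. `authVerifier *auth.Verifier`, would make it clear at the call sites that policy checks go through this object as well. The exported option name would need a compatibility path, so a doc comment stating that it also enables EventPolicy authorization may be enough there.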
9 changes: 5 additions & 4 deletions pkg/broker/filter/filter_handler_test.go
Expand Up @@ -54,6 +54,7 @@ import (

brokerinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake"
triggerinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake"
eventpolicyinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake"
subscriptioninformerfake "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake"

// Fake injection client
Expand Down Expand Up @@ -443,7 +444,7 @@ func TestReceiver(t *testing.T) {

logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())

for _, trig := range tc.triggers {
// Replace the SubscriberURI to point at our fake server.
Expand Down Expand Up @@ -479,7 +480,7 @@ func TestReceiver(t *testing.T) {
reporter := &mockReporter{}
r, err := NewHandler(
logger,
oidcTokenVerifier,
authVerifier,
oidcTokenProvider,
triggerinformerfake.Get(ctx),
brokerinformerfake.Get(ctx),
Expand Down Expand Up @@ -652,7 +653,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {

logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())

// Replace the SubscriberURI to point at our fake server.
for _, trig := range tc.triggers {
Expand Down Expand Up @@ -688,7 +689,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {
reporter := &mockReporter{}
r, err := NewHandler(
logger,
oidcTokenVerifier,
authVerifier,
oidcTokenProvider,
triggerinformerfake.Get(ctx),
brokerinformerfake.Get(ctx),
4 changes: 2 additions & 2 deletions pkg/broker/ingress/ingress_handler.go
Expand Up @@ -73,12 +73,12 @@ type Handler struct {

eventDispatcher *kncloudevents.Dispatcher

tokenVerifier *auth.OIDCTokenVerifier
tokenVerifier *auth.Verifier

withContext func(ctx context.Context) context.Context
}

func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) {
func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) {
connectionArgs := kncloudevents.ConnectionArgs{
MaxIdleConns: defaultMaxIdleConnections,
MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost,
5 changes: 3 additions & 2 deletions pkg/broker/ingress/ingress_handler_test.go
Expand Up @@ -44,6 +44,7 @@ import (
"knative.dev/eventing/pkg/broker"

brokerinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake"
eventpolicyinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake"

// Fake injection client
_ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake"
Expand Down Expand Up @@ -290,13 +291,13 @@ func TestHandler_ServeHTTP(t *testing.T) {
}

tokenProvider := auth.NewOIDCTokenProvider(ctx)
tokenVerifier := auth.NewOIDCTokenVerifier(ctx)
authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())

h, err := NewHandler(logger,
&mockReporter{},
tc.defaulter,
brokerinformerfake.Get(ctx),
tokenVerifier,
authVerifier,
tokenProvider,
configmapinformer.Get(ctx).Lister().ConfigMaps("ns"),
func(ctx context.Context) context.Context {
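Review bot: The added named import `eventpolicyinformerfake` makes the blank import `_ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake"` under `// Fake injection client` redundant, because the package is now imported, and its init run, through the named import. Dropping the blank import avoids listing the same path twice, which linters tend to flag. The import block continues outside this hunk, so check that no other comment depends on that line.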
4 changes: 2 additions & 2 deletions pkg/channel/event_receiver.go
Expand Up @@ -71,7 +71,7 @@ type EventReceiver struct {
hostToChannelFunc ResolveChannelFromHostFunc
pathToChannelFunc ResolveChannelFromPathFunc
reporter StatsReporter
tokenVerifier *auth.OIDCTokenVerifier
tokenVerifier *auth.Verifier
audience string
getPoliciesForFunc GetPoliciesForFunc
withContext func(context.Context) context.Context
Expand Down Expand Up @@ -120,7 +120,7 @@ func ReceiverWithGetPoliciesForFunc(fn GetPoliciesForFunc) EventReceiverOptions
}
}

func OIDCTokenVerification(tokenVerifier *auth.OIDCTokenVerifier, audience string) EventReceiverOptions {
func OIDCTokenVerification(tokenVerifier *auth.Verifier, audience string) EventReceiverOptions {
return func(r *EventReceiver) error {
r.tokenVerifier = tokenVerifier
r.audience = audience
3 changes: 2 additions & 1 deletion pkg/reconciler/inmemorychannel/dispatcher/controller.go
Expand Up @@ -54,6 +54,7 @@ import (
"knative.dev/eventing/pkg/apis/feature"
"knative.dev/eventing/pkg/channel"
eventingclient "knative.dev/eventing/pkg/client/injection/client"
eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype"
inmemorychannelinformer "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/inmemorychannel"
inmemorychannelreconciler "knative.dev/eventing/pkg/client/injection/reconciler/messaging/v1/inmemorychannel"
Expand Down Expand Up @@ -136,7 +137,7 @@ func NewController(
eventingClient: eventingclient.Get(ctx).EventingV1beta2(),
eventTypeLister: eventtypeinformer.Get(ctx).Lister(),
eventDispatcher: kncloudevents.NewDispatcher(clientConfig, oidcTokenProvider),
tokenVerifier: auth.NewOIDCTokenVerifier(ctx),
authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
clientConfig: clientConfig,
inMemoryChannelLister: inmemorychannelInformer.Lister(),
}
8 changes: 4 additions & 4 deletions pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go
Expand Up @@ -62,8 +62,8 @@ type Reconciler struct {
featureStore *feature.Store
eventDispatcher *kncloudevents.Dispatcher

tokenVerifier *auth.OIDCTokenVerifier
clientConfig eventingtls.ClientConfig
authVerifier *auth.Verifier
clientConfig eventingtls.ClientConfig
}

// Check the interfaces Reconciler should implement
Expand Down Expand Up @@ -134,7 +134,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec
channelRef,
UID,
r.eventDispatcher,
channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)),
channel.OIDCTokenVerification(r.authVerifier, audience(imc)),
channel.ReceiverWithContextFunc(wc),
channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef),
)
Expand Down Expand Up @@ -167,7 +167,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec
UID,
r.eventDispatcher,
channel.ResolveChannelFromPath(channel.ParseChannelFromPath),
channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)),
channel.OIDCTokenVerification(r.authVerifier, audience(imc)),
channel.ReceiverWithContextFunc(wc),
channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef),
)