Check status code of OIDC discovery response (#3707)

* Check status code of OIDC discovery endpoint * Run update-codegen.sh * Only allow 200 status code on OIDC discovery endpoint
knative-extensions · Feb 20, 2024 · 6596c48 · 6596c48
1 parent ec4fa35
commit 6596c48
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/...e/core/src/main/java/dev/knative/eventing/kafka/broker/core/oidc/OIDCDiscoveryConfig.java b/...e/core/src/main/java/dev/knative/eventing/kafka/broker/core/oidc/OIDCDiscoveryConfig.java
@@ -34,6 +34,8 @@ public class OIDCDiscoveryConfig {
 
     private static final Logger logger = LoggerFactory.getLogger(TokenVerifier.class);
 
+    private static final String OIDC_DISCOVERY_URL = "https://kubernetes.default.svc/.well-known/openid-configuration";
+
     private String issuer;
 
     private JwksVerificationKeyResolver jwksVerificationKeyResolver;
@@ -58,13 +60,18 @@ public static Future<OIDCDiscoveryConfig> build(Vertx vertx) {
         OIDCDiscoveryConfig oidcDiscoveryConfig = new OIDCDiscoveryConfig();
 
         return webClient
-                .getAbs("https://kubernetes.default.svc/.well-known/openid-configuration")
+                .getAbs(OIDC_DISCOVERY_URL)
                 .bearerTokenAuthentication(kubeConfig.getAutoOAuthToken())
                 .send()
                 .compose(res -> {
                     logger.debug("Got raw OIDC discovery info: " + res.bodyAsString());
 
                     try {
+                        if (res.statusCode() != 200) {
+                            return Future.failedFuture("Unexpected status (" + res.statusCode()
+                                    + ") on OIDC discovery endpoint: " + res.bodyAsString());
+                        }
+
                         ObjectMapper mapper = new ObjectMapper();
                         OIDCInfo oidcInfo = mapper.readValue(res.bodyAsString(), OIDCInfo.class);