[data-plane]: Kafka channel receiver: reject requests for wrong audience

[creydr]

As the Eventing OIDC feature track describes, each Addressable gets its own Audience. In #3576 the Audience of a KafkaChannel will be exposed in its status, so sources can create OIDC tokens dedicated for this Audience.

When receiving an event, the kafka-channel-receiver must:

• when the requested channel has no audience set:
  • no change in behavior
• when the requested channel has an audience set:
  • when no / no valid Authorization header is provided
    • decline the request with a 401 (The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. (https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized))
  • when a valid Authorization header is provided
    • check, if the provided OIDC tokens Audience aligns with the KafkaChannels audience
      • If if does not align: decline the request with a 401
      • If it aligns: no change in behavior

Additional Information:

• requires [data-plane]: Add library for OIDC token management #3573 to verify a token