You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: add OIDC support documentation for SinkBinding and ContainerSource
Fixes#6216
- Add SinkBinding and ContainerSource to the OIDC compatibility list
- Document the /oidc/token file mount feature
- Add practical example showing how to use the OIDC token in containers
When the `authentication-oidc` feature is enabled and a SinkBinding or ContainerSource has a sink with an OIDC audience, Knative Eventing automatically mounts the OIDC token to the container.
74
+
75
+
The token is available at the following path:
76
+
77
+
```
78
+
/oidc/token
79
+
```
80
+
81
+
This file contains a valid OIDC access token for the sink's audience. Your application can read this file and include the token in the `Authorization` header when sending events to the sink.
82
+
83
+
### Example: Sending authenticated events
84
+
85
+
The following example shows how to read the OIDC token and send an authenticated event to the sink in a container:
86
+
87
+
```bash
88
+
# Read the OIDC token and sink URL
89
+
TOKEN=$(cat /oidc/token)
90
+
91
+
# Send an authenticated CloudEvent to the sink
92
+
curl -X POST "$K_SINK" \
93
+
-H "Authorization: Bearer $TOKEN" \
94
+
-H "Content-Type: application/json" \
95
+
-H "Ce-Id: 1" \
96
+
-H "Ce-Source: my-container-source" \
97
+
-H "Ce-Type: my.event.type" \
98
+
-H "Ce-Specversion: 1.0" \
99
+
-d '{"message": "Hello from ContainerSource"}'
100
+
```
101
+
102
+
!!! note
103
+
The token is automatically refreshed by Knative Eventing before it expires. Your application should read the token from the file for each request, or implement token refresh logic.
104
+
69
105
## Verifying that the feature is working
70
106
71
107
Save the following YAML into a file called `default-broker-example.yaml`
0 commit comments