Add remote report authorization

Author: csweichel

cmd/build.go

@@ -254,7 +254,7 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, *leeway.FilesystemC
 	if ep, err := cmd.Flags().GetString("remote-report"); err != nil {
 		log.Fatal(err)
 	} else if ep != "" {
-		reporter = append(reporter, remotereporter.NewReporter(ep))
+		reporter = append(reporter, remotereporter.NewReporter(ep, os.Getenv("LEEWAY_REMOTE_REPORT_TOKEN")))
 	}
 
 	dontTest, err := cmd.Flags().GetBool("dont-test")

pkg/remotereporter/reporter.go

@@ -15,14 +15,21 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-func NewReporter(endpoint string) *Reporter {
+func NewReporter(endpoint, token string) *Reporter {
 	id, err := uuid.NewRandom()
 	if err != nil {
 		panic(fmt.Sprintf("cannot create remote reporting sesison UUID: %v.\nTry running without --remote-report", err))
 	}
 
 	httpclient := &http.Client{Timeout: 2 * time.Second}
-	client := v1connect.NewReporterServiceClient(httpclient, endpoint)
+	client := v1connect.NewReporterServiceClient(httpclient, endpoint, connect_go.WithInterceptors(connect_go.UnaryInterceptorFunc(func(uf connect_go.UnaryFunc) connect_go.UnaryFunc {
+		return func(ctx context.Context, req connect_go.AnyRequest) (connect_go.AnyResponse, error) {
+			if token != "" {
+				req.Header().Set("Authorization", token)
+			}
+			return uf(ctx, req)
+		}
+	})))
 	return &Reporter{
 		sessionID: id.String(),
 		times:     make(map[string]time.Time),

tracker/backend/ingestor/go.mod

@@ -4,6 +4,7 @@ go 1.19
 
 require (
 	github.com/InfluxCommunity/influxdb3-go v0.1.0
+	github.com/MicahParks/keyfunc v1.9.0
 	github.com/aws/aws-lambda-go v1.41.0
 	github.com/aws/aws-sdk-go-v2 v1.18.1
 	github.com/aws/aws-sdk-go-v2/config v1.18.27
@@ -12,8 +13,11 @@ require (
 	github.com/bufbuild/connect-go v1.9.0
 	github.com/bufbuild/connect-grpcreflect-go v1.1.0
 	github.com/gitpod-io/leeway v0.0.0-00010101000000-000000000000
+	github.com/golang-jwt/jwt/v4 v4.4.2
 	github.com/segmentio/analytics-go/v3 v3.2.1
 	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/pflag v1.0.5
+	github.com/zitadel/oidc v1.13.4
 )
 
 require (
@@ -36,6 +40,8 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/flatbuffers v2.0.8+incompatible // indirect
 	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/schema v1.2.0 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/influxdata/line-protocol/v2 v2.2.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/asmfmt v1.3.2 // indirect
@@ -46,16 +52,20 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.15 // indirect
 	github.com/segmentio/backo-go v1.0.0 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
+	golang.org/x/crypto v0.7.0 // indirect
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
 	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/tools v0.9.3 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230320184635-7606e756e683 // indirect
 	google.golang.org/grpc v1.55.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 )
 
 replace github.com/gitpod-io/leeway => ../../.. // leeway

tracker/backend/ingestor/go.sum

@@ -47,6 +47,8 @@ github.com/InfluxCommunity/influxdb3-go v0.1.0 h1:c+5H7qD7WZ0KSTCtCrVjBoMEspIP8K
 github.com/InfluxCommunity/influxdb3-go v0.1.0/go.mod h1:6hVZLGqLyfEvXu14JRm4Ai938q8BzJ73TGQ7VKh8qPA=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c h1:RGWPOewvKIROun94nF7v2cua9qP+thov/7M50KEoeSU=
 github.com/Joker/hpp v1.0.0/go.mod h1:8x5n+M1Hp5hC0g8okX3sR3vFQwynaX/UgSOM9MeBKzY=
+github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
+github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/Shopify/goreferrer v0.0.0-20210630161223-536fa16abd6f/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
@@ -179,6 +181,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gofiber/fiber/v2 v2.1.0/go.mod h1:aG+lMkwy3LyVit4CnmYUbUdgjpc3UYOltvlJZ78rgQ0=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -259,6 +263,10 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR
 github.com/gopherjs/gopherjs v0.0.0-20220221023154-0b2280d3ff96/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
 github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc=
+github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
@@ -449,6 +457,7 @@ github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t6
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
@@ -499,6 +508,8 @@ github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ
 github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
+github.com/zitadel/oidc v1.13.4 h1:+k2GKqP9Ld9S2MSFlj+KaNsoZ3J9oy+Ezw51EzSFuC8=
+github.com/zitadel/oidc v1.13.4/go.mod h1:3h2DhUcP02YV6q/CA/BG4yla0o6rXjK+DkJGK/dwJfw=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
@@ -527,6 +538,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -626,6 +639,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -819,6 +834,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -912,6 +928,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

tracker/backend/ingestor/handler/auth.go

@@ -0,0 +1,77 @@
+package handler
+
+import (
+	context "context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/MicahParks/keyfunc"
+	"github.com/bufbuild/connect-go"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/sirupsen/logrus"
+
+	oidc "github.com/zitadel/oidc/pkg/client"
+)
+
+func NewOIDCInterceptor(idp, audience string, allowedSubs []string) (connect.Interceptor, error) {
+	cfg, err := oidc.Discover(idp, &http.Client{Timeout: 10 * time.Second})
+	if err != nil {
+		return nil, err
+	}
+	jwks, err := keyfunc.Get(cfg.JwksURI, keyfunc.Options{
+		Ctx: context.Background(),
+		RefreshErrorHandler: func(err error) {
+			logrus.WithError(err).WithField("identityProvider", idp).Warn("cannot refresh JWKS")
+		},
+		RefreshInterval:   time.Hour,
+		RefreshRateLimit:  time.Minute * 5,
+		RefreshTimeout:    time.Second * 10,
+		RefreshUnknownKID: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+	logrus.WithField("issuer", idp).WithField("audience", audience).WithField("sub", allowedSubs).Info("enabled OIDC authorisation")
+
+	return connect.UnaryInterceptorFunc(func(uf connect.UnaryFunc) connect.UnaryFunc {
+		return func(ctx context.Context, ar connect.AnyRequest) (connect.AnyResponse, error) {
+			rawToken := ar.Header().Get("Authorization")
+			if rawToken == "" {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("missing Authorization header"))
+			}
+			token, err := jwt.Parse(rawToken, jwks.Keyfunc)
+			if err != nil {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("cannot parse token: %w", err))
+			}
+			if !token.Valid {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("invalid JWT token"))
+			}
+			claims, ok := token.Claims.(jwt.MapClaims)
+			if !ok {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("cannot extract claims from JWT"))
+			}
+			if !claims.VerifyAudience(audience, true) {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("audience does not match (expected %s, got %s)", audience, claims["aud"]))
+			}
+			if !claims.VerifyIssuer(idp, true) {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("issuer does not match (expected %s, got %s)", idp, claims["iss"]))
+			}
+			if !claims.VerifyExpiresAt(time.Now().Unix(), true) {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("token has expired"))
+			}
+			var validSub bool
+			for _, sub := range allowedSubs {
+				if claims["sub"] == sub {
+					validSub = true
+					break
+				}
+			}
+			if !validSub {
+				return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("unexpected subject %s", claims["sub"]))
+			}
+
+			return uf(ctx, ar)
+		}
+	}), nil
+}

tracker/backend/ingestor/main.go

@@ -2,17 +2,19 @@ package main
 
 import (
 	"context"
-	"flag"
 	"log"
 	"net/http"
 	"os"
 	"time"
 
+	flag "github.com/spf13/pflag"
+
 	"github.com/InfluxCommunity/influxdb3-go/influx"
 	"github.com/aws/aws-lambda-go/lambda"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/cloudwatch"
 	"github.com/awslabs/aws-lambda-go-api-proxy/httpadapter"
+	"github.com/bufbuild/connect-go"
 	grpcreflect "github.com/bufbuild/connect-grpcreflect-go"
 	segment "github.com/segmentio/analytics-go/v3"
 	"github.com/sirupsen/logrus"
@@ -22,9 +24,12 @@ import (
 )
 
 var (
-	listen  = flag.String("listen", ":8080", "address to listen on when not running as lambda")
-	verbose = flag.Bool("verbose", false, "enable verbose logging")
-	sink    = flag.String("sink", "console", "where to write samples to. Valid values are: console, cloudwatch, influxdb, segment")
+	listen      = flag.String("listen", ":8080", "address to listen on when not running as lambda")
+	verbose     = flag.Bool("verbose", false, "enable verbose logging")
+	sink        = flag.String("sink", "console", "where to write samples to. Valid values are: console, cloudwatch, influxdb, segment")
+	idp         = flag.String("idp", "", "if set incoming requests must carry a valid ID token from this IDP in their Authorization header")
+	idpAudience = flag.String("idp-aud", "leeway.gitpod.io", "use in combination with --idp to control the audience the ID token must carry")
+	idpSub      = flag.StringArray("idp-sub", nil, "use in combination with --idp to control the subject the ID token must carry; if any subject matches the token is accepted")
 )
 
 func main() {
@@ -62,9 +67,18 @@ func main() {
 		client := segment.New(os.Getenv("SEGMENT_KEY"))
 		store = handler.WriteToSegment(client)
 	default:
-		logrus.Fatalf("unsupported --sample-sink: %s", *sink)
+		logrus.Fatalf("unsupported --sink: %s", *sink)
+	}
+
+	var interceptors []connect.Interceptor
+	if *idp != "" {
+		ic, err := handler.NewOIDCInterceptor(*idp, *idpAudience, *idpSub)
+		if err != nil {
+			logrus.Fatalf("cannot setup OIDC auth with %s: %v", err)
+		}
+		interceptors = append(interceptors, ic)
 	}
-	mux.Handle(v1connect.NewReporterServiceHandler(handler.NewBuildReportHandler(store)))
+	mux.Handle(v1connect.NewReporterServiceHandler(handler.NewBuildReportHandler(store), connect.WithInterceptors(interceptors...)))
 
 	reflector := grpcreflect.NewStaticReflector(
 		v1connect.ReporterServiceName,