Is there an existing issue for this?
Kong version ($ kong version)
kong:3.1.1
Current Behavior
I've encountered an issue with the JWT plugin when using multiple secrets under a KongConsumer during the JWT signing key rotation. Kong appears to process the secrets in reverse order (from bottom to top in the credentials list). If the first (bottom) secret is close to expiration but still technically valid, Kong will validate it first and ignore newer secrets, leading to an "Invalid signature" error once that secret expires. All these K8s secrets have the same issuer (.data.key).
Expected Behavior
Kong should search for a valid secret for JWT token validation, rather than use the fixed order.
Steps To Reproduce
Configure a KongConsumer with multiple JWT secrets (old-jwt-secret and new-jwt-secret, both with the same issuer in .data.key).
Once the old-jwt-secret has expired, Kong still attempts to validate it first. Requests return "Invalid signature" errors even though the credentials contain new-jwt-secret.
Anything else?
No response