Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple JWT Secrets Causing "Invalid Signature" Due to Incorrect Validation Order in KongConsumer #13701

Open
1 task done
yang-wang11 opened this issue Sep 23, 2024 · 0 comments

Comments

@yang-wang11
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

kong:3.1.1

Current Behavior

I’ve encountered an issue with the JWT plugin when using multiple secrets under a KongConsumer during the JWT signing key rotation. Kong appears to process the secrets in reverse order (from bottom to top in the credentials list). If the first (bottom) secret is close to expiration but still technically valid, Kong will validate it first and ignore newer secrets, leading to an "Invalid signature" error once that secret expires. All these K8s secrets have the same issuer(.data.key).

Expected Behavior

Kong should search for a valid secret for JWT token validation, rather than use the fixed order.

Steps To Reproduce

  1. Configure a KongConsumer with multiple JWT secrets:
apiVersion: configuration.konghq.com/v1
credentials:
 - new-jwt-secret
 - old-jwt-secret
kind: KongConsumer
metadata:
  name: kc
username: username
  1. Add a JWT plugin to validate requests against the consumer.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: default-jwt
plugin: jwt

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/plugins: default-jwt
    konghq.com/preserve-host: "false"
    kubernetes.io/ingress.class: kong
  1. Once the old-jwt-secret has expired, Kong still attempts to validate it first.

  2. Requests return "Invalid signature" errors despite credentials contain new-jwt-secret.

Anything else?

No response

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants