Handling two JWT signing keys for same iss #13089
Labels
pending author feedback
Waiting for the issue author to get back to a maintainer with findings, more details, etc...
plugins/jwt
Is there an existing issue for this?
Kong version (
$ kong version
)Kong 3.4.2
Current Behavior
I am using jwt plugin https://docs.konghq.com/hub/kong-inc/jwt/?_ga=2.53180716.589797142.1716798760-147226938.1680633234 and I am in a dbless mode with Kong ingress controller 2.12.3 using the Kongconsumer resources and an associated secret holding the public key of JWT signing key.
Basically, I have a situation that I am getting requests with an incoming JWT that are signed by jwtkey1 by the auth server. I have a Kongconsumer for the iss and Kong is trusting the token.
However, the authentication server is now deciding to rotate the signing key (every few weeks). So from now the tokens are signed by jwtkey2 ! However everything else in the token is the same including iss value (which I believe is the key and has to be unique for the Kongconsumer). Ideally, the previous tokens signed by jwtkey1 still need to be able to authenticate in Kong until they expire. However now the new tokens signed by jwtkey2 are also coming in and need to authenticate with Kong.
Currently though there is a limitation, I can’t even make a Kongconsumer which has a secret with the same iss. It won’t trust one of the signing keys (or in case of Kong 3.4.2 that I have tested, ingress controller will just simply not accept the same iss key value for two Kongconsumers and fail with:
How can I handle this situation? Trust two signing keys for tokens that has the same iss ?
Expected Behavior
Be able to make the separate Kongconsumers with the same iss but different token signing key.
Steps To Reproduce
Anything else?
No response
The text was updated successfully, but these errors were encountered: