Multiple JWT Secrets Causing "Invalid Signature" Due to Incorrect Validation Order in KongConsumer #13701
Labels
pending author feedback
Waiting for the issue author to get back to a maintainer with findings, more details, etc...
plugins/jwt
stale
Is there an existing issue for this?
Kong version (
$ kong version
)kong:3.1.1
Current Behavior
I’ve encountered an issue with the JWT plugin when using multiple secrets under a KongConsumer during the JWT signing key rotation. Kong appears to process the secrets in reverse order (from bottom to top in the credentials list). If the first (bottom) secret is close to expiration but still technically valid, Kong will validate it first and ignore newer secrets, leading to an "Invalid signature" error once that secret expires. All these K8s secrets have the same issuer(.data.key).
Expected Behavior
Kong should search for a valid secret for JWT token validation, rather than use the fixed order.
Steps To Reproduce
Once the
old-jwt-secret
has expired, Kong still attempts to validate it first.Requests return "Invalid signature" errors despite credentials contain
new-jwt-secret
.Anything else?
No response
The text was updated successfully, but these errors were encountered: