Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple JWT Secrets Causing "Invalid Signature" Due to Incorrect Validation Order in KongConsumer #13701

Open
1 task done
yang-wang11 opened this issue Sep 23, 2024 · 2 comments
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... plugins/jwt stale

Comments

@yang-wang11
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

kong:3.1.1

Current Behavior

I’ve encountered an issue with the JWT plugin when using multiple secrets under a KongConsumer during the JWT signing key rotation. Kong appears to process the secrets in reverse order (from bottom to top in the credentials list). If the first (bottom) secret is close to expiration but still technically valid, Kong will validate it first and ignore newer secrets, leading to an "Invalid signature" error once that secret expires. All these K8s secrets have the same issuer(.data.key).

Expected Behavior

Kong should search for a valid secret for JWT token validation, rather than use the fixed order.

Steps To Reproduce

  1. Configure a KongConsumer with multiple JWT secrets:
apiVersion: configuration.konghq.com/v1
credentials:
 - new-jwt-secret
 - old-jwt-secret
kind: KongConsumer
metadata:
  name: kc
username: username
  1. Add a JWT plugin to validate requests against the consumer.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: default-jwt
plugin: jwt

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/plugins: default-jwt
    konghq.com/preserve-host: "false"
    kubernetes.io/ingress.class: kong
  1. Once the old-jwt-secret has expired, Kong still attempts to validate it first.

  2. Requests return "Invalid signature" errors despite credentials contain new-jwt-secret.

Anything else?

No response

@Oyami-Srk
Copy link
Member

I cannot reproduce it under Kong 3.8.0. Could you please upgrade Kong to see if the problem still exists?
In my opinion, JWT cannot determine whether a token has expired if you don't explicitly pass an expired token to it. Have you tried manually crafting a JWT token using https://jwt.io to see if an expired key can affect other unexpired keys?
We would appreciate it if you could post the full requests with expired and unexpired tokens to help us reproduce this issue.

@Oyami-Srk Oyami-Srk added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label Nov 4, 2024
Copy link
Contributor

This issue is marked as stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale label Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... plugins/jwt stale
Projects
None yet
Development

No branches or pull requests

3 participants