How to handle a JWT signing key rotation scenario?

I am using the JWT plugin (JWT - Plugin | Kong Docs) in DB-less mode with the Kong Ingress Controller, using KongConsumer resources and an associated secret holding the public key of the JWT signing key.

Basically, I have a situation where I am getting requests with an incoming JWT that is signed by jwtkey1 by the auth server. I have a KongConsumer for the iss, and Kong is trusting the token.

However, the authentication server is now deciding to rotate the signing key (every few weeks). So from now on the tokens are signed by jwtkey2! Everything else in the token is the same, including the iss value (which I believe is the key and has to be unique for the KongConsumer). Ideally, the previous tokens signed by jwtkey1 still need to be able to authenticate in Kong until they expire. However, now the new tokens signed by jwtkey2 are also coming in and need to authenticate with Kong.

Currently, though, there is a limitation: I can’t even make a KongConsumer which has a secret with the same iss. It won’t trust one of the signing keys (or, in the case of Kong 3.4.2 that I have tested, the ingress controller will simply not accept the same iss key value for two KongConsumers and fails with):

level=error msg="could not update kong admin" error="performing update for http://127.0.0.1:8001 failed: failed posting new config to /config: got status code 400" subsystem=dataplane-synchronizer
level=error msg="failed parsing resource errors" error="could not unmarshal config error: json: cannot unmarshal object into Go struct field ConfigError.flattened_errors of type sendconfig.FlatEntityError" update_strategy=InMemory url="http://127.0.0.1:8001

How can I handle this situation? Trust two signing keys for tokens that have the same iss?

Does Kong Enterprise support it? If not, what is the solution in these types of rotation scenarios?

Hello

Kong doesn’t support multiple keys for the same iss out of the box. Below are a few options, please check:

- Use an endpoint that lists both keys and configure Kong to use it.
- Create a custom Kong plugin to handle multiple keys.
- Validate JWTs with another service before Kong.
- Check if the Enterprise version supports this feature.
- Manually update Kong with the new key after old tokens expire.

Hope this helps!

Thank you
boblewis
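An added example, not from this thread or from Kong's own code, of the "validate JWTs with another service" option above: a verifier that keeps several keys active for one iss, selects by kid, and retires jwtkey1 after a deadline so the overlap window is bounded. It uses HS256 from the standard library so it runs without dependencies; the issuer URL, secrets and timestamps are constructed, and the same per-issuer key selection applies unchanged to RS256 public keys.

```python
import base64, hashlib, hmac, json

# Constructed trust store: two keys for one issuer are active at the same time.
# "retire_after" bounds the overlap: set it to the latest "exp" a jwtkey1 token
# can carry, after which jwtkey1 must no longer verify anything.
ISSUER = "https://auth.example.test"  # constructed issuer value
TRUSTED_KEYS = {
    ISSUER: {
        "jwtkey1": {"secret": b"old-secret-key-1", "retire_after": 1_700_003_600},
        "jwtkey2": {"secret": b"new-secret-key-2", "retire_after": None},
    }
}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes, kid: str) -> str:
    """Mint a token the way the auth server would, naming its key in 'kid'."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify(token: str, keyset: dict, now: int) -> dict:
    """Return the claims if the token verifies under an active key of its issuer."""
    head, body, sig = token.split(".")
    hdr = json.loads(b64u_dec(head))
    if hdr.get("alg") != "HS256":  # the token never gets to choose the algorithm
        raise ValueError("unsupported alg")
    claims = json.loads(b64u_dec(body))
    keys = keyset.get(claims.get("iss"), {})  # unknown iss -> no candidate keys
    # Prefer the key named by "kid"; tokens without one try every key of the issuer.
    candidates = [keys[hdr["kid"]]] if hdr.get("kid") in keys else list(keys.values())
    for key in candidates:
        if key["retire_after"] is not None and now > key["retire_after"]:
            continue  # retired key: reject even a valid signature
        expect = hmac.new(key["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expect, b64u_dec(sig)):
            if claims.get("exp", 0) <= now:
                raise ValueError("token expired")
            return claims
    raise ValueError("no active key of this issuer verifies the signature")

def is_valid(token: str, keyset: dict, now: int) -> bool:
    try:
        verify(token, keyset, now)
        return True
    except ValueError:
        return False
```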