The JWT plugin currently requires a public key to be provided. But it would be better if we could provide a URL containing a JWKS document instead (that itself could contain multiple public keys). This would make key rotations a lot easier. Kong could either re-fetch the JWKS document periodically and use a cached copy between. Or it could pay attention to a key-id parameter in the JWT itself and if the cached JWKS document doesn’t include the key-id, then refetch.
We do provide that in OpenID Connect Plugin which does have standard for such JWKS document, but the plugin is only included in commercial version of Kong. There is also a 3rd party plugin that might have similar feature: https://github.com/nokia/kong-oidc (at least they say that “Introspection functionality add capability for already authenticated users and/or applications that already posses acces token to go through Kong” and that they support “Discovery”) . The library they use behind the plugin does have these features. But I haven’t tried that.
I am not sure if we need OIDC part at all if we just need JWKS support for Kong to act as a Resource Server. Thoughts on that dependency?