JWKS support in the JWT plugin


#1

The JWT plugin currently requires a public key to be provided. But it would be better if we could provide a URL containing a JWKS document instead (that itself could contain multiple public keys). This would make key rotations a lot easier. Kong could either re-fetch the JWKS document periodically and use a cached copy in between, or it could pay attention to a key-id parameter in the JWT itself and, if the cached JWKS document doesn’t include that key-id, refetch.
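One way to implement the cache-plus-refetch-on-unknown-kid behaviour described above, as an added Python example that is not part of Kong or of the original post. The JWKS documents, key ids, `fetch` callable and fake clock are constructed stand-ins; the `min_refetch` cooldown is an assumption added so that tokens carrying unknown key ids cannot turn the gateway into a request generator against the JWKS endpoint.

```python
import json
from typing import Callable, Dict, List, Optional

# Constructed JWKS documents standing in for what the issuer's JWKS URL serves
# before and after a key rotation. "n" values are placeholders, not real keys.
JWKS_V1 = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-2023", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER", "e": "AQAB"}]})
JWKS_V2 = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-2023", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-2024", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER", "e": "AQAB"}]})


class JwksCache:
    """Resolve verification keys by 'kid' from a cached JWKS document.

    fetch: returns the raw JWKS JSON (stands in for the HTTP GET of the JWKS URL).
    ttl: seconds a cached copy is reused before a periodic re-fetch.
    min_refetch: minimum seconds between kid-miss triggered re-fetches (assumed
    cooldown, see lead-in).
    """

    def __init__(self, fetch: Callable[[], str], now: Callable[[], float],
                 ttl: float = 300.0, min_refetch: float = 30.0) -> None:
        self._fetch, self._now, self._ttl, self._min_refetch = fetch, now, ttl, min_refetch
        self._keys: Dict[str, dict] = {}
        self._fetched_at: Optional[float] = None

    def _refresh(self) -> None:
        doc = json.loads(self._fetch())
        # Keep only identifiable signing keys; encryption keys must never verify tokens.
        self._keys = {k["kid"]: k for k in doc.get("keys", [])
                      if k.get("kid") and k.get("use", "sig") == "sig"}
        self._fetched_at = self._now()

    def get_key(self, kid: str) -> Optional[dict]:
        now = self._now()
        if self._fetched_at is None or now - self._fetched_at > self._ttl:
            self._refresh()                      # periodic refresh of the cached copy
        key = self._keys.get(kid)
        if key is None and now - self._fetched_at >= self._min_refetch:
            self._refresh()                      # unknown kid: maybe rotated, re-fetch once
            key = self._keys.get(kid)
        return key


def simulate_rotation() -> List[int]:
    """Drive the cache through a rotation on a fake clock; returns the cumulative
    fetch count after each lookup (unchanged count = served from cache)."""
    served, clock, fetches, counts = [JWKS_V1], [0.0], [], []
    def fetch() -> str:
        fetches.append(1)
        return served[-1]
    cache = JwksCache(fetch, now=lambda: clock[0])
    cache.get_key("key-2023"); counts.append(len(fetches))   # first use: fetch -> 1
    cache.get_key("key-2024"); counts.append(len(fetches))   # unknown kid, just fetched -> 1
    served.append(JWKS_V2); clock[0] = 60.0                  # issuer rotates, cooldown passes
    cache.get_key("key-2024"); counts.append(len(fetches))   # miss triggers re-fetch -> 2
    cache.get_key("key-2024"); counts.append(len(fetches))   # now cached -> 2
    clock[0] = 100.0
    cache.get_key("key-bogus"); counts.append(len(fetches))  # unknown kid re-fetches once -> 3
    clock[0] = 101.0
    cache.get_key("key-bogus"); counts.append(len(fetches))  # still unknown, rate limited -> 3
    return counts
```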


#2

We do provide that in OpenID Connect Plugin which does have standard for such JWKS document, but the plugin is only included in commercial version of Kong. There is also a 3rd party plugin that might have similar feature: https://github.com/nokia/kong-oidc (at least they say that “Introspection functionality add capability for already authenticated users and/or applications that already posses acces token to go through Kong” and that they support “Discovery”) . The library they use behind the plugin does have these features. But I haven’t tried that.