Kong KWKS Verification

I have noticed that Kong API Gateway, when passed a JWT Access Token, it calls to the JWKS endpoint of the Authorization server to obtain the key data to validate the Access Token. It seems to want the alg: value to be RS256. This is an optional value under the OAUTH/JWKS/JWA specification but Kong seems to want it mandated. The JWT itself has the Alg value of RS256 in it so there is no need for the JWKS endpoint to include it - just the matching KID and keys.

Anyone know how to turn off the need for Kong to require the JWKS endpoint to have RS256 given it adds very little value.

Thanks


© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ