Kong JWT Signer変更履歴 - Plugin

Changelog

This plugin now supports using the /jwt-signer/jwks/:jwt_signer_jwks endpoint in DB-less mode.

Added support for basic authentication and mTLS authentication to external JWKS services.
The plugin now supports periodically rotating the JWKS. For example, to automatically rotate access_token_jwks_uri, you can set the configuration option access_token_jwks_uri_rotate_period.
The plugin now supports adding the original JWT(s) to the upstream request header by specifying the names of the upstream request header with original_access_token_upstream_header and original_channel_token_upstream_header.
access_token_upstream_header, channel_token_upstream_header, original_access_token_upstream_header, and original_channel_token_upstream_header should not have the same value.
The plugin now supports pseudo JSON values in add_claims and set_claims. We can achieve the goal of passing multiple values to a key by passing a JSON string as the value.
Added add_access_token_claims, set_access_token_claims, add_channel_token_claims, set_channel_token_claims for individually adding claims to access tokens and channel tokens.
Added remove_access_token_claims and remove_channel_token_claims to support the removal of claims.

Added support for consumer group scoping by using the PDK kong.client.authenticate function.

handler.lua version: 1.9.0

Starting with Kong Gateway 2.7.0.0, if keyring encryption is enabled, the following fields d, p, q, dp, dq, qi, and kinside jwt_signer_jwks.previous[...]. and jwt_signer_jwks.keys[...] will be marked as encrypted.

There’s a bug in Kong Gateway that prevents keyring encryption from working on deeply nested fields, so the encrypted=true setting does not currently have any effect in this plugin.