JWT

Release date 2025/07/03

Bugfix

• Fixed an issue where the WWW-Authenticate header used an incorrect delimiter, now using a comma as specified by RFC 7235.

Performance

• refactored plugin code to be more performant (measured to be at least three times faster).

Release date 2025/03/27

Bugfix

• Improved the error message which occurred when an anonymous consumer was configured but did not exist.

Release date 2024/12/12

Bugfix

• ensure rsa_public_key isn’t base64-decoded.

Release date 2024/09/11

Bugfix

• Add WWW-Authenticate headers to 401 responses.

Release date 2024/05/28

Feature

• Addded support for EdDSA algorithms in JWT plugin

• Added support for ES512, PS256, PS384, PS512 algorithms in JWT plugin

Bugfix

• Fixed an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms.

Release date 2023/02/28

Bugfix

• This plugin now denies requests that have different tokens in the JWT token search locations.

  Thanks Jackson ‘Che-Chun’ Kuo from Latacora for reporting this issue.#9946

Release date 2022/12/06

Feature

• The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.

Release date 2022/09/09

Breaking Change

• Updated the priority for some plugins.: jwt changed from 1005 to 1450

• The authenticated JWT is no longer put into the nginx context (ngx.ctx.authenticated_jwt_token). Custom plugins which depend on that value being set under that name must be updated to use Kong’s shared context instead (kong.ctx.shared.authenticated_jwt_token) before upgrading to 3.0.

Release date 2023/01/06

Bugfix

• Fixed an issue where the JWT plugin could potentially forward an unverified token to the upstream.