You are browsing unreleased documentation.
Changelog
Kong Gateway 3.8.x
- Added support for Redis caching introspection results with the new fields
cluster_cache_strategy
andcluster_cache_redis
. When configured, the plugin will share the token introspection response cache across nodes configured to use the same Redis database. - Added the
claims_forbidden
property to restrict access. - Fixed an issue where anonymous consumers could be cached as nil under a certain condition.
- Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.
- Fixed an issue where
using_pseudo_issuer
didn’t work when sendingPATCH
requests.
Kong Gateway 3.7.x
- Added support for DPoP (Demonstrating Proof-of-Possession) token validation.
You can enable it using the configuration parameter
proof_of_possession_dpop
. - Added support for JWT Secured Authorization Requests (JAR) on Authorization and Pushed Authorization (PAR) endpoints.
See the configuration parameter
require_signed_request_object
. - Added support for JARM response modes:
query.jwt
,form_post.jwt
,fragment.jwt
, andjwt
.
Kong Gateway 3.6.x
Features:
- The configuration parameters
scopes
,login_redirect_uri
,logout_redirect_uri
, andintrospection_headers_values
can now be referenced as secrets in the Kong Vault. - Extended the
token_post_args_client
configuration parameter to support injection from headers. - Added support for explicit proof key for code exchange (PKCE).
- Added support for pushed authorization requests (PAR).
- Added support for the
tls_client_auth
andself_signed_tls_client_auth
authentication methods, allowing mTLS client authentication with the IdP.
Fixes:
- Fixed logout URI suffix detection by using the normalized version of
kong.request.get_forwarded_path()
instead ofngx.var.request_uri
, especially when passing query strings to logout. - The
introspection_headers_values
configuration parameter can now be encrypted. - Removed the unwanted argument
ignore_signature.userinfo
from theuserinfo_load
function. - Added support for consumer group scoping by using the PDK
kong.client.authenticate
function. - Fixed the cache key collision when config
issuer
andextra_jwks_uris
contain the same URI. - The plugin now correctly handled boundary conditions for token expiration time checking.
- The plugin now updates the time when calculating token expiration.
Kong Gateway 3.5.x
- Added the new field
unauthorized_destroy_session
. When set totrue
, it destroys the session when receiving an unauthorized request by deleting the user’s session cookie. - Added the new field
using_pseudo_issuer
. When set totrue
, the plugin instance will not discover configuration from the issuer. - Added support for public clients for token revocation and introspection.
- Added support for designating parameter names
introspection_token_param_name
andrevocation_token_param_name
. - Added support for mTLS proof of possession. The feature is available by enabling
proof_of_possession_mtls
.
Kong Gateway 3.4.x
- This plugin now supports the error reason header.
This header can be turned off by setting
expose_error_code
tofalse
. - OpenID Connect now supports adding scope to the token cache key by
setting
token_cache_key_include_scope
totrue
. - Changed some log levels from
notice
toerror
for better visibility. - Correctly set the right table key on
log
andmessage
. - If an invalid opaque token is provided but verification fails, the plugin now prints the correct error.
Kong Gateway 3.2.x
- The plugin has been updated to use version 4.0.0 of the
lua-resty-session
library which introduced several new features such as the possibility to specify audiences. The following configuration parameters have been affected:
Added:
session_audience
session_remember
session_remember_cookie_name
session_remember_rolling_timeout
session_remember_absolute_timeout
session_absolute_timeout
session_request_headers
session_response_headers
session_store_metadata
session_enforce_same_subject
session_hash_subject
session_hash_storage_key
Renamed:
-
authorization_cookie_lifetime
toauthorization_rolling_timeout
-
authorization_cookie_samesite
toauthorization_cookie_same_site
-
authorization_cookie_httponly
toauthorization_cookie_http_only
-
session_cookie_lifetime
tosession_rolling_timeout
-
session_cookie_idletime
tosession_idling_timeout
-
session_cookie_samesite
tosession_cookie_same_site
-
session_cookie_httponly
tosession_cookie_http_only
-
session_memcache_prefix
tosession_memcached_prefix
-
session_memcache_socket
tosession_memcached_socket
-
session_memcache_host
tosession_memcached_host
-
session_memcache_port
tosession_memcached_port
-
session_redis_cluster_maxredirections
tosession_redis_cluster_max_redirections
Removed:
session_cookie_renew
session_cookie_maxsize
session_strategy
session_compressor
Kong Gateway 3.0.x
- The deprecated
session_redis_auth
field has been removed from the plugin.
Kong Gateway 2.8.x
-
Added the
session_redis_username
andsession_redis_password
configuration parameters.These parameters replace the
session_redis_auth
field, which is now deprecated and planned to be removed in 3.x.x. -
Added the
resolve_distributed_claims
configuration parameter. -
The
client_id
,client_secret
,session_secret
,session_redis_username
, andsession_redis_password
configuration fields are now marked as referenceable, which means they can be securely stored as secrets in a vault. References must follow a specific format.
Kong Gateway 2.7.x
-
Starting with Kong Gateway 2.7.0.0, if keyring encryption is enabled, the
config.client_id
,config.client_secret
,config.session_auth
, andconfig.session_redis_auth
parameter values will be encrypted.Additionally, the
d
,p
,q
,dp
,dq
,qi
,oth
,r
,t
, andk
fields insideopenid_connect_jwks.previous[...].
andopenid_connect_jwks.keys[...]
will be marked as encrypted.There’s a bug in Kong Gateway that prevents keyring encryption from working on deeply nested fields, so the
encrypted=true
setting does not currently have any effect on the nested fields in this plugin. -
The plugin now allows Redis cluster nodes to be specified by hostname through the
session_redis_cluster_nodes
field, which is helpful if the cluster IPs are not static.
Kong Gateway 2.6.x
- The OpenID Connect plugin can now handle JWT responses from a
userinfo
endpoint. - Added support for JWE introspection.
- Added a new parameter,
by_username_ignore_case
, which allowsconsumer_by
username values to be matched case-insensitive with identity provider (IdP) claims.