
JWT Plugin bypasses validation process occasionally on frequent requests

Open ram-appsentinels opened this issue 1 year ago • 3 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Kong version ($ kong version)

2.8.1

Current Behavior

Dear Team, I’m currently running Kong within a Docker container, along with the JWT plugin. My setup involves a Flask web server operating behind Kong, with JWT validation enabled at the Kong level. When I send a request via Postman with an invalid-signature bearer token or an invalid algorithm, I receive an “Invalid alg or invalid signature” response. However, on frequent requests, I’ve observed the validation occasionally being bypassed on the Kong side, and the request reaches my Flask server. Thanks in advance.

Expected Behavior

It should throw an exception.

Steps To Reproduce

Took a valid bearer token, made a request, and it passed through. With the same valid token, I manually tampered with the token to make the algorithm invalid and made a request using Postman. The initial request got an exception, but on frequent requests it occasionally gets bypassed.

Anything else?

No response

ram-appsentinels avatar May 20 '24 09:05 ram-appsentinels

@ram-appsentinels Could you share your JWT plugin config?

brentos avatar May 20 '24 20:05 brentos

Sure @brentos

{
  "id": "336655f6-f9cf-406e-9bda-2206ea1a8ed3",
  "service": {
    "id": "80da1c7e-5006-452e-b5a6-b09add7465ec"
  },
  "created_at": 1715827820,
  "tags": null,
  "name": "jwt",
  "enabled": true,
  "consumer": null,
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "config": {
    "uri_param_names": [
      "jwt"
    ],
    "cookie_names": [],
    "header_names": [
      "authorization"
    ],
    "claims_to_verify": [
      "exp"
    ],
    "maximum_expiration": 0,
    "run_on_preflight": true,
    "anonymous": null,
    "key_claim_name": "iss",
    "secret_is_base64": false
  },
  "route": null
}

ram-appsentinels avatar May 21 '24 05:05 ram-appsentinels
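As an added example (not code from Kong or from the reporter), the following self-contained Python harness mirrors the checks this config enables (key claim `iss`, the `exp` claim, an HMAC signature under the consumer's credential, and an algorithm pinned to the credential rather than read from the token) and replays the tampered-algorithm and tampered-signature tokens from the reproduction steps many times, so any bypass shows up as a non-zero accept count. It assumes an HS256 consumer credential; the secret and issuer values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-shared-secret"  # constructed; a real value is the consumer's JWT credential secret
ISS = "flask-consumer-key"  # constructed "iss" value; "iss" is the key_claim_name in the config above

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(alg="HS256", exp_offset=300) -> str:
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISS, "exp": int(time.time()) + exp_offset}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, expected_alg="HS256"):
    """Strict check modelled on the config above: pinned alg, HMAC signature, 'iss', then 'exp'."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except Exception:
        return False, "malformed"
    if header.get("alg") != expected_alg:  # never let the token choose the algorithm
        return False, "invalid alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "invalid signature"
    if claims.get("iss") != ISS:
        return False, "unknown iss"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= time.time():
        return False, "expired"
    return True, "ok"

def tamper_alg(token: str, new_alg: str) -> str:
    """Rewrite only the header alg, keeping payload and signature (the reported test)."""
    _, p, s = token.split(".")
    return b64url(json.dumps({"alg": new_alg, "typ": "JWT"}).encode()) + f".{p}.{s}"

def tamper_sig(token: str) -> str:
    """Keep header and payload, replace the signature with a wrong one."""
    h, p, _ = token.split(".")
    return f"{h}.{p}.{b64url(bytes(32))}"

def replay(tokens: dict, rounds: int = 1000) -> dict:
    """Verify each token `rounds` times; any accept of a tampered token is a bypass."""
    return {name: sum(verify(t)[0] for _ in range(rounds)) for name, t in tokens.items()}
```

Pointing the same replay loop at the gateway (one HTTP request per round instead of a `verify` call) turns it into a regression test for the reported behaviour, and the backend can run `verify` itself as a second check rather than relying on the gateway alone.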

@ram-appsentinels I'm not able to reproduce this. Can you provide all the reproduction steps: Kong configuration, consumer creation, JWT creation, etc.?

brentos avatar May 21 '24 18:05 brentos

This issue is marked as stale because it has been open for 14 days with no activity.

github-actions[bot] avatar Jun 05 '24 01:06 github-actions[bot]

Dear contributor,

We are automatically closing this issue because it has not seen any activity for three weeks. We're sorry that your issue could not be resolved. If any new information comes up that could help resolving it, please feel free to reopen it.

Your contribution is greatly appreciated!

Please have a look at our pledge to the community for more information.

Sincerely, Your Kong Gateway team

github-actions[bot] avatar Jun 12 '24 01:06 github-actions[bot]

Similar issue on my end; this is happening on 3.7.1, but it was working on 3.4.2.

dvidben avatar Oct 15 '24 22:10 dvidben