
JWT Plugin bypasses validation process occasionally on frequent requests #13050

Closed
1 task done
ram-appsentinels opened this issue May 20, 2024 · 5 comments
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... stale

Comments

@ram-appsentinels

ram-appsentinels commented May 20, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

2.8.1

Current Behavior

Dear Team,
I’m currently running Kong within a Docker container, along with the JWT plugin. My setup involves a Flask web server operating behind Kong, with JWT validation enabled at the Kong level. When I send a request via Postman with an invalid-signature bearer token or an invalid algorithm, I receive an “Invalid alg or invalid signature” response. However, on frequent requests, I’ve observed occasional bypassing of the validation process on Kong's side, and the request reaches my Flask server.
Thanks in Advance.

Expected Behavior

It should throw an exception.

Steps To Reproduce

Took a valid bearer token, made a request, and it passed through. With the same valid token, I manually tampered with the token, making the algorithm invalid, and made a request using Postman. The initial request got an exception, but on frequent requests it occasionally gets bypassed.

Anything else?

No response
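Whatever the gateway does on a given request, the backend behind it can re-check the token itself rather than trusting that the plugin ran. The block below is an added example, not Kong's or the reporter's code: a minimal HS256 verifier that pins the algorithm (so a header rewritten to "none" or another alg is rejected before any signature comparison), checks `exp`, and re-runs the rejection many times to show that a correct verifier never lets a tampered token through. The secret, claims and helper names are constructed for the example.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"example-shared-secret"  # constructed; a real deployment uses the consumer's secret


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims if the token is valid, else None. The alg is pinned to
    HS256: the header is never allowed to choose the verification method."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(p))
        if "exp" in claims and now >= int(claims["exp"]):
            return None
        return claims
    except (ValueError, TypeError):  # malformed base64, JSON or segment count
        return None


def with_alg(token: str, alg: str) -> str:
    """Negative test vector: rewrite the header alg and keep the original signature,
    the kind of manual tampering the report describes."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    header["alg"] = alg
    new_h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{new_h}.{p}.{s}"


def rejection_is_consistent(token: str, secret: bytes, now: int, rounds: int = 1000) -> bool:
    """Repeat verification many times; a correct verifier rejects on every round."""
    return all(verify_hs256(token, secret, now) is None for _ in range(rounds))
```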

@brentos
Contributor

brentos commented May 20, 2024

@ram-appsentinels Could you share your JWT plugin config?

@ram-appsentinels
Author

Sure @brentos

{
  "id": "336655f6-f9cf-406e-9bda-2206ea1a8ed3",
  "service": {
    "id": "80da1c7e-5006-452e-b5a6-b09add7465ec"
  },
  "created_at": 1715827820,
  "tags": null,
  "name": "jwt",
  "enabled": true,
  "consumer": null,
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "config": {
    "uri_param_names": [
      "jwt"
    ],
    "cookie_names": [],
    "header_names": [
      "authorization"
    ],
    "claims_to_verify": [
      "exp"
    ],
    "maximum_expiration": 0,
    "run_on_preflight": true,
    "anonymous": null,
    "key_claim_name": "iss",
    "secret_is_base64": false
  },
  "route": null
}

@brentos
Contributor

brentos commented May 21, 2024

@ram-appsentinels I'm not able to reproduce this, can you provide all reproduction steps? Kong configuration, consumer creation, jwt creation, etc?

@chronolaw chronolaw added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label May 22, 2024
Contributor

github-actions bot commented Jun 5, 2024

This issue is marked as stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale label Jun 5, 2024
Contributor

Dear contributor,

We are automatically closing this issue because it has not seen any activity for three weeks.
We're sorry that your issue could not be resolved. If any new information comes up that could
help resolving it, please feel free to reopen it.

Your contribution is greatly appreciated!

Please have a look at our pledge to the community for more information.

Sincerely,
Your Kong Gateway team

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 12, 2024