Home / Kong Plugin Hub
Edit
Report

OpenID Connect

Enterprise only
Overview Examples Configuration reference Changelog API reference
Related Documentation
Gateway Documentation
Made by
Kong Inc.
Supported Gateway Topologies
hybrid db-less traditional
Supported Konnect Deployments
hybrid cloud-gateways serverless
Compatible Protocols
grpc grpcs http https
Minimum Version
Kong Gateway - 1.0
Tags
#authentication
Related Resources
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect tutorials

3.13.0.0

Release date 2025/12/18

Feature

  • added support to the tls_certificate_verify global option. When this option is enabled the plugin’s flags ssl_verify, tls_client_auth_ssl_verify, and session_memcached_ssl_verify cannot be disabled.

  • added the flags session_memcached_ssl and session_memcached_ssl_verify to switch certificate verification when connecting to Memcached server.

Bugfix

  • Fixed an issue where for incremental sync, consumer related caches may not be properly invalidated, causing stale data to be served.

  • Fixed an issue where the issuer mismatch error message for the token’s iss claim did not reflect the correct token type and expected issuers.

  • Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.

  • Improved claim validation logic to correctly handle timestamp claims (exp, nbf, iat) even when provided as non-numeric types.

  • Fixed an issue where TLS client certificate loading failed in non-default workspaces. The certificate lookup now explicitly specifies the plugin’s workspace when querying the database during configuration initialization.

3.12.0.1

Release date 2025/11/18

Bugfix

  • Fixed an issue where for incremental sync, consumer related caches may not be properly invalidated, causing stale data to be served.

  • Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.

3.12.0.0

Release date 2025/10/01

Feature

  • Added support for session binding (IP, scheme, and/or User-Agent header).

  • Added support for claim to consumer groups mapping.

Bugfix

  • Fixed an issue where upstream_session_id_header and downstream_session_id_header mistakenly required the downstream_headers_claims and downstream_headers_names to be present.

3.11.0.6

Release date 2025/11/03

Bugfix

  • Fixed an issue where for incremental sync, consumer related caches may not be properly invalidated, causing stale data to be served.

  • Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.

3.11.0.0

Release date 2025/07/03

Bugfix

  • Fixed an issue where caused IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the uri path contained spaces.

  • Fixed an issue where the OIDC plugin caused the third-party IDP to throw an error during logout attempts if the session had already been invalidated. Added the client_id to the logout URL to ensure the logout request is sent to the correct client, preventing such errors.

Performance

  • improved the performance of signature verification.

3.10.0.7

Release date 2025/12/09

Bugfix

  • Fixed an issue where for incremental sync, consumer related caches may not be properly invalidated, causing stale data to be served.

  • Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.

  • Fixed an issue where the OIDC plugin caused the third-party IDP to throw an error during logout attempts if the session had already been invalidated. Added the client_id to the logout URL to ensure the logout request is sent to the correct client, preventing such errors.

3.10.0.2

Release date 2025/05/20

Bugfix

  • Fixed an issue which caused an IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the URI path contained spaces.

3.10.0.0

Release date 2025/03/27

Breaking Change

  • Fixed an issue where forbidden requests were redirected to unauthorized_redirect_uri if configured. After the fix, forbidden requests will be redirected to forbidden_redirect_uri if configured.

Performance

  • Removed issuer discovery from schema to improve performance upon plugin initialization or updating. The issuer discovery will only be triggerd by client requests.

3.9.1.2

Release date 2025/07/07

Bugfix

  • Fixed an issue where caused IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the uri path contained spaces.

3.9.0.0

Release date 2024/12/12

Feature

  • Allowed http_proxy_authorization and https_proxy_authorization to be referenceable.

  • Added the introspection_post_args_client_headers config option, allowing you to pass client headers as introspection POST body arguments.

Bugfix

  • Fixed an 500 error caused by JSON null from the request body when parsing bearer tokens or client IDs.

  • Fixed an issue where the configured Redis database was ignored.

  • Fixed an issue where the token_cache_key_include_scope feature was not considering scopes defined via config.scopes to generate the cache key.

3.8.1.2

Release date 2025/07/02

Bugfix

  • Fixed an 500 error caused by JSON null from the request body when parsing bearer tokens or client IDs.

  • Fixed an issue where caused IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the uri path contained spaces.

3.8.0.0

Release date 2024/09/11

Deprecation

  • Standardized Redis configuration across plugins. The Redis configuration now follows a common schema shared with other plugins.

Feature

  • Added claims_forbidden property to restrict access.

  • Added support for redis cache for introspection result with new fields cluster_cache_strategy and cluster_cache_redis. When configured, the plugin will share the tokens introspection responses cache across nodes configured to use the same Redis Database.

Bugfix

  • Fixed a bug where anonymous consumers may be cached as nil under a certain condition.

  • Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.

  • Fixed an issue where using_pseudo_issuer does not work when patching.

3.7.1.0

Release date 2024/06/18

Bugfix

  • Fixed a bug where anonymous consumers may be cached as nil under a certain condition.

3.7.0.0

Release date 2024/05/28

Feature

  • Added support for DPoP (Demonstrating Proof-of-Possession) tokens validation. The feature is available by enabling proof_of_possession_dpop

  • Add support for JWT Secured Authorization Requests (JAR) on Authorization and Pushed Authorization (PAR) endpoints, see: config.require_signed_request_object

  • Add support for JARM response modes: query.jwt, form_post.jwt, fragment.jwt, jwt

3.6.1.5

Release date 2024/06/18

Bugfix

  • Fixed a bug where anonymous consumers may be cached as nil under a certain condition.

3.6.0.0

Release date 2024/02/12

Feature

  • configurations scopes, login_redirect_uri, logout_redirect_uri can now be referenced as a secret in the Kong Vault

  • extend token_post_args_client to support injection from headers

  • add support for explicit proof key for code exchange (PKCE).

  • add support for pushed authorization requests (PAR).

  • Support the tls_client_auth and self_signed_tls_client_auth auth methods in the OpenID Connect plugin, allowing to do mTLS Client Authentication with the IdP.

Bugfix

  • Mark the introspection_headers_values in the openid-connect plugin as an encrypted and referenceable field

  • Fix logout uri suffix detection by using normalized version of kong.request.get_forwarded_path() instead of ngx.var.request_uri (especially when passing query strings to logout)

  • remove unwanted argument ignore_signature.userinfo from the userinfo_load function

  • support for consumer group scoping by using pdk kong.client.authenticate function

  • fix the cache key collision when config issuer and extra_jwks_uris contain the same uri

  • Correctly handle boundary conditions for token expiration time checking

  • update time when calculating token expire

3.5.0.5

Release date 2024/06/18

Bugfix

  • Fixed a bug where anonymous consumers may be cached as nil under a certain condition.

3.5.0.4

Release date 2024/05/20

Bugfix

  • Mark the introspection_headers_values in the openid-connect plugin as an encrypted and referenceable field

  • support for consumer group scoping by using pdk kong.client.authenticate function

3.5.0.2

Release date 2023/12/21

Feature

  • Openid-Connect configurations scopes, login_redirect_uri, logout_redirect_uri can now be referenced as a secret in the Kong Vault

  • extend token_post_args_client to support injection from headers

Bugfix

  • Fix logout uri suffix detection by using normalized version of kong.request.get_forwarded_path() instead of ngx.var.request_uri (especially when passing query strings to logout)

  • update time when calculating token expire

3.5.0.0

Release date 2023/11/08

Feature

  • New field unauthorized_destroy_session, which when set to true, we destory the session (delete the user’s session cookie) when the request is unauthorized. Default to true. Set to false to preserve the session.

  • New field using_pseudo_issuer. When set to true, the plugin instance will not discover configuration from the issuer.

  • ‘openid-connect’ plugin now supports public client

  • Fix when the Dev portal OIDC is enabled, a 500 error is thrown when the administrator login successfully and then retrieves the session

  • OpenID-Connect now support designate parameter name of token for introspection and revocation with introspection_token_param_name and revocation_token_param_name respectively.

Bugfix

  • Fix issue on token revocation on logout where the code was revoking refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.

  • Fix the issue where using_pseudo_issuer does not work.

Dependency

  • bump the dependency kong-openid-connect of oidc plugin from 2.5.5 to 2.5.7.

3.4.3.22

Release date 2025/11/24

Bugfix

  • Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.

  • OpenID Connect Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.

3.4.3.20

Release date 2025/06/25

Bugfix

  • Fixed an 500 error caused by receiving a JSON null from the request body when parsing bearer tokens or client IDs.

3.4.3.18

Release date 2025/04/29

Bugfix

  • Fixed an issue which caused IdPs to report invalid redirect_uri errors when config.redirect_uri was not configured and the URI path contained spaces.

3.4.3.9

Release date 2024/06/08

Bugfix

  • Fixed a bug where anonymous consumers may be cached as nil under a certain condition.

3.4.3.5

Release date 2024/03/21

Bugfix

  • Mark the introspection_headers_values in the openid-connect plugin as an encrypted and referenceable field

  • support for consumer group scoping by using pdk kong.client.authenticate function

3.4.3.1

Release date 2023/12/15

Feature

  • configurations scopes, login_redirect_uri, logout_redirect_uri can now be referenced as a secret in the Kong Vault

  • extend token_post_args_client to support injection from headers

  • Fix when the Dev portal OIDC is enabled, a 500 error is thrown when the administrator login successfully and then retrieves the session

Bugfix

  • update time when calculating token expire

3.4.2.0

Release date 2023/11/10

Bugfix

  • Fix the issue where using_pseudo_issuer does not work.

3.4.1.0

Release date 2023/09/28

Feature

  • New field unauthorized_destroy_session, which when set to true, we destory the session (delete the user’s session cookie) when the request is unauthorized. Default to true. Set to false to preserve the session.

  • New field using_pseudo_issuer. When set to true, the plugin instance will not discover configuration from the issuer.

Bugfix

  • Fix issue on token revocation on logout where the code was revoking refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.

3.4.0.0

Release date 2023/08/09

Feature

  • This plugin now supports the error reason header. This header can be turned off by setting expose_error_code to false.

  • OpenID Connect now supports adding scope to the token cache key by setting token_cache_key_include_scope to true.

Bugfix

  • Changed some log levels from notice to error for better visibility.

  • Correctly set the right table key on log and message.

  • If an invalid opaque token is provided but verification fails, the plugin now prints the correct error.

3.2.2.4

Release date 2023/09/15

Bugfix

  • Correctly set the right table key on log and message.

  • If an invalid opaque token is provided but verification fails, print the correct error.

3.2.1.0

Release date 2023/02/28

Feature

Bugfix

  • Fixed an issue where it was not possible to specify an anonymous consumer by name.

  • Fixed an issue where the authorization_cookie_httponly and session_cookie_httponly parameters would always be set to true, even if they were configured as false.

3.1.0.0

Release date 2022/12/06

Feature

  • The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.

3.0.0.0

Release date 2022/09/09

Bugfix

  • Fixed an issue with kong_oauth2 consumer mapping.

Breaking Change

  • Updated the priority for some plugins.: openid-connect changed from 1000 to 1050

2.8.4.6

Release date 2024/01/17

Bugfix

  • update time when calculating token expire

2.8.4.5

Release date 2023/11/28

Feature

  • New field unauthorized_destroy_session, which when set to true, we destory the session (delete the user’s session cookie) when the request is unauthorized. Default to true. Set to false to preserve the session.

Bugfix

  • Fix issue on token revocation on logout where the code was revoking refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.

2.8.4.3

Release date 2023/09/18

Bugfix

  • If an invalid opaque token is provided but verified failed, print the correct error.

2.8.2.0

Release date 2022/10/12

Bugfix

  • Fixed issues with OIDC role mapping where admins couldn’t be added to more than one workspace, and permissions were not being updated.

2.8.1.0

Release date 2022/04/07

Bugfix

  • Provide valid upstream headers e.g. X-Consumer-Id, X-Consumer-Username

2.8.0.0

Release date 2022/03/02

Feature

  • Added Redis ACL support (Redis v6.0.0+) for storing and retrieving a session. Use the session_redis_username and session_redis_password configuration parameters to configure it.

    These parameters replace the session_redis_auth field, which is now deprecated and planned to be removed in 3.x.x.

  • Added support for distributed claims. Set the resolve_distributed_claims configuration parameter to true to tell OIDC to explicitly resolve distributed claims.

    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims.

  • Beta feature: The client_id, client_secret, session_secret, session_redis_username, and session_redis_password configuration fields are now marked as referenceable, which means they can be securely stored assecretsin a vault. References must follow a specific format.

Bugfix

  • Fixed negative caching, which was loading wrong a configuration value.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support