Release date 2025/11/18
Fixed an issue where for incremental sync, consumer related caches may not be properly invalidated, causing stale data to be served.
Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.
Release date 2025/10/01
Added support for session binding (IP, scheme, and/or User-Agent header).
Added support for claim to consumer groups mapping.
Fixed an issue where upstream_session_id_header and downstream_session_id_header mistakenly required the downstream_headers_claims and downstream_headers_names to be present.
Release date 2025/11/03
Fixed an issue where for incremental sync, consumer related caches may not be properly invalidated, causing stale data to be served.
Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.
Release date 2025/07/03
Fixed an issue where caused IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the uri path contained spaces.
Fixed an issue where the OIDC plugin caused the third-party IDP to throw an error during logout attempts if the session had already been invalidated.
Added the client_id to the logout URL to ensure the logout request is sent to the correct client, preventing such errors.
improved the performance of signature verification.
Release date 2025/05/20
Fixed an issue which caused an IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the URI path contained spaces.
Release date 2025/03/27
Fixed an issue where forbidden requests were redirected to unauthorized_redirect_uri if configured. After the fix, forbidden requests will be redirected to forbidden_redirect_uri if configured.
Removed issuer discovery from schema to improve performance upon plugin initialization or updating. The issuer discovery will only be triggerd by client requests.
Release date 2025/07/07
Fixed an issue where caused IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the uri path contained spaces.
Release date 2024/12/12
Allowed http_proxy_authorization and https_proxy_authorization to be referenceable.
Added the introspection_post_args_client_headers config option,
allowing you to pass client headers as introspection POST body arguments.
Fixed an 500 error caused by JSON null from the request body when parsing bearer tokens or client IDs.
Fixed an issue where the configured Redis database was ignored.
Fixed an issue where the token_cache_key_include_scope feature was not considering scopes defined via config.scopes to generate the cache key.
Release date 2025/07/02
Fixed an 500 error caused by JSON null from the request body when parsing bearer tokens or client IDs.
Fixed an issue where caused IdP to report invalid redirect_uri errors when config.redirect_uri was not configured and the uri path contained spaces.
Release date 2024/09/11
Standardized Redis configuration across plugins. The Redis configuration now follows a common schema shared with other plugins.
Added claims_forbidden property to restrict access.
Added support for redis cache for introspection result with new fields cluster_cache_strategy and cluster_cache_redis. When configured, the plugin will share the tokens introspection responses cache across nodes configured to use the same Redis Database.
Fixed a bug where anonymous consumers may be cached as nil under a certain condition.
Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.
Fixed an issue where using_pseudo_issuer does not work when patching.
Release date 2024/06/18
Fixed a bug where anonymous consumers may be cached as nil under a certain condition.
Release date 2024/05/28
Added support for DPoP (Demonstrating Proof-of-Possession) tokens validation. The feature is available by enabling proof_of_possession_dpop
Add support for JWT Secured Authorization Requests (JAR) on Authorization and Pushed Authorization (PAR) endpoints, see: config.require_signed_request_object
Add support for JARM response modes: query.jwt, form_post.jwt, fragment.jwt, jwt
Release date 2024/06/18
Fixed a bug where anonymous consumers may be cached as nil under a certain condition.
Release date 2024/02/12
configurations scopes, login_redirect_uri, logout_redirect_uri can now be referenced as a secret in the Kong Vault
extend token_post_args_client to support injection from headers
add support for explicit proof key for code exchange (PKCE).
add support for pushed authorization requests (PAR).
Support the tls_client_auth and self_signed_tls_client_auth auth methods in the OpenID Connect plugin, allowing to do mTLS Client Authentication with the IdP.
Mark the introspection_headers_values in the openid-connect plugin as an encrypted and referenceable field
Fix logout uri suffix detection by using normalized version of kong.request.get_forwarded_path() instead of ngx.var.request_uri (especially when passing query strings to logout)
remove unwanted argument ignore_signature.userinfo from the userinfo_load function
support for consumer group scoping by using pdk kong.client.authenticate function
fix the cache key collision when config issuer and extra_jwks_uris contain the same uri
Correctly handle boundary conditions for token expiration time checking
update time when calculating token expire
Release date 2024/06/18
Fixed a bug where anonymous consumers may be cached as nil under a certain condition.
Release date 2024/05/20
Mark the introspection_headers_values in the openid-connect plugin as an encrypted and referenceable field
support for consumer group scoping by using pdk kong.client.authenticate function
Release date 2023/12/21
Openid-Connect configurations scopes, login_redirect_uri, logout_redirect_uri can now be referenced as a secret in the Kong Vault
extend token_post_args_client to support injection from headers
Fix logout uri suffix detection by using normalized version of kong.request.get_forwarded_path() instead of ngx.var.request_uri (especially when passing query strings to logout)
update time when calculating token expire
Release date 2023/11/08
New field unauthorized_destroy_session, which when set to true, we destory the session (delete the user’s session cookie) when the request is unauthorized. Default to true. Set to false to preserve the session.
New field using_pseudo_issuer. When set to true, the plugin instance will not discover configuration from the issuer.
‘openid-connect’ plugin now supports public client
Fix when the Dev portal OIDC is enabled, a 500 error is thrown when the administrator login successfully and then retrieves the session
OpenID-Connect now support designate parameter name of token for introspection and revocation with introspection_token_param_name and revocation_token_param_name respectively.
Fix issue on token revocation on logout where the code was revoking refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.
Fix the issue where using_pseudo_issuer does not work.
bump the dependency kong-openid-connect of oidc plugin from 2.5.5 to 2.5.7.
Release date 2025/11/24
Fixed an issue where the client_credentials/authorization_code auth would not auto-recover if IdP was not accessible during Kong startup.
OpenID Connect Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.
Release date 2025/06/25
Fixed an 500 error caused by receiving a JSON null from the request body when parsing bearer tokens or client IDs.
Release date 2025/04/29
Fixed an issue which caused IdPs to report invalid redirect_uri errors when config.redirect_uri was not configured and the URI path contained spaces.
Release date 2024/06/08
Fixed a bug where anonymous consumers may be cached as nil under a certain condition.
Release date 2024/03/21
Mark the introspection_headers_values in the openid-connect plugin as an encrypted and referenceable field
support for consumer group scoping by using pdk kong.client.authenticate function
Release date 2023/12/15
configurations scopes, login_redirect_uri, logout_redirect_uri can now be referenced as a secret in the Kong Vault
extend token_post_args_client to support injection from headers
Fix when the Dev portal OIDC is enabled, a 500 error is thrown when the administrator login successfully and then retrieves the session
update time when calculating token expire
Release date 2023/09/28
New field unauthorized_destroy_session, which when set to true, we destory the session (delete the user’s session cookie) when the request is unauthorized. Default to true. Set to false to preserve the session.
New field using_pseudo_issuer. When set to true, the plugin instance will not discover configuration from the issuer.
Fix issue on token revocation on logout where the code was revoking refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.
Release date 2023/08/09
This plugin now supports the error reason header. This header can be turned off by setting expose_error_code to false.
OpenID Connect now supports adding scope to the token cache key by setting token_cache_key_include_scope to true.
Changed some log levels from notice to error for better visibility.
Correctly set the right table key on log and message.
If an invalid opaque token is provided but verification fails, the plugin now prints the correct error.
Release date 2023/09/15
Correctly set the right table key on log and message.
If an invalid opaque token is provided but verification fails, print the correct error.
Release date 2023/02/28
These plugins now use lua-resty-session v4.0.0.
This update includes new session functionalities such as configuring audiences to manage multiple sessions in a single cookie, global timeout, and persistent cookies.
Due to this update, there are also a number of deprecated and removed parameters in these plugins. See the invidividual plugin documentation for the full list of changed parameters in each plugin.
Improved Plugin Documentation: Revised docs for the following plugins to include examples:
Improved Plugin Documentation: OpenID Connect
Fixed an issue where it was not possible to specify an anonymous consumer by name.
Fixed an issue where the authorization_cookie_httponly and session_cookie_httponly parameters would always be set to true, even if they were configured as false.
Release date 2022/12/06
The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.
Release date 2022/09/09
Fixed an issue with kong_oauth2 consumer mapping.
Updated the priority for some plugins.: openid-connect changed from 1000 to 1050
Release date 2023/11/28
New field unauthorized_destroy_session, which when set to true, we destory the session (delete the user’s session cookie) when the request is unauthorized. Default to true. Set to false to preserve the session.
Fix issue on token revocation on logout where the code was revoking refresh token when it was supposed to revoke access token when using the discovered revocation endpoint.
Release date 2023/09/18
If an invalid opaque token is provided but verified failed, print the correct error.
Release date 2022/10/12
Fixed issues with OIDC role mapping where admins couldn’t be added to more than one workspace, and permissions were not being updated.
Release date 2022/04/07
Provide valid upstream headers e.g. X-Consumer-Id, X-Consumer-Username
Release date 2022/03/02
Added Redis ACL support (Redis v6.0.0+) for storing and retrieving a session. Use the session_redis_username and session_redis_password configuration parameters to configure it.
These parameters replace the
session_redis_authfield, which is now deprecated and planned to be removed in 3.x.x.
Added support for distributed claims. Set the resolve_distributed_claims configuration parameter to true to tell OIDC to explicitly resolve distributed claims.
Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims.
Beta feature: The client_id, client_secret, session_secret, session_redis_username, and session_redis_password configuration fields are now marked as referenceable, which means they can be securely stored assecretsin a vault. References must follow a specific format.
Fixed negative caching, which was loading wrong a configuration value.