-
Added consumer_claims to support mapping consumers from multiple claim paths, while retaining and supporting the existing consumer_claim as a shorthand configuration.
-
Marked issuers_allowed as a referenceable field.
-
Added jwks_endpoint configuration to override the discovered jwks_uri when a custom JWKS endpoint is required.
-
Marked fields issuer, extra_jwks_uris, and introspection_endpoint are now supported as vault references.
-
The authenticated token is now stored in the request context via kong.client.set_token.
-
Added upstream_headers and downstream_headers schema fields that support nested claims.
The previous upstream_headers_claims, upstream_headers_names, downstream_headers_claims,
and downstream_headers_names schema fields are now deprecated.
-
the ssl_verify(for verifying identity provider server certificate) and the session_memcached_ssl_verify(for verifying session storing memcached server certificate) option
are now enabled by default as well.
-
Added support for token exchange from multiple IdPs based on RFC8693.
-
Added WebSocket protocol support. This authentication plugin can now protect WebSocket connections (ws and wss protocols) in addition to HTTP/HTTPS. In hybrid mode, WebSocket protocol support for this plugin requires data planes running Kong Gateway 3.14 or later; for older data planes, ensure routes do not use ws/wss protocols, as their propagation will be blocked.