Kong / kubernetes-ingress-controller

:gorilla: Kong for Kubernetes: The official Ingress Controller for Kubernetes.
https://docs.konghq.com/kubernetes-ingress-controller/
Apache License 2.0

Multiple JWT Secrets Causing "Invalid Signature" Due to Incorrect Validation Order in KongConsumer #6492

Open yang-wang11 opened 1 month ago

yang-wang11 commented 1 month ago


Current Behavior

I’ve encountered an issue with the JWT plugin when using multiple secrets under a KongConsumer during JWT signing key rotation. Kong appears to process the secrets in reverse order (from bottom to top in the credentials list). If the first (bottom) secret is close to expiration but still technically valid, Kong will validate it first and ignore newer secrets, leading to an "Invalid signature" error once that secret expires. All these K8s secrets have the same issuer (`.data.key`).

Expected Behavior

Kong should search for a valid secret for JWT token validation, rather than using the fixed order.

Steps To Reproduce

1. Configure a KongConsumer with multiple JWT secrets:

   ```yaml
   apiVersion: configuration.konghq.com/v1
   credentials:
    - new-jwt-secret
    - old-jwt-secret
   kind: KongConsumer
   metadata:
     name: kc
   username: username
   ```

2. Add a JWT plugin to validate requests against the consumer:

   ```yaml
   apiVersion: configuration.konghq.com/v1
   kind: KongPlugin
   metadata:
     name: default-jwt
   plugin: jwt
   ```

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     annotations:
       konghq.com/plugins: default-jwt
       konghq.com/preserve-host: "false"
       kubernetes.io/ingress.class: kong
   ```

3. Once the old-jwt-secret has expired, Kong still attempts to validate it first.

4. Requests return "Invalid signature" errors even though the credentials contain new-jwt-secret.

Kong Ingress Controller version

2.9.3

Kubernetes version

Client Version: v1.31.0
Server Version: v1.29.3

Anything else?

No response
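To make the reported ordering problem concrete, here is an added Python model of the two lookup strategies (not Kong's or KIC's own code): constructed HS256 credentials that share one `key`, a `verify_first_match` that stops at the first credential whose key matches the token's `iss` claim (the fixed-order behaviour described in the report), and a `verify_any_match` that tries every matching credential (the behaviour the report asks for). The credential names, key and secret values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT (minimal, for the demonstration only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def issuer_of(token: str) -> str:
    return json.loads(b64url_decode(token.split(".")[1]))["iss"]


# Constructed credentials: both share the same key (issuer), as in the report.
# List order models the KongConsumer credentials list.
CREDENTIALS = [
    {"name": "new-jwt-secret", "key": "my-issuer", "secret": "new-secret-value"},
    {"name": "old-jwt-secret", "key": "my-issuer", "secret": "old-secret-value"},
]


def verify_first_match(token: str, credentials: list) -> bool:
    """Fixed order: only the first credential whose key matches `iss` is tried."""
    iss = issuer_of(token)
    for cred in credentials:
        if cred["key"] == iss:
            return verify_hs256(token, cred["secret"])
    return False


def verify_any_match(token: str, credentials: list) -> bool:
    """Try every credential whose key matches `iss`; accept if any signature verifies."""
    iss = issuer_of(token)
    return any(verify_hs256(token, c["secret"]) for c in credentials if c["key"] == iss)
```

With the old secret listed first, a token signed by the new secret fails under `verify_first_match` but passes under `verify_any_match`; a token signed by an unknown secret fails under both.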

randmonkey commented 1 day ago

@yang-wang11 KIC's webhook will validate ALL credentials configured in a KongConsumer. If any of the credentials is invalid, KIC will reject this KongConsumer. If you want to rotate the JWT key in a KongConsumer, please remove the old-jwt-secret when you enable the new JWT key in the new secret.