
Undefined behavior when multiple JWTs are provided using different methods #11796

mikeholler opened this issue Oct 19, 2023 · 5 comments
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... plugins/jwt

Comments

@mikeholler

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

3.4.2

Current Behavior

The behavior of supplying two JWTs in one request is completely undefined in documentation.

Expected Behavior

There should be well-defined and deterministic behavior around requests that include more than one JWT.

Steps To Reproduce

The Kong JWT plugin describes three ways to provide JWTs: a cookie, a query string parameter, or a header. Unfortunately, it doesn't describe what happens when multiple are provided.

Take the following config:

config:
  uri_param_names:
    - token1
    - token2
  header_names:
    - token3
    - token4
  cookie_names:
    - token5
    - token6

What happens when all locations are populated by a valid (but different) token? What is the priority on the order they are resolved and tested? What if an invalid token is found? Does it go through invalid tokens until it finds one invalid token (or runs out) or does it fail fast on the first invalid token?

We'd like to include this documentation in our product, but as it isn't documented in Kong, this is challenging, and the contract may change at any point in time as it is not documented.

Anything else?

No response

@Atharva1723

Can I work on this?

@nowNick nowNick self-assigned this Oct 23, 2023

nowNick commented Oct 23, 2023

Hi @mikeholler, thank you for reporting this!

Indeed the documentation could be a little bit clearer when it comes to how multiple JWTs are handled. We should probably pull all of this info into one place, but just to quickly answer your question: Kong rejects requests with multiple different JWT tokens. Sending a request with more than one (but different) JWTs will result in: 401 with error message: Multiple tokens provided.

This is desired behaviour since otherwise it introduces a security issue known as JWT smuggling. If Kong proxies a request with multiple tokens when only some of them are valid, the upstream can assume that all of the passed tokens are correct and grant undeserved privileges.
This change was introduced in 3.2 (and backported to earlier versions): https://github.com/Kong/kong/blob/master/CHANGELOG.md#breaking-changes-2

When it comes to the order of lookup it goes like this:

  1. query parameter
  2. cookie
  3. header

It's documented, but in the code: https://github.com/Kong/kong/blob/master/kong/plugins/jwt/handler.lua#L22


Saying all this, I think we could bring all of this info together and explicitly state the order of JWT lookup places in the docs, as well as mention what happens when multiple tokens are provided (i.e. an error is returned: 401, { "message": "Multiple tokens provided" }).

I'll notify the docs team to make appropriate changes.

Please let me know if there's anything else you need help with :)
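The lookup order and the multiple-token rule described in this comment, as an added Python model of the gateway decision (this is not Kong's Lua handler; the config names are the ones from the issue, while the "Unauthorized" body for a missing token and the Bearer-prefix handling are assumptions of this example):

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed stand-in for the plugin config quoted in the issue.
CONFIG = {
    "uri_param_names": ["token1", "token2"],
    "header_names": ["token3", "token4"],
    "cookie_names": ["token5", "token6"],
}


@dataclass
class Request:
    query: str = ""                                  # raw query string
    cookies: dict = field(default_factory=dict)      # cookie name -> value
    headers: dict = field(default_factory=dict)      # lower-cased header name -> value


def collect_tokens(req, config):
    """Return every token found, walking the locations in the order the
    maintainer states: query parameter first, then cookie, then header."""
    found = []
    params = parse_qs(req.query)
    for name in config["uri_param_names"]:
        found.extend(params.get(name, []))
    for name in config["cookie_names"]:
        if name in req.cookies:
            found.append(req.cookies[name])
    for name in config["header_names"]:
        value = req.headers.get(name.lower())
        if value:
            # Assumption: accept both "Bearer <jwt>" and a bare token value.
            parts = value.split()
            bearer = len(parts) == 2 and parts[0].lower() == "bearer"
            found.append(parts[1] if bearer else value)
    return found


def resolve_token(req, config=CONFIG):
    """Decide as the gateway would: (status, body). Two or more *different*
    tokens are rejected outright, which is what blocks JWT smuggling; the
    same token repeated in several locations is not treated as a conflict."""
    tokens = collect_tokens(req, config)
    distinct = set(tokens)
    if len(distinct) > 1:
        return 401, {"message": "Multiple tokens provided"}
    if not distinct:
        return 401, {"message": "Unauthorized"}   # assumed body for a missing token
    return 200, {"token": tokens[0]}
```

Note that the rejection happens before any token is verified, so a valid token alongside a bogus one still yields 401 rather than a pass-through for the upstream to sort out.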

@nowNick nowNick added pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... plugins/jwt labels Oct 23, 2023

nowNick commented Oct 23, 2023

Also @Atharva1723, thank you so much for your interest, but I don't think this needs fixing, other than improving the docs.

@mikeholler
Author

Thanks @nowNick, this is exactly the information I was looking for. Token smuggling as a concern makes a lot of sense to me, and I'll be glad to add that information to our documentation.


nowNick commented Oct 24, 2023

That's great to hear @mikeholler. I'm going to close this issue then, but feel free to reopen it if you need anything else related to it.

@nowNick nowNick closed this as completed Oct 24, 2023