jwt-auth-context

jwt-auth-context validates JWTs, applies selected claim checks, and writes trusted claim values to upstream request headers.

It is intended to run before plugins that depend on authenticated user context, such as graph-context-enricher.

Installation

Install this plugin only

cd jwt-auth-context
luarocks make

Or install a built rock:

luarocks install kong-plugin-jwt-auth-context-1.0.0-1.all.rock

Enable it in Kong:

export KONG_PLUGINS=bundled,jwt-auth-context

Install through the bundle package

cd external_plugins
luarocks make kong-plugins-bundle-1.0.0-1.rockspec
export KONG_PLUGINS=bundled,jwt-auth-context

Infra Examples

Behavior

  • Extracts the token from the Authorization header, a cookie, or a query parameter, trying the sources in the order given by token_sources.
  • Fetches and caches JWKS from the configured endpoint.
  • Verifies signature, expiration, not-before, issuer, and audience.
  • Optionally enforces email_verified and a required role.
  • Clears any incoming copies of the upstream headers it owns, then writes trusted claim values into them.
  • Supports reject, pass, and redirect flows, chosen by the configured failure mode (missing token or invalid token).

Main Config Fields

  • jwks_url
  • jwks_cache_ttl_seconds
  • ssl_verify
  • expected_issuer
  • expected_audience
  • require_email_verified
  • required_role
  • on_missing_token
  • on_invalid_token
  • browser_redirect_url
  • browser_redirect_only
  • token_sources
  • cookie_name
  • query_param_name
  • custom_header_mappings

See schema.lua for the exact schema and defaults.
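The following Python is an added illustration, not the plugin's own code, of the request flow under Behavior together with the fields under Main Config Fields: token source order, the claim checks, clearing and then writing the owned headers, and the reject/pass/redirect outcomes. To run offline it stands in an HS256 shared-key check for the JWKS lookup; the header names, the allowed values of on_missing_token and on_invalid_token, the Accept-based browser detection, and every value in EXAMPLE_CFG are assumptions.

```python
import base64, hashlib, hmac, json
EXAMPLE_CFG = {  # constructed config using the README's field names; the values are assumptions
    "expected_issuer": "https://idp.example", "expected_audience": "api", "require_email_verified": True,
    "required_role": "reader", "on_missing_token": "redirect", "on_invalid_token": "reject",
    "browser_redirect_url": "https://idp.example/login", "browser_redirect_only": True,
    "token_sources": ["authorization", "cookie", "query"], "cookie_name": "access_token",
    "query_param_name": "token", "custom_header_mappings": {"sub": "X-User-Id", "roles": "X-User-Roles"},
}
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def make_token(claims, key):  # constructed HS256 token, stand-in for an IdP-issued, JWKS-verifiable one
    signing_input = _b64e(json.dumps({"alg": "HS256"}).encode()) + "." + _b64e(json.dumps(claims).encode())
    return signing_input + "." + _b64e(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
def extract_token(req, cfg):
    # Walk token_sources in the configured order; the first source holding a token wins.
    for src in cfg["token_sources"]:
        if src == "authorization" and req["headers"].get("Authorization", "").lower().startswith("bearer "): return req["headers"]["Authorization"][7:].strip()
        if src == "cookie" and req["cookies"].get(cfg["cookie_name"]): return req["cookies"][cfg["cookie_name"]]
        if src == "query" and req["query"].get(cfg["query_param_name"]): return req["query"][cfg["query_param_name"]]
    return None
def verify(token, key, cfg, now):
    # Signature first, then the claim checks the README lists; returns (claims, None) or (None, reason).
    try:
        head, payload, sig = token.split(".")
        good = hmac.compare_digest(hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest(), _b64d(sig))
        c = json.loads(_b64d(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None, "malformed token"
    if not good: return None, "bad signature"
    if not (c.get("nbf", 0) <= now < c.get("exp", 0)): return None, "outside validity window"
    if c.get("iss") != cfg["expected_issuer"]: return None, "wrong issuer"
    if cfg["expected_audience"] not in (c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]): return None, "wrong audience"
    if cfg["require_email_verified"] and c.get("email_verified") is not True: return None, "email not verified"
    if cfg["required_role"] and cfg["required_role"] not in c.get("roles", []): return None, "missing role"
    return c, None
def handle(req, cfg, key, now):
    token = extract_token(req, cfg)
    claims, reason = verify(token, key, cfg, now) if token else (None, "missing token")
    # Clear client-supplied copies of the headers this plugin owns before any branch, so they cannot be spoofed.
    upstream = {k: v for k, v in req["headers"].items() if k not in cfg["custom_header_mappings"].values()}
    if claims is None:
        mode = cfg["on_missing_token"] if token is None else cfg["on_invalid_token"]
        if mode == "redirect" and (not cfg["browser_redirect_only"] or "text/html" in req["headers"].get("Accept", "")):
            return {"action": "redirect", "location": cfg["browser_redirect_url"], "reason": reason}
        if mode == "pass": return {"action": "pass", "headers": upstream, "reason": reason}
        return {"action": "reject", "status": 401, "reason": reason}
    for claim, header in cfg["custom_header_mappings"].items():
        if claim in claims: upstream[header] = ",".join(map(str, claims[claim])) if isinstance(claims[claim], list) else str(claims[claim])
    return {"action": "pass", "headers": upstream, "reason": None}
```

Note that in the pass-on-invalid branch the upstream request still reaches the service with the owned headers removed, so a downstream plugin such as graph-context-enricher never sees a client-forged identity.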