Cannot restrict routes to specific consumers via auth plugins

[shubhshah01]

Is there an existing issue for this?

• I have searched the existing issues

Kong version ($ kong version)

3.6

Current Behavior

Say I have 2 consumers each with one JWT credential configured. And I have 2 routes, now when i add JWT plugin for the route i cannot specify the consumer ID as it gives schema violation error (since in plugin schema its not allowed).
Hence the route is accessible by both consumers i.e. via both JWT token.

Expected Behavior

I want a route to be scoped to specfic consumer and if token received is not a valid token considering the scoped consumer, then it should block the request.

Steps To Reproduce

No response

Anything else?

No response

[StarlightIbuki]

@oowl This sounds like a bug fixed by you. Do you have any idea?

[shubhshah01]

@oowl do you have any insights or suggestions on how I could address this issue?

[Water-Melon]

Perhaps you could try using it with the ACL plugin to achieve this goal.

[alexzandershevchenko]

Facing the same issue. Any updates on this? If it's possible, either implement consumerRef/konghq.com/plugins support or aud (audience) field support

[thunder-spb]

Just want to add some more.

I have two namespaces: production and staging in one cluster. Even though I deploy 2 different JWT credentials to those namespaces, I can authenticate on prod with staging JWT and vice versa. This is not related to authorization/acl/etc! This is still authentication. So if I deploy creds and JWT plugin on namespace level, it should check creds in that namespace only. But JWT plugin do that globally?