The error:
no credentials found for given iss
in the Kong OIDC plugin means:
Kong received a token or request with an issuer (iss) claim, but it cannot find a matching configuration for that issuer.
🔍 Why This Happens
This usually occurs in one of these scenarios:
1. Missing or Incorrect config.issuer in the OIDC plugin
- You did not set the exact issuer URL from Ping Identity in the plugin config.
- Or you set it, but it’s spelled or formatted differently than what’s in the JWT’s iss claim.
Example:
If the token contains:
"iss": "https://auth.pingone.com/12345/as"
Then your OIDC plugin must be configured with:
config.issuer=https://auth.pingone.com/12345/as
2. Wrong Discovery Document
Kong uses the issuer to retrieve:
<issuer>/.well-known/openid-configuration
If the URL is incorrect or inaccessible, it can’t discover metadata and fails.
3. Token Issuer Doesn’t Match Plugin Config
- You’re sending a JWT token manually (e.g., in Authorization: Bearer) and it’s not issued by the issuer you configured.
- Kong expects the iss claim to match the config.issuer.
✅ Fix Steps
Step 1: Extract the Token’s Issuer
Run:
jwt decode <your-token>
Or paste the JWT into jwt.io and check the iss field.
Step 2: Update Plugin Config
Ensure the OIDC plugin config matches the exact iss value:
curl -X PATCH http://localhost:8001/plugins/<plugin-id> \
--data "config.issuer=https://auth.pingone.com/12345/as"
Or if creating fresh:
curl -X POST http://localhost:8001/services/my-service/plugins \
--data "name=openid-connect" \
--data "config.issuer=https://auth.pingone.com/12345/as" \
...
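An added example, not part of the original page or of Kong's code: it decodes the token locally to read iss (so the token stays on your machine) and compares it with the value you set in config.issuer. The function names and the mismatch categories are assumptions chosen for illustration, and the sample token is constructed.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT locally (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_issuer(token: str, configured_issuer: str) -> str:
    """Compare the token's iss claim with config.issuer and name the difference."""
    iss = jwt_claims(token).get("iss")
    if not isinstance(iss, str):
        return "token has no usable iss claim"
    if iss == configured_issuer:
        return "match"
    if iss.rstrip("/") == configured_issuer.rstrip("/"):
        return "trailing-slash mismatch"
    if iss.lower() == configured_issuer.lower():
        return "case mismatch"
    if iss.split("://", 1)[-1] == configured_issuer.split("://", 1)[-1]:
        return "scheme mismatch"
    return f"different issuer: token has {iss!r}"

def discovery_url(issuer: str) -> str:
    """URL of the discovery document for a given issuer value."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def b64url(obj) -> str:
    """Helper used only to build the constructed sample token below."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: placeholder signature, issuer taken from the page's example.
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "RS256", "typ": "JWT"}),
    b64url({"iss": "https://auth.pingone.com/12345/as", "sub": "user-1"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    for configured in (
        "https://auth.pingone.com/12345/as",
        "https://auth.pingone.com/12345/as/",
        "http://auth.pingone.com/12345/as",
    ):
        print(configured, "->", diagnose_issuer(SAMPLE_TOKEN, configured))
    print(discovery_url(jwt_claims(SAMPLE_TOKEN)["iss"]))
```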
🧪 Test Again
Once updated:
- Clear browser session or test in Postman
- Trigger the login flow again
- Ensure Kong receives a token from Ping with matching iss