Kong incident

OIDC tls_client_auth_ssl_verify field defaulted to `false` for new updates not explicitly setting the property

Notice Resolved View vendor source →

Kong experienced a notice incident on April 9, 2026 affecting Kong Konnect Cloud, lasting —. The incident has been resolved; the full update timeline is below.

Started
Apr 09, 2026, 06:06 PM UTC
Resolved
Apr 09, 2026, 06:06 PM UTC
Duration
Detected by Pingoru
Apr 09, 2026, 06:06 PM UTC

Affected components

Kong Konnect Cloud

Update timeline

  1. resolved Apr 09, 2026, 06:06 PM UTC

    Customers running 3.13 and below who use the OIDC plugin with `tls_client_auth_ssl_verify` unset would have seen this value change to `false` if they updated the config after the rollback of new defaults following the 3.14 release. The rollback incorrectly flipped the oidc plugin tls_client_auth_ssl_verify to false as a default, which was not one of the items recently switched to default true and has instead been defaulted true for some time. We have rolled out a fix to prod to change this default back to true. Updates to the OIDC plugin should once again keep this value set to true if not specifically defined.