Automatically create Dev Portal applications in Kong Identity with Dynamic Client Registration
You can use Dynamic Client Registration to automatically create Dev Portal applications in Kong Identity. First, create an auth server for Kong Identity and copy your Issuer URL. Then, create a new DCR provider in your Dev Portal settings and create a new auth strategy for DCR. Apply the auth strategy to published APIs.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied!Copy and paste these into your terminal to configure your session.
decK v1.43+
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
Required entities
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
-
Run the following command:
echo ' _format_version: "3.0" services: - name: example-service url: http://httpbin.konghq.com/anything routes: - name: example-route paths: - "/anything" service: name: example-service ' | deck gateway apply -Copied!
To learn more about entities, you can read our entities documentation.
Dev Portal
For this tutorial, you’ll need a Dev Portal and some Dev Portal settings, like a published API, pre-configured. These settings are essential for Dev Portal to function but configuring them isn’t the focus of this guide. If you don’t have these settings already configured, follow these steps to pre-configure them:
- In the Konnect sidebar, navigate to Dev Portal.
- Click New portal.
- Click Private portal.
- In the Portal name field, enter
Test Kong Identity DCR. - Click Create and continue.
- Click Save.
- Copy and export your Dev Portal URL in your terminal:
export PORTAL_URL=' https://your-domain.us.kongportals.com'Copied! - In your Dev Portal sidebar, click Settings.
- Click the Security tab.
- Enable Auto approve applications. This auto approves developer applications in your Dev Portal and makes it easier to test.
- Click Save changes.
- Click Dev Portal in the sidebar.
- In the Dev Portal sidebar, click APIs.
- Click New API.
- In the API name field, enter
test-kong-identity-dcr. - Click Create.
- Click Gateway Service tab.
- Click Link Gateway Service.
- From the Control plane dropdown menu, select “quickstart”.
- From the Gateway Service dropdown menu, select “example-service”.
- Click Submit.
- Navigate to your Dev Portal URL:
open $PORTAL_URLCopied! - Click Sign up. We’ll create a test developer account that we can use to create a DCR app.
- Enter your name and email.
- Click Create account.
- If you haven’t set developers to auto approval in Dev Portal, in the Konnect sidebar, navigate to Dev Portal.
- Click Test Kong Identity DCR.
- In the Dev Portal sidebar, click Access and approvals.
- Click your test developer.
- From the Actions dropdown menu, select “Approve”.
Create an auth server in Kong Identity
Before you can configure DCR, you must first create an auth server in Kong Identity. We recommend creating different auth servers for different environments or subsidiaries. The auth server name is unique per each organization and each Konnect region.
Create an auth server using the /v1/auth-servers endpoint:
curl -X POST "https://us.api.konghq.com/v1/auth-servers" \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "Appointments Dev",
"audience": "http://myhttpbin.dev",
"description": "Auth server for the Appointment dev environment"
}'
Export the issuer URL:
export ISSUER_URL='YOUR-ISSUER-URL'
Configure the Kong Identity Dynamic Client Registration in Dev Portal
After configuring Kong Identity, you can integrate it with the Dev Portal for Dynamic Client Registration (DCR). This process involves two main steps: first, creating the DCR provider, and second, establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Kong Identity DCR provider, it can be used across multiple authentication strategies without needing to be set up again.
This tutorial uses the Konnect UI to configure DCR, but you can also use the Application Registration API.
- In the Konnect sidebar, click Dev Portal.
- In the Dev Portal sidebar, click Application Auth.
- Click the DCR provider tab.
- Click New provider.
- In the Name field, enter
Kong Identity. - In the Provider Type dropdown menu, select “Kong Identity”.
- In the Auth Server field, select “Appointments Dev”.
- Click Save.
- Click the Authentication strategy tab.
- Click New authentication strategy.
- In the Name field, enter
Kong Identity. - In the Display name field, enter
Kong Identity. - In the Authentication Type dropdown menu, select “DCR”.
- In the DCR Provider dropdown menu, select “Kong Identity”.
- In the Scopes field, enter
openid. - In the Credential Claims field, enter
sub. - In the Auth Methods dropdown menu, select “client_credentials” and “bearer”.
- Click Create.
Apply the Kong Identity DCR auth strategy to an API
Now that the application auth strategy is configured, you can apply it to an API.
- In the Konnect sidebar, click Dev Portal.
- Click your Dev Portal.
- In the Dev Portal sidebar, click Published APIs.
- Click Publish API.
- From the API dropdown menu, select “test-kong-identity-dcr”. This is the API you created in the prerequisites
- In the Authentication strategy dropdown menu, select “Kong Identity”.
- Click Private.
- Click Publish API.
Validate
Now that DCR is configured, you can create an application with Dynamic Client Registration by using a developer account.
- Navigate to your Dev Portal URL:
open $PORTAL_URLCopied! - Log in with your developer account.
- Click APIs.
- For the test-kong-identity-dcr API, click View APIs.
- Click Use this API.
- In the Application name field, enter
test-dcr. - Click Create and use API.
- Copy and export your client ID and secret:
export CLIENT_ID='YOUR-CLIENT-ID' export CLIENT_SECRET='YOUR-CLIENT-SECRET'Copied!Make sure to store these values, as they will only be shown once.
- Click Copy secret and close.
- Create an access token with your client ID and secret:
export ACCESS_TOKEN="$(curl -sS -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=client_credentials' \ -d "client_id=$CLIENT_ID" \ -d "client_secret=$CLIENT_SECRET" \ -d 'scope=openid' \ "$ISSUER_URL/oauth/token" | jq -r '.access_token')"Copied! -
Make an authorized request to the API:
curl "$KONNECT_PROXY_URL/anything" \ -H "Authorization: Bearer $ACCESS_TOKEN"Copied!
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.