Warning: This feature is released as BETA and should not be deployed in a production environment.
In the 1.5.x beta version of the Application
Registration plugin, the feature was tightly coupled with OAuth2. Kong was the
only available system of record (SoR) for application credentials and the OAuth
configuration was done directly within the Application Registration plugin.
In the 2.1.x beta version, authentication has been decoupled from the
Application Registration plugin. Support has been added for third-party OAuth2
providers. Developers can choose either
Kong or a third-party identity provider (IdP) as the system of record for
application credentials. With third-party (external) OAuth2 support, developers
can centralize application credential management with the
supported identity provider of their
OAuth2 plugins for use with the Application Registration plugin:
- When Kong is the system of record, the Application Registration plugin works in conjunction with the Kong OAuth2 plugin.
- When an external OAuth2 provider is the system of record, the Application Registration plugin works in conjunction with the Kong OIDC plugin.
The third-party authorization strategy (external-oauth2) applies to all
applications across all Workspaces (Dev Portals) in a Kong cluster.
Configure an auth provider strategy for Application Registration
The portal_app_auth configuration option must be set in kong.conf to enable
the Developer Portal Application Registration plugin with your chosen
- kong-oauth2: Default. Kong is the system of record. The Application Registration plugin is used in conjunction with the Kong OAuth2 plugin.
- external-oauth2: An external IdP is the system of record. The Developer Portal Application Registration plugin is used in conjunction with the Kong OIDC plugin.
Open kong.conf.default and set the portal_app_auth option to your chosen strategy. The example configuration below switches from the default (kong-oauth2) to an external IdP (external-oauth2):
portal_app_auth = external-oauth2
# Developer Portal application registration
# auth provider and strategy. Must be set to configure the
# application_registration plugin.
# Currently accepts kong-oauth2 (default) or external-oauth2.
Restart your Kong Enterprise instance.
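A check of the portal_app_auth setting that can be run against the configuration text before the restart, as an added example that is not part of the Kong documentation or code. The function names and the sample text are constructed for illustration, and rejecting conflicting duplicate assignments is this example's own choice, not a statement of how Kong resolves them.

```python
ACCEPTED = {  # strategy -> plugin the page pairs with Application Registration
    "kong-oauth2": "Kong OAuth2 plugin",    # Kong is the system of record
    "external-oauth2": "Kong OIDC plugin",  # external IdP is the system of record
}
DEFAULT = "kong-oauth2"  # documented default when the option is not set


def read_values(conf_text, key="portal_app_auth"):
    """Return every uncommented value assigned to `key`, in file order."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        name, sep, val = line.partition("=")
        if sep and name.strip() == key:
            values.append(val.strip())
    return values


def check_portal_app_auth(conf_text):
    """Return (strategy, companion plugin); raise ValueError if unusable."""
    values = read_values(conf_text)
    if len(set(values)) > 1:
        raise ValueError(f"portal_app_auth set to conflicting values: {values}")
    strategy = values[0] if values else DEFAULT
    if strategy not in ACCEPTED:
        raise ValueError(f"portal_app_auth = {strategy!r} is not an accepted strategy")
    return strategy, ACCEPTED[strategy]


# Constructed sample: the commented-out default followed by the page's setting.
SAMPLE = """\
#portal_app_auth = kong-oauth2
portal_app_auth = external-oauth2
                  # Developer Portal application registration
                  # auth provider and strategy.
"""

if __name__ == "__main__":
    strategy, plugin = check_portal_app_auth(SAMPLE)
    print(f"{strategy}: configure the {plugin} on the same Service")
```

A misspelled strategy or two different assignments in the same file raise ValueError, so the mismatch is caught before the instance is restarted with an unintended system of record.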
- If you plan to use external OAuth, review the
Configure the identity provider for your application, configure your
application in Kong, and associate them with each other. See the Okta example.
- Enable the Application Registration plugin on a Service.
- Depending on your configured authentication strategy, configure the Kong
Kong OIDC plugin on the same Service as the
Application Registration plugin.