Applications allow registered developers on Kong Developer Portal to authenticate against a Gateway Service. Dev Portal admins can selectively admit access to Services using the Application Registration plugin.
Note: This plugin is for application registration in self-managed Kong Gateway instances.
In Konnect, the functionality is built into the Service Hub, so you don’t need this plugin. See the following documentation:
The Application Registration plugin is used in tandem with supported Kong Gateway authorization
plugins, depending on your configured Dev
Portal authorization provider. Either Kong Gateway (kong-oauth2
) or a third-party OAuth provider
(external-oauth2
) can be the system of record (SoR) for application credentials. For more
information, see
Configure an Authorization Provider Strategy.
To learn how to set up key authentication, see Enable Key Authentication for Application Registration.
Supported authorization plugins for use with application registration:
Kong Gateway Plugin | Portal authorization strategy |
---|---|
OAuth2 | kong-oauth2 |
Key Auth | kong-oauth2 |
OIDC | external-oauth2 |
If you plan to use the external OAuth option with OIDC, review the supported OAuth workflows.
Configuration Reference
This plugin is not compatible with DB-less mode.
Example plugin configuration
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
Form Parameter | Description |
---|---|
name
required Type: string |
The name of the plugin, in this case application-registration . |
service.name or service.id
required Type: string |
The name or ID of the service the plugin targets.
Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint.
Not required if using /services/SERVICE_NAME|SERVICE_ID/plugins . |
enabled
Type: boolean Default value: true |
Whether this plugin will be applied. |
config.auto_approve
required Type: boolean Default value: false
|
If enabled, all new Service Contracts requests are automatically approved. See Enable automatic registration approval. Otherwise, Dev Portal admins must manually approve requests. |
config.description
optional Type: string |
Unique description displayed in information about a Service in the Developer Portal. |
config.display_name
required Type: string |
Unique display name used for a Service in the Developer Portal. |
config.show_issuer
required Type: boolean Default value: false
|
Displays the Issuer URL in the Service Details dialog. |
Examples
Replace <DNSorIP>
with your host name or IP address, {service}
with
your Service name, and <my_service_display_name>
with the
display_name
of your Service for examples in this section.
Enable automatic registration approval
Enable auto_approve
so that application registration requests are
automatically approved.
curl -X POST http://<DNSorIP>:8001/services/{service} \
--data "name=application-registration" \
--data "config.display_name=<my_service_display_name>" \
--data "config.auto_approve=true
Update your current configuration by running a PATCH command. Replace {plugin_id}
with the id
of your plugin.
curl -X PATCH http://<DNSorIP>:8001/plugins/{plugin_id} \
--data "config.auto_approve=true"
Enable show issuer URL
Enable show_issuer
to expose the Issuer URL in the Service Details dialog.
Note: Exposing the Issuer URL is essential for the Authorization Code Flow configured for third-party identity providers.
Update your current configuration by running a PATCH command. Replace {plugin_id}
with the id
of your plugin.
curl -X PATCH http://<DNSorIP>:8001/plugins/{plugin_id} \
--data "config.show_issuer=true"