Applications allow registered developers on Kong Developer Portal to authenticate with OAuth against a Service on Kong. Dev Portal admins can selectively admit access to Services using the Application Registration plugin.
The Application Registration plugin is used in tandem with either the Kong OIDC or Kong OAuth2 plugin, depending on your configured Dev Portal authorization provider. Either Kong or a third-party OAuth provider can be the system of record (SoR) for application credentials. For more information, see Configure an Authorization Provider Strategy.
If you plan to use the external OAuth option, review the supported OAuth workflows.
Configuration Reference
You can configure this plugin using the Kong Admin API or through declarative configuration, which involves directly editing the Kong configuration file.
This plugin is compatible with requests with the following protocols:
httphttpsgrpcgrpcs
This plugin is not compatible with DB-less mode.
Enabling the plugin on a Service
<service> is the id or name of the Service that this plugin
configuration will target.
Enabling the plugin globally
A plugin which is not associated to any Service, Route, or Consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
| Form Parameter | Description |
|---|---|
name
Type: string |
The name of the plugin to use, in this case application-registration. |
service.id
Type: string |
The ID of the Service the plugin targets. |
enabled
Type: boolean Default value: true |
Whether this plugin will be applied. |
config.auto_approve
required Default value: false |
If enabled, all new Service Contracts requests are automatically approved. See Enable automatic registration approval. Otherwise, Dev Portal admins must manually approve requests. |
config.description
optional |
Unique description displayed in information about a Service in the Developer Portal. |
config.display_name
required |
Unique display name used for a Service in the Developer Portal. |
config.show_issuer
optional Default value: false |
Displays the Issuer URL in the Service Details dialog. |
Examples
Replace <DNSorIP> with your host name or IP address, {service} with
your Service name, and <my_service_display_name> with the
display_name of your Service for examples in this section.
Enable automatic registration approval
Enable auto_approve so that application registration requests are
automatically approved.
curl -X POST http://<DNSorIP>:8001/services/{service} \
--data "name=application-registration" \
--data "config.display_name=<my_service_display_name>" \
--data "config.auto_approve=true
Update your current configuration by running a PATCH command. Replace {plugin_id} with the id of your plugin.
curl -X PATCH http://<DNSorIP>:8001/plugins/{plugin_id} \
--data "config.auto_approve=true"
Enable show issuer URL
Enable show_issuer to expose the Issuer URL in the Service Details dialog.
Note: Exposing the Issuer URL is essential for the Authorization Code Flow configured for third-party identity providers.
Update your current configuration by running a PATCH command. Replace {plugin_id} with the id of your plugin.
curl -X PATCH http://<DNSorIP>:8001/plugins/{plugin_id} \
--data "config.show_issuer=true"