Skip to content
Kong Gateway 2.8 Increases Security and Simplifies API Management.  —Learn More →
|
search
Plugin Hub
header icon

Portal Application Registration

You are browsing documentation for an outdated plugin version. See the latest documentation here.

Applications allow registered developers on Kong Developer Portal to authenticate with OAuth against a Service on Kong. Admins can selectively admit access to Services using this Application Registration plugin.

At least one OAuth2 grant flow (typical use case) must be enabled for the plugin on a Service:

  • Authorization Code
  • Client Credentials
  • Implicit Grant
  • Password Grant

Configuration Reference

This plugin is not compatible with DB-less mode.

Enable the plugin on a service

For example, configure this plugin on a service by making the following request:

curl -X POST http://{HOST}:8001/services/{SERVICE}/plugins \
    --data "name=application-registration"  \
    --data "config.auth_header_name=authorization" \
    --data "config.auto_approve=false" \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_authorization_code=true" \
    --data "config.enable_client_credentials=true" \
    --data "config.enable_implicit_grant=true" \
    --data "config.enable_password_grant=true" \
    --data "config.mandatory_scope=false" \
    --data "config.refresh_token_ttl=1209600" \
    --data "config.token_expiration=7200"

SERVICE is the id or name of the service that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: <application-registration-example>
config: 
  auth_header_name: authorization
  auto_approve: false
  display_name: <my_service_display_name>
  enable_authorization_code: true
  enable_client_credentials: true
  enable_implicit_grant: true
  enable_password_grant: true
  mandatory_scope: false
  refresh_token_ttl: 1209600
  token_expiration: 7200
plugin: application-registration

Next, apply the KongPlugin resource to a Service by annotating the Service as follows:

apiVersion: v1
kind: Service
metadata:
  name: {SERVICE}
  labels:
    app: {SERVICE}
  annotations:
    konghq.com/plugins: <application-registration-example>
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: {SERVICE}
  selector:
    app: {SERVICE}

{SERVICE} is the id or name of the service that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

For example, configure this plugin on a service by adding this section to your declarative configuration file:

plugins:
- name: application-registration
  service: {SERVICE}
  config: 
    auth_header_name: authorization
    auto_approve: false
    display_name: <my_service_display_name>
    enable_authorization_code: true
    enable_client_credentials: true
    enable_implicit_grant: true
    enable_password_grant: true
    mandatory_scope: false
    refresh_token_ttl: 1209600
    token_expiration: 7200

SERVICE is the id or name of the service that this plugin configuration will target.

Configure this plugin on a service:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, scroll down to Services and click View for the service row.
  3. Scroll down to plugins and click Add Plugin.

  4. Find and select the Portal Application Registration plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, select Scoped.
  6. Add the service name and ID to the Service field if it is not already prefilled.

  7. Enter the following parameters, updating the default or sample values as needed:

    • Config.Auto Approve: clear checkbox
    • Config.Display Name: <my_service_display_name>
    • Config.Enable Authorization Code: select checkbox
    • Config.Enable Client Credentials: select checkbox
    • Config.Enable Implicit Grant: select checkbox
    • Config.Enable Password Grant: select checkbox
    • Config.Mandatory Scope: clear checkbox
    • Config.Refresh Token Ttl: 1209600
    • Config.Token Expiration: 7200
  8. Click Create.

Enable the plugin globally

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

For example, configure this plugin globally with:

$ curl -X POST http://{HOST}:8001/plugins/ \
    --data "name=application-registration"  \
    --data "config.auth_header_name=authorization" \
    --data "config.auto_approve=false" \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_authorization_code=true" \
    --data "config.enable_client_credentials=true" \
    --data "config.enable_implicit_grant=true" \
    --data "config.enable_password_grant=true" \
    --data "config.mandatory_scope=false" \
    --data "config.refresh_token_ttl=1209600" \
    --data "config.token_expiration=7200"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-application-registration>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  auth_header_name: authorization
  auto_approve: false
  display_name: <my_service_display_name>
  enable_authorization_code: true
  enable_client_credentials: true
  enable_implicit_grant: true
  enable_password_grant: true
  mandatory_scope: false
  refresh_token_ttl: 1209600
  token_expiration: 7200
plugin: application-registration

For example, configure this plugin using the plugins: entry in the declarative configuration file:

plugins:
- name: application-registration
  config: 
    auth_header_name: authorization
    auto_approve: false
    display_name: <my_service_display_name>
    enable_authorization_code: true
    enable_client_credentials: true
    enable_implicit_grant: true
    enable_password_grant: true
    mandatory_scope: false
    refresh_token_ttl: 1209600
    token_expiration: 7200

Configure this plugin globally:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, select Plugins in the left navigation.
  3. Click New Plugin.

  4. Find and select the Portal Application Registration plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, set the plugin scope to Global.

  6. Enter the following parameters, updating the default/sample values as needed:

    • Config.Auto Approve: clear checkbox
    • Config.Display Name: <my_service_display_name>
    • Config.Enable Authorization Code: select checkbox
    • Config.Enable Client Credentials: select checkbox
    • Config.Enable Implicit Grant: select checkbox
    • Config.Enable Password Grant: select checkbox
    • Config.Mandatory Scope: clear checkbox
    • Config.Refresh Token Ttl: 1209600
    • Config.Token Expiration: 7200
  7. Click Create.

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter Description
name
required

Type: string		 The name of the plugin, in this case application-registration.
service.id

Type: string		 The ID of the Service the plugin targets.
enabled
required

Type: boolean

Default value: true		 Whether this plugin will be applied.
config.auth_header_name
optional

Default value: authorization

The name of the header that is supposed to carry the access token (RFC 6750 Section 2.1).
config.auto_approve
required

Default value: false

If enabled, all new Service Contracts requests are automatically approved. See Enable automatic registration approval. Otherwise, Dev Portal admins must manually approve requests.
config.description
optional

Unique description displayed in information about a Service in the Developer Portal.
config.display_name
required

Unique display name used for a Service in the Developer Portal.
config.enable_authorization_code
required

Default value: false

An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1). At least one flow must be enabled for the plugin.
config.enable_client_credentials
required

Default value: false

An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4). At least one flow must be enabled for the plugin.
config.enable_implicit_grant
required

Default value: false

An optional boolean value to enable the Implicit Grant flow, which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2). At least one flow must be enabled for the plugin.
config.enable_password_grant
required

Default value: false

An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3). At least one flow must be enabled for the plugin.
config.mandatory_scope
required

Default value: false

An optional boolean value telling the plugin to require at least one scope to be authorized by the end user. See Set mandatory scopes.
config.provision_key
optional

The Provision Key is automatically generated on creation. No input is required. Used by the Resource Owner Password Credentials Grant (Password Grant) flow.
config.refresh_token_ttl
required

Default value: 1209600

An integer value that indicates the Time To Live (TTL) in seconds for a refresh token. Default value is 1209600 seconds (two weeks). The refresh token is used to acquire a new access token. Set to 0 to disable expiring the refresh token, which keeps the refresh token valid. To keep the access and refresh tokens valid indefinitely, see Set tokens to never expire. Refresh tokens are typically issued with the Authorization Code Grant flow, and are not applicable to the Implicit Grant flow.
config.scopes
semi-optional

A string array of scope names that will be available to the end user. See Set mandatory scopes.
config.token_expiration
required

Default value: 7200

An integer value that indicates when an access token expires, after which the client will need to refresh the token. Default value is 7200 seconds (two hours). Set to 0 to disable the token expiration. To keep the access and refresh tokens valid indefinitely, see Set tokens to never expire.

Important: When configuring the plugin, at least one of the following OAuth2 auth flows must be enabled:

  • Authorization Code
  • Client Credentials
  • Implicit Grant
  • Password Grant

Examples

Replace <DNSorIP> with your host name or IP address, {service} with your Service name, and <my_service_display_name> with the display_name of your Service for all examples in this section.

Enable the plugin with Client Credentials

Command:

curl -X POST http://<DNSorIP>:8001/services/{service} \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_client_credentials=true"

Result:

{
   "created_at":1589485602,
   "config":{
      "refresh_token_ttl":1209600,
      "auto_approve":false,
      "provision_key":"D7gc8R1vGD5lkod2wUrSRdpBPpte73kF",
      "mandatory_scope":false,
      "scopes":null,
      "enable_implicit_grant":false,
      "display_name":"my_service_display_name",
      "enable_client_credentials":true,
      "description":null,
      "enable_password_grant":false,
      "enable_authorization_code":false,
      "token_expiration":7200,
      "auth_header_name":"authorization"
   },
   "id":"7696f657-00f9-462e-9d63-96d27140d2f8",
   "service":{
      "id":"c2a45fd2-e753-46a0-955d-2ac7b4a18ce0"
   },
   "name":"application-registration",
   "protocols":[
      "grpc",
      "grpcs",
      "http",
      "https"
   ],
   "enabled":true,
   "run_on":null,
   "consumer":null,
   "route":null,
   "tags":null
}

Note that the provision_key was autogenerated.

Enable the plugin with Authorization Code

curl -X POST http://<DNSorIP>:8001/services/{service} \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_authorization_code=true"

Enable the plugin with Password Grant

curl -X POST http://<DNSorIP>:8001/services/{service} \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_password_grant=true"

Enable the plugin with Implicit Grant

curl -X POST http://<DNSorIP>:8001/services/{service} \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_implicit_grant=true"

Set tokens to never expire

Set the config.refresh_token_ttl and config.token_expiration values to 0.

curl -X  POST http://<DNSorIP>:8001/services/{service} \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_authorization_code=true"
    --data "config.refresh_token_ttl=0" \
    --data "config.token_expiration=0"

Set mandatory scopes

Replace <read> and <write> with the name of your scopes.

curl -X  POST http://<DNSorIP>:8001/services/{service} \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_authorization_code=true" \
    --data "config.mandatory_scope=true" \
    --data "config.scopes[]=<read>"

Multiple scopes:

  ...
    --data "config.scopes[]=<read> <write>"

The scopes string array is space delimited.

Enable automatic registration approval

Enable auto_approve so that application registration requests are automatically approved. Update your current configuration by running a PATCH command. Replace {plugin_id} with the id of your plugin.

curl -X PATCH http://<DNSorIP>:8001/plugins/{plugin_id} \
  --data "config.auto_approve=true"