Skip to content
|
Kong Konnect
github-edit-pageEdit this page
report-issueReport an issue
Looking for the new Developer Portal beta docs? Try the beta now.

Dynamic Client Registration Overview

Dynamic Client Registration (DCR) within Konnect Dev Portal allows applications created in the portal to automatically create a linked application in a third-party Identity Provider (IdP).

This outsources the issuer and management of application credentials to a third party, allowing for additional configuration options and compatibility with various OIDC features provided by the IdP. Konnect offers the flexibility to create multiple DCR configurations.

Authentication Methods

DCR support in Konnect provides multiple methods by which applications can be authenticated using industry-standard protocols. These methods include:

  • Client credentials grant: Authenticate with the client ID and secret provided to the application.
  • Bearer tokens: Authenticate using a token requested from the IdP’s /token endpoint.
  • Session cookie: Allow sessions from either client credentials or bearer tokens to persist via cookie until an expiration.

Each method is available when using Auth0, Curity, Okta, or Azure as the DCR identity provider.

Note: When using DCR, each application will automatically receive a client ID and secret. These can be used to authenticate with services directly if using the client credentials grant, or can be used to obtain an access token from the identity provider if using the bearer token authentication method.

Authentication with bearer tokens

You can obtain a bearer access token by requesting it from the IdP’s /token endpoint:

Token endpoints for IdPs are:

Vendor Endpoint Body
Auth0 POST https://{region}.auth0.com/oauth/token { "grant_type": "client_credentials", "audience": "<your_audience>" }
Curity POST https://{your_curity_domain}/oauth/v2/oauth-token { "grant_type": "client_credentials" }
Okta POST https://{okta-subdomain}.okta.com/oauth2/default/v1/token { "grant_type": "client_credentials" }
Azure POST https://login.microsoftonline.com/{your_tenant_id}/oauth2/v2.0/token {"grant_type": "client_credentials", "scope":"https://graph.microsoft.com/.default"}

After successfully authenticating with either client Credentials or bearer access token, the session cookie authentication method can be used to authenticate subsequent requests without including the original credentials. To use this authentication method, ensure your identity provider is configured to send session cookie response headers.