Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • Dev Portal
  • Applications
  • Dynamic Client Registration Overview
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Authentication Methods
    • Authentication with bearer tokens
    • Authentication with session cookie

Dynamic Client Registration Overview

Dynamic Client Registration (DCR) within Konnect Dev Portal allows applications created in the portal to automatically create a linked application in a third-party Identity Provider (IdP). This outsources the issuer and management of application credentials to a third party, allowing for additional configuration options and compatibility with various OIDC features provided by the IdP.

Authentication Methods

DCR support in Konnect provides multiple methods by which applications can be authenticated using industry-standard protocols. These methods include:

  • Client credentials grant: Authenticate with the client ID and secret provided to the application.
  • Bearer tokens: Authenticate using a token requested from the IdP’s /token endpoint.
  • Session cookie: Allow sessions from either client credentials or bearer tokens to persist via cookie until an expiration.

Each method is available when using Auth0, Curity, Okta, or Azure as the DCR identity provider.

Note: When using DCR, each application will automatically receive a client ID and secret. These can be used to authenticate with services directly if using the client credentials grant, or can be used to obtain an access token from the identity provider if using the bearer token authentication method.

Authentication with bearer tokens

You can obtain a bearer access token by requesting it from the IdP’s /token endpoint:

Token endpoints for IdPs are:

Vendor Endpoint Body
Auth0 POST https://YOUR_AUTH0_SUBDOMAIN.REGION.auth0.com/oauth/token { "grant_type": "client_credentials", "audience": "<your_audience>" }
Curity POST https://YOUR_CURITY_DOMAIN/oauth/v2/oauth-token { "grant_types": "client_credentials" }
Okta POST https://YOUR_OKTA_SUBDOMAIN.okta.com/oauth2/default/v1/token { "grant_types": "client_credentials" }
Azure GET https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token {"grant_type": "client_credentials", "scope":"https://graph.microsoft.com/.default"}

Authentication with session cookie

After successfully authenticating with either client Credentials or bearer access token, the session cookie authentication method can be used to authenticate subsequent requests without including the original credentials. To use this authentication method, ensure your identity provider is configured to send session cookie response headers.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023