Dynamic Client Registration Overview
Dynamic Client Registration (DCR) within Konnect Dev Portal allows applications created in the portal to automatically create a linked application in a third-party Identity Provider (IdP).
This delegates the issuance and management of application credentials to the IdP, which allows additional configuration options and compatibility with the OIDC features the IdP provides. Konnect offers the flexibility to create multiple DCR configurations.
Authentication Methods
DCR support in Konnect provides multiple methods by which applications can be authenticated using industry-standard protocols. These methods include:
- Client credentials grant: Authenticate with the client ID and secret provided to the application.
- Bearer tokens: Authenticate using an access token requested from the IdP's /token endpoint.
- Session cookie: Allow a session established with either client credentials or a bearer token to persist via a cookie until it expires.
Each method is available when using Auth0, Curity, Okta, or Azure as the DCR identity provider.
Note: When using DCR, each application will automatically receive a client ID and secret. These can be used to authenticate with services directly if using the client credentials grant, or can be used to obtain an access token from the identity provider if using the bearer token authentication method.
Authentication with bearer tokens
You can obtain a bearer access token by requesting it from the IdP's /token endpoint. The token endpoints for the supported IdPs are:

Vendor | Endpoint | Body |
---|---|---|
Auth0 | `POST https://{region}.auth0.com/oauth/token` | `{ "grant_type": "client_credentials", "audience": "<your_audience>" }` |
Curity | `POST https://{your_curity_domain}/oauth/v2/oauth-token` | `{ "grant_type": "client_credentials" }` |
Okta | `POST https://{okta-subdomain}.okta.com/oauth2/default/v1/token` | `{ "grant_type": "client_credentials" }` |
Azure | `POST https://login.microsoftonline.com/{your_tenant_id}/oauth2/v2.0/token` | `{ "grant_type": "client_credentials", "scope": "https://graph.microsoft.com/.default" }` |

The bodies are shown as JSON for readability; the token endpoint takes them as `application/x-www-form-urlencoded` form fields (the encoding RFC 6749 specifies), with the application's client ID and secret sent either as additional form fields or as HTTP Basic credentials, whichever the IdP is configured to accept.
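The following Python script is an added example and is not Konnect code or any vendor's SDK. It builds the client_credentials request for each of the four endpoints in the table, sends it as the form-encoded POST the token endpoint expects (with the client secret either in the body or as HTTP Basic credentials), checks the response for an OAuth error or a non-Bearer token type, and produces the Authorization header for the subsequent API call. The placeholder values (region, subdomain, tenant_id, domain) and the client ID and secret are whatever DCR issued to the application; the sample token response in the `__main__` block is constructed, not captured from a real IdP.

```python
"""Client-credentials token request for the DCR identity providers listed above.

Added example, not Konnect or IdP code. The four endpoint templates come from
the table; client_id/client_secret are the values DCR issued to the application.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Endpoint templates from the table; {placeholders} are filled from keyword args.
TOKEN_ENDPOINTS = {
    "auth0": "https://{region}.auth0.com/oauth/token",
    "curity": "https://{domain}/oauth/v2/oauth-token",
    "okta": "https://{subdomain}.okta.com/oauth2/default/v1/token",
    "azure": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
}

# Seconds to treat a token as expired before its real expiry, so a request never
# carries a token that lapses while in flight.
EXPIRY_SKEW = 30


@dataclass
class TokenRequest:
    url: str
    headers: dict
    body: bytes


def build_token_request(vendor, client_id, client_secret, *, audience=None,
                        scope=None, client_secret_basic=False, **placeholders):
    """Build the RFC 6749 client_credentials request for one of the four IdPs.

    The table shows the body as JSON for readability; the token endpoint takes
    application/x-www-form-urlencoded, which all four vendors accept, so that is
    what is sent here.
    """
    url = TOKEN_ENDPOINTS[vendor].format(**placeholders)
    form = {"grant_type": "client_credentials"}
    if vendor == "auth0":
        if not audience:
            raise ValueError("Auth0 requires 'audience' (the API identifier)")
        form["audience"] = audience
    if vendor == "azure":
        # Azure v2.0 requires a scope. The table uses Microsoft Graph's .default;
        # pass the scope of the API the token is actually for when it differs.
        form["scope"] = scope or "https://graph.microsoft.com/.default"
    elif scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if client_secret_basic:
        # client_secret_basic: credentials in an HTTP Basic Authorization header.
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        # client_secret_post: credentials as form fields in the body.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return TokenRequest(url, headers, urllib.parse.urlencode(form).encode())


def parse_token_response(body, now):
    """Return (access_token, expires_at) from a /token JSON response.

    Raises on an OAuth error object or a non-Bearer token type rather than
    letting a missing or unexpected token reach the Authorization header.
    """
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    expires_at = now + int(data.get("expires_in", 0)) - EXPIRY_SKEW
    return data["access_token"], expires_at


def bearer_header(access_token):
    """Header to attach to each API call made through Konnect."""
    return {"Authorization": f"Bearer {access_token}"}


def fetch_token(req, timeout=10):
    """Send the request to the IdP (network call) and parse the result."""
    http_req = urllib.request.Request(req.url, data=req.body,
                                      headers=req.headers, method="POST")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode(), time.time())


if __name__ == "__main__":
    # Hypothetical placeholder values; substitute the application's DCR-issued ones.
    req = build_token_request("okta", "0oa_example_id", "example_secret",
                              subdomain="dev-123456")
    print(req.url, req.body.decode())
    # Constructed sample response, not captured from a real IdP.
    sample = '{"token_type":"Bearer","expires_in":3600,"access_token":"eyJ.example"}'
    token, expires_at = parse_token_response(sample, now=time.time())
    print(bearer_header(token), "valid until", time.ctime(expires_at))
```

To run it against a real IdP, call `fetch_token(build_token_request(...))` with the DCR-issued client ID and secret and the IdP's placeholder values; the returned `expires_at` already subtracts a 30-second margin, so compare the current time against it before each call and request a new token once it has passed.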
Authentication with session cookie
After successfully authenticating with either client credentials or a bearer access token, the session cookie authentication method can be used to authenticate subsequent requests without including the original credentials. To use this authentication method, ensure your identity provider is configured to send session cookie response headers.