Configure Auth0 for Dynamic Client Registration
Prerequisites
- Enterprise Konnect account.
- An Auth0 account
Note: When using Auth0 DCR for Dev Portal, each application in Auth0 will have the following metadata. This can be viewed via the auth0 dashboard, or accessed from the Auth0 API.
konnect_portal_id
: ID of the Portal the application belongs tokonnect_developer_id
: ID of the developer in the Dev Portal that this application belongs tokonnect_org_id
: ID of the Konnect Organization the application belongs tokonnect_application_id
: ID of the application in the Dev Portal
Configure Auth0
To use dynamic client registration (DCR) with Auth0 as the identity provider (IdP), there are two important configurations to prepare in Auth0. First, you must authorize an Auth0 application so Konnect can use the Auth0 Management API on your behalf. Next, you will create an API audience that Konnect applications will be granted access to.
To get started configuring Auth0, log in to your Auth0 dashboard and complete the following:
Configure access to the Auth0 Management API
Konnect will use a client ID and secret from an Auth0 application that has been authorized to perform specific actions in the Auth0 Management API.
-
From the sidebar, select Applications > Applications
-
Click the Create Application button
-
Give the application a memorable name, like “Konnect Portal DCR Admin”
-
Select the application type Machine to Machine Applications and click create
-
Authorize the application to access the Auth0 Management API by selecting it from the dropdown. It will have a URL of the pattern
https://AUTH0_TENANT_SUBDOMAIN.REGION.auth0.com/api/v2/
- In the Permissions section, ensure you have selected the following permissions to be granted and click authorize:
read:client_grants
create:client_grants
delete:client_grants
update:client_grants
read:clients
create:clients
delete:clients
update:clients
update:client_keys
Note: If you’re using Developer Managed Scopes, add
read:resource_servers
to the permissions for your initial client application. - On the application’s page, visit the Settings tab and note where you can view the values for Client ID and Client Secret, which you will use in a later step.
Configure the API audience
Note: You can use an existing API entity if there is one already defined in Auth0 that represents the audience you are/will be serving with Konnect Dev Portal applications. In most cases, it is a good idea to create a new API that is specific to your Konnect Portal applications.
To create a new API audience:
-
From the sidebar, select Applications > APIs
-
Click the Create API button
-
Give the API a name, like “Konnect Portal Applications”
-
Set the identifier to a value that represents the audience the API is serving
-
Click create
-
Note the identifier value used above, which is also known as the audience, as it will be used as the Audience value when configuring the auth strategy in Konnect
Configure the Dev Portal
Once you have Auth0 configured, you can configure the Dev Portal to use Auth0 for Dynamic Client Registration (DCR). This process involves two steps: creating the DCR provider and establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Auth0 DCR provider, it can be utilized across multiple authentication strategies without needing to be set up again.
Create an application with DCR
From the My Apps page in the Dev Portal, follow these instructions:
-
Click New App.
-
Fill out the Create New Application form with your application name, authentication strategy, and description.
-
Click Create to save your application.
-
After your application is created, you will see the Client ID and Client Secret. Store the Client Secret, it will only be shown once.
-
Click Proceed to continue to the application’s details page.
Make a successful request
In the previous steps, you obtained the Client ID and Client Secret. To authorize the request, you must attach this client secret pair in the header. You can do this by using any API product, such as Insomnia, or directly using the command line:
curl example.com/REGISTERED_ROUTE -H "Authorization: Basic CLIENT_ID:CLIENT_SECRET"
Where example.com
is the address of the runtime instance you are running.
Using Auth0 actions
Auth0 actions can be used to customize the application in Auth0. Using Auth0 actions, you can configure the application name in Auth0 to be something custom, instead of the default name set by the developer in the Dev Portal. Here’s an example that sets the application name to be konnect_portal_id+konnect_developer_id+konnect_application_id
. For some other actions it is possible to make changes directly via the api object passed to the onExecuteCredentialsExchange
.
-
Follow the Auth0 documentation to create a custom action on the “Machine to Machine” flow.
-
Use the following code as an example for what your action could look like. Update the initial
const
variables with the values from the when you configured DCR.const axios = require("axios"); const INITIAL_CLIENT_AUDIENCE = const INITIAL_CLIENT_ISSUER = const INITIAL_CLIENT_ID = const INITIAL_CLIENT_SECRET = exports.onExecuteCredentialsExchange = async (event, api) => { const metadata = event.client.metadata if (!metadata.konnect_portal_id) { return } const newClientName = `${metadata.konnect_portal_id}+${metadata.konnect_developer_id}+${metadata.konnect_application_id}` await updateApplication(event.client.client_id, { name: newClientName }) }; async function getShortLivedToken() { const tokenEndpoint = new URL('/oauth/token', INITIAL_CLIENT_ISSUER).href const headers = { 'Content-Type': 'application/json', } const payload = { client_id: INITIAL_CLIENT_ID, client_secret: INITIAL_CLIENT_SECRET, audience: INITIAL_CLIENT_AUDIENCE, grant_type: 'client_credentials' } const result = await axios.post(`${tokenEndpoint}`, payload, { headers }) .then(x => x.data) .catch(e => { const msg = 'Unable to create one time access token' throw new Error(msg) }) if (!result.access_token) { const msg = 'Unable to find one time access token from result' throw new Error(msg) } return result.access_token } async function updateApplication(clientId, update) { const shortLivedToken = await getShortLivedToken() const getApplicationEndpoint = new URL(`/api/v2/clients/${clientId}`, INITIAL_CLIENT_ISSUER).href const headers = makeHeaders(shortLivedToken) return await axios.patch(getApplicationEndpoint, update, { headers }) .catch(e => { const msg = `Unable to update Application from auth0 ${e}` throw new Error(msg) }) } function makeHeaders(token) { return { Authorization: `Bearer ${token}`, accept: 'application/json', 'Content-Type': 'application/json' } }
-
Be sure to apply this action on “Machine to Machine” flow, it will then run each time a
client_credentials
request is made. After a request with is made you can see the updated application name in the Auth0 dashboard.