Configure Auth0 for Dynamic Client Registration

Prerequisites

  • An Enterprise Konnect account
  • An Auth0 account

Configure Auth0

To use dynamic client registration (DCR) with Auth0 as the identity provider (IdP), there are two important configurations to prepare in Auth0. First, you must authorize an Auth0 application so Konnect can use the Auth0 Management API on your behalf. Next, you will create an API audience that Konnect applications will be granted access to.

To get started configuring Auth0, log in to your Auth0 dashboard and complete the following:

Configure access to the Auth0 Management API

Konnect will use a client ID and secret from an Auth0 application that has been authorized to perform specific actions in the Auth0 Management API.

  1. From the sidebar, select Applications > Applications

  2. Click the Create Application button

  3. Give the application a memorable name, like “Konnect Portal DCR Admin”

  4. Select the application type Machine to Machine Applications and click create

  5. Authorize the application to access the Auth0 Management API by selecting it from the dropdown. It will have a URL of the pattern https://AUTH0_TENANT_SUBDOMAIN.REGION.auth0.com/api/v2/

  6. In the Permissions section, ensure you have selected the following permissions to be granted and click authorize:
    • read:client_grants
    • create:client_grants
    • delete:client_grants
    • update:client_grants
    • read:clients
    • create:clients
    • delete:clients
    • update:clients
    • update:client_keys
  7. On the application’s page, visit the Settings tab and note where you can view the values for Client ID and Client Secret, which you will use in a later step.
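
The permission list in step 6 is the complete set the admin application needs, so it is worth checking that the grant matches it exactly. The following is an added example, not part of Kong's documentation: it compares client grant objects against that list and reports missing permissions, extra permissions, and grants to any audience other than the Management API. The sample data is constructed, and the field names (client_id, audience, scope) are assumed to follow the shape of Auth0 client grant objects.

```python
import json
import re

# The nine permissions listed in step 6 of this page.
REQUIRED_SCOPES = frozenset({
    "read:client_grants", "create:client_grants", "delete:client_grants",
    "update:client_grants", "read:clients", "create:clients",
    "delete:clients", "update:clients", "update:client_keys",
})

# Management API audience pattern from step 5; the region label is treated
# as optional here (assumption) so tenants without one also match.
MGMT_AUDIENCE = re.compile(
    r"^https://[a-z0-9-]+(\.[a-z0-9-]+)?\.auth0\.com/api/v2/$")


def audit_grants(grants, client_id):
    """Compare one client's grants with the permission list from the page."""
    report = {"missing": sorted(REQUIRED_SCOPES), "excess": [],
              "other_audiences": []}
    for grant in grants:
        if grant.get("client_id") != client_id:
            continue
        if not MGMT_AUDIENCE.match(grant.get("audience", "")):
            # The DCR admin application only needs the Management API.
            report["other_audiences"].append(grant.get("audience"))
            continue
        granted = set(grant.get("scope", []))
        report["missing"] = sorted(REQUIRED_SCOPES - granted)
        report["excess"] = sorted(granted - REQUIRED_SCOPES)
    report["ok"] = not (report["missing"] or report["excess"]
                        or report["other_audiences"])
    return report


# Constructed sample: one permission missing, one unrelated permission added.
SAMPLE_GRANTS = json.loads("""[
  {"client_id": "dcr-admin-client",
   "audience": "https://example-tenant.us.auth0.com/api/v2/",
   "scope": ["read:client_grants", "create:client_grants",
             "delete:client_grants", "update:client_grants", "read:clients",
             "create:clients", "delete:clients", "update:clients",
             "read:users"]},
  {"client_id": "some-other-client",
   "audience": "https://example-tenant.us.auth0.com/api/v2/",
   "scope": ["read:users"]}
]""")

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_GRANTS, "dcr-admin-client"), indent=2))
```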

Configure the API audience

Note: You can use an existing API entity if there is one already defined in Auth0 that represents the audience you are serving, or will serve, with Konnect Portal applications. In most cases, it is a good idea to create a new API that is specific to your Konnect Portal applications.

To create a new API audience:

  1. From the sidebar, select Applications > APIs

  2. Click the Create API button

  3. Give the API a memorable name, like “Konnect Portal Applications”

  4. Set the identifier to a value that represents the audience the API is serving

  5. Click create

  6. Note the identifier value used above, which is also known as the audience, as it will be used as the Client Token Audience value in Konnect

Configure the Dev Portal

Once you have Auth0 configured, you can set up the Dev Portal to use Auth0 for dynamic client registration (DCR).

  1. Sign in to Konnect, then select Dev Portal from the menu.

  2. Click Settings to open the Dev Portal settings.

  3. Click the Application Setup tab to open the DCR settings for your Dev Portal.

  4. Select Auth0 as the external identity provider.

  5. Enter the Issuer for your Auth0 tenant. It will look something like https://AUTH0_TENANT_SUBDOMAIN.us.auth0.com

    Note: You can find the value for your AUTH0_TENANT_SUBDOMAIN by visiting Settings from the Auth0 sidebar and finding the Tenant Name in the General tab.

  6. Enter the Client Token Audience as the identifier value you set when configuring the API entity above

  7. Enter openid into the Scopes field

  8. Enter azp into the Consumer Claims field, which will match the client ID of each Auth0 application

  9. Enter the Client ID from the admin application created in Auth0 above into the Initial Client ID field.

  10. Enter the Client secret from the admin application created in Auth0 above into the Initial Client Secret field.

  11. Click Save.

If you previously configured any DCR settings, this will overwrite them.
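
When requests fail after saving these settings, comparing a token's claims with the values entered above usually shows which field is wrong. The following is an added example, not part of Kong's documentation or Konnect's own validation logic: it decodes a token payload and checks iss, aud and azp against the Issuer, Client Token Audience and application Client ID. The signature is not verified, so it is a configuration diagnostic only; the token and all values are constructed.

```python
import base64
import json


def jwt_claims(token):
    """Decode a compact JWT's payload. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(token, issuer, audience, client_id):
    """Return a list of mismatches against the Dev Portal DCR settings."""
    claims = jwt_claims(token)
    problems = []
    # Auth0 issues tokens whose iss ends in a slash; compare without it.
    if claims.get("iss", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("iss does not match the Issuer field")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be string or list
    if audience not in aud:
        problems.append("aud does not contain the Client Token Audience")
    if claims.get("azp") != client_id:
        problems.append("azp does not match the application's Client ID")
    return problems


def make_sample_token(claims):
    """Build a constructed token with a placeholder signature segment."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims),
                     "constructed"])


# Constructed values; none of them come from a real tenant.
ISSUER = "https://example-tenant.us.auth0.com"
AUDIENCE = "https://portal-apps.example.test"
CLIENT_ID = "constructed-client-id"
SAMPLE = make_sample_token(
    {"iss": ISSUER + "/", "aud": [AUDIENCE], "azp": CLIENT_ID})

if __name__ == "__main__":
    print(check_claims(SAMPLE, ISSUER, AUDIENCE, CLIENT_ID) or "claims match")
```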

Create an application with DCR

From the My Apps page in the Dev Portal, follow these instructions:

  1. Click New App.

  2. Fill out the Create New Application form with your application name, redirect URI, and a description.

  3. Click Create to save your application.

  4. After your application is created, you will see the Client ID and Client Secret. Store these values; they will only be shown once.

  5. Click Proceed to continue to the application’s details page.

Make a successful request

In the previous steps, you obtained the Client ID and Client Secret. To authorize a request, send this pair in the Authorization header using HTTP Basic authentication. You can do this with any API client, such as Insomnia, or directly from the command line. With curl, the -u option base64-encodes the pair and builds the header for you:

curl -u "CLIENT_ID:CLIENT_SECRET" example.com/REGISTERED_ROUTE

Where example.com is the address of the runtime instance you are running.
