Configuring Azure for Dynamic Client Registration
Prerequisites
Note: Dynamic client registration supports Azure OAuth v1 token endpoints only.
v2 is not supported.
In Azure, create the main application:
-
In Azure Active Directory, click App registrations and then click New registration.
- Enter a name for the application.
-
Ensure Accounts in this organizational directory only is selected for Supported account types.
-
Click Register.
- On the application view, go to API permissions, click Add permissions > Microsoft Graph and select the following:
- Application.Read.All
- Application.ReadWrite.All
- Application.ReadWrite.OwnedBy
- User.Read
-
Once added, click Grant admin consent. An administrator with Global Admin rights is required for this step.
-
Select Certificates & secrets and then create a client secret and save it in a secure location. You can only view the secret once.
- On the Overview view, note your Directory (tenant) ID and Application (client) ID.
Once you have Azure configured, you can set up the Dev Portal to use Azure for Dynamic Client Registration (DCR). This process involves two steps: creating the DCR provider and establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Azure DCR provider, it can be used across multiple authentication strategies without needing to be set up again.
-
Log in to Konnect and select the Dev Portal from the menu.
-
Go to Application Auth to find the authentication settings for your API products.
-
Open the DCR Providers to review existing DCR Providers.
-
Select New DCR Provider button to create an Azure configuration. Enter a name for internal reference in Konnect. This name, along with the provider type, will remain internal and not be visible to developers on the Dev Portal.
-
Provide the Issuer URL for your Azure tenant, using the format https://sts.windows.net/YOUR_TENANT_ID
.
-
For Provider Type, select AzureAD.
-
Enter your Application (Client) ID from Azure into the Initial Client ID field and the Azure admin application’s client secret into the Initial Client Secret field. The Initial Client Secret will be stored in isolated, encrypted storage and will not be readable through any Konnect API.
-
After saving, your new DCR Provider will appear in the list.
-
Click the Auth Strategy tab, then select New Auth Strategy to create an auth strategy that uses the DCR Provider you just added.
-
Name it for internal reference in Konnect and provide a display name for visibility in the Portal. Select DCR as the Auth Type and choose your newly created DCR provider from the dropdown. The Issuer URL entered earlier will be will be prepopulated.
-
In the Credential Claims field, enter appid
.
-
Select the relevant Auth Methods you need (client_credentials
, bearer
, session
), and save.
- Start by creating the DCR provider. Send a
POST
request to the dcr-providers
endpoint with your DCR configuration details:
curl --request POST \
--url https://us.api.konghq.com/v2/dcr-providers \
--header 'Authorization: $KPAT' \
--header 'content-type: application/json' \
--data '{
"name": "Azure DCR Provider",
"provider_type": "Azure",
"issuer": "https://sts.windows.net/YOUR_TENANT_ID",
"dcr_config": {
"initial_client_id": "abc123",
"initial_client_secret": "abc123xyz098!",
"initial_client_audience": "https://my-custom-domain.com/api/v2/"
}
}'
You will receive a response that includes a dcr_provider
object similar to the following:
{
"created_at": "2024-02-29T23:38:00.861Z",
"updated_at": "2024-02-29T23:38:00.861Z",
"id": "93f8380e-7798-4566-99e3-2edf2b57d289",
"name": "Azure DCR Provider",
"provider_type": "Azure",
"issuer": "https://sts.windows.net/YOUR_TENANT_ID",
"dcr_config": {
"initial_client_id": "abc123",
"initial_client_audience": "https://my-custom-domain.com/api/v2/"
},
"active": false
}
Save the id
value for creating the authentication strategy.
-
With the dcr_id
obtained from the first step, create an authentication strategy. Send a POST
request to the create-auth-strategies
endpoint describing an authentication strategy:
curl --request POST \
--url https://us.api.konghq.com/v2/application-auth-strategies \
--header 'Authorization: $KPAT' \
--header 'content-type: application/json' \
--data '{
"name": "Azure Auth",
"display_name": "Azure Auth",
"strategy_type": "openid_connect",
"configs": {
"openid-connect": {
"issuer": "https://sts.windows.net/YOUR_TENANT_ID",
"credential_claim": [
"client_id"
],
"scopes": [
"openid",
"email"
],
"auth_methods": [
"client_credentials",
"bearer"
]
}
},
"dcr_provider_id": "93f8380e-7798-4566-99e3-2edf2b57d289"
}
Create an application with DCR
From the My Apps page in the Dev Portal, follow these instructions:
-
Click the New App button.
-
Fill out the Create New Application form with your application name, authentication strategy, and description.
-
Click Create to save your application.
-
After your application has been created, you will see the Client ID and Client Secret.
Store these values, they will only be shown once.
-
Click Proceed to continue to the application’s details page.
Once your application is created, you will see it in Azure. From your Azure homepage select App registrations > All applications. You will see your application that was created in the Dev Portal.
Make a successful request
In the previous steps, you obtained the Client ID and Client Secret. To authorize the request, you must attach this client secret pair in the header. You can do this by using any API product, such as Insomnia, or directly using the command line:
curl example.com/REGISTERED_ROUTE -H "Authorization: Basic CLIENT_ID:CLIENT_SECRET"
Where example.com
is the address of the data plane node.
You can also request a bearer token from Azure using this command,
using an OAuth2 v1 token endpoint:
curl --request GET \
--url https://login.microsoftonline.com/TENANT_ID/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=CLIENT_ID \
--data 'scope=https://graph.microsoft.com/.default' \
--data 'client_secret=CLIENT_SECRET'