Configure Curity for Dynamic Client Registration - Kong Konnect

Once you have Curity configured, you can set up the Dev Portal to use Curity for dynamic client registration (DCR).

Sign in to Konnect, then select Dev Portal from the menu.
Navigate to Application Auth to access the authentication settings for your API Products.
Open the DCR Providers to view all configured DCR Providers
Select New DCR Provider button to create a Curity configuration. Provide a name for internal use within Konnect. The name and provider type information will not be exposed to Dev Portal developers.
Input the Issuer URL of your Curity authorization server, formatted as https://CURITY_INSTANCE_DOMAIN/oauth/v2/oauth-anonymous/.well-known/openid-configuration
Select Curity as the Provider Type.
Enter the Client ID of the admin client created in Curity above into the Initial Client ID field. Enter the value you saved for the Client secret into the Initial Client Secret field. Note: The Initial Client Secret will be stored in isolated, encrypted storage and will not be readable through any Konnect API.
Save your DCR Provider. You should now see it in the list of DCR providers.
Click the Auth Strategy tab to see all your Auth Strategies. Select New Auth Strategy to create an auth strategy that uses the DCR Provider you created.
Enter a name for internal use in Konnect and a display name that will be displayed the portal. In the Auth Type dropdown menu select DCR. In the DCR Provider dropdown, select the name of the DCR Provider config you created. Your Issuer URL will be prepopulated with the issuer URL you added to the DCR Provider.
If you are using the Curity configuration described in the previous sections, enter the sub into the Claims field and leave the Scopes field empty. If you configured Curity differently, then ensure you add the correct Scopes and Claims.
Select the relevant Auth Methods you need (client_credentials, bearer, session) and Save.

After configuring Curity, you can integrate it with the Dev Portal for dynamic client registration (DCR). This process involves two steps: creating the DCR provider and establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Curity DCR provider, it can be used across multiple authentication strategies without needing to be set up again.

Start by creating the DCR provider. Send a POST request to the dcr-providers endpoint with your DCR configuration details:

curl --request POST \
  --url https://us.api.konghq.com/v2/dcr-providers \
  --header 'Authorization: $KPAT' \
  --header 'content-type: application/json' \
  --data '{
  "name": "DCR Curity",
  "provider_type": "Curity",
  "issuer": "https://CURITY_INSTANCE_DOMAIN/oauth/v2/oauth-anonymous/.well-known/openid-configuration",
  "dcr_config": {
 "dcr_token": "my_dcr_token"
  }'

You will receive a response that includes a dcr_provider object similar to the following:

"dcr_provider": {
"id": "33f8380e-7798-4566-99e3-2edf2b57d289",
"name": "DCR Curity",
"display_name": "Credentials",
"provider_type": "Curity"
}

Save the id value for creating the authentication strategy.

With the dcr_id obtained from the first step, create an authentication strategy. Sen a POST request to the create-auth-strategies endpoint describing an authentication strategy:

curl --request POST \
--url https://us.api.konghq.com/v2/application-auth-strategies \
--header 'Authorization: $KPAT' \
--header 'content-type: application/json' \
--data '{
"name": "Curity auth strategy",
"display_name": "Curity",
"strategy_type": "Curity",
"configs": {
   "openid-connect": {
      "issuer": "https://my-issuer.auth0.com/api/v2/",
      "credential_claim": [
      "client_id"
      ],
      "scopes": [
      "openid",
      "email"
      ],
      "auth_methods": [
      "client_credentials",
      "bearer"
      ]
   }
},
"dcr_provider_id": "93f8380e-7798-4566-99e3-2edf2b57d289"
}'