Configure Curity for Dynamic Client Registration

Prerequisites

  • An Enterprise Konnect account.
  • A Curity account.
  • A Curity instance that can be publicly accessed over the internet or from within the network where your gateways are installed.

This feature requires Curity v7.x.

Configure Curity

To use dynamic client registration (DCR) with Curity as the identity provider (IdP), there are three important configurations to prepare in Curity. In the following sections, you will configure the token issuer, create a client, and enable dynamic client registration for the client.

To get started configuring Curity, log in to your Curity dashboard and complete the following:

  1. Select the Profiles tab on the dashboard.

  2. Select an existing Token Service Profile in the Profiles diagram, or create a new one if necessary.

  3. Complete the following sections using the Token Service Profile you selected.

Configure the token issuer

  1. Select Token Service > Token Issuers from the menu.

  2. Enable the Use Access Token as JWT setting.

  3. Add a new token issuer by clicking New Token Issuer.

  4. Fill in the following values for the token issuer, and click create:
    • Name: userinfo
    • Issuer Type: jwt
    • Purpose Type: userinfo
  5. In the “Edit Custom Token Issuer” form, select the desired values for Tokens Data Source ID, Signing Key, and Verification KeyStore.

Create a client

  1. Select Token Service > Clients from the menu.

  2. Click New Client.

  3. Give the client a unique and descriptive name, noting it for later use.

  4. Click Capabilities in the overview diagram to add a capability to the client.

  5. Select Client Credentials and click next.

  6. Set the Authentication Method to secret, generate a secret, copy it for later use, and click next.

    Important: Store the secret in a place you can reference, because it will not be visible after this step.

Enable Dynamic Client Registration

  1. Select Token Service > General > Dynamic Registration from the menu.

  2. Click Enable Dynamic Client Registration.

  3. Ensure Non Templatized and Dynamic Client Management are both enabled, and then click next.

  4. Select the desired client data source and click next.

  5. Select authenticate-client-by for the Authentication Method, add the name of the Client that was created above, and then click next.

  6. Select the nodes you want to enable DCR on and click next.

Configure the Dev Portal

Once you have Curity configured, you can set up the Dev Portal to use Curity for dynamic client registration (DCR).

  1. Sign in to Konnect, then select Dev Portal from the menu.

  2. Click Settings to open the Dev Portal settings.

  3. Click the Application Setup tab to open the DCR settings for your Dev Portal.

  4. Select Curity as the external identity provider.

  5. Enter the Issuer URL for your authorization server. It will look something like https://CURITY_INSTANCE_DOMAIN/oauth/v2/oauth-anonymous/.well-known/openid-configuration

  6. If you are using the Curity configuration described in the previous sections, enter sub into the Claims field and leave the Scopes field empty. If you configured Curity differently, ensure you add the correct Scopes and Claims.

  7. Enter the Client ID of the admin client created in Curity above into the Initial Client ID field.

  8. Enter the value you saved for the Client secret into the Initial Client Secret field.

  9. Click Save.

    If you previously configured any DCR settings, this will overwrite them.
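A pre-flight check for the Issuer URL from step 5, as an added example that is not Kong or Curity code: it inspects an OpenID Connect discovery document for the endpoints and grant that the setup above relies on. The sample document, the host curity.example.test and the function name dcr_readiness are constructed for illustration, and the check assumes Curity advertises DCR through the standard registration_endpoint metadata field.

```python
import json
from urllib.parse import urlparse

SUFFIX = "/.well-known/openid-configuration"

# Constructed sample, not captured from a real Curity instance.
SAMPLE_URL = "https://curity.example.test/oauth/v2/oauth-anonymous" + SUFFIX
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://curity.example.test/oauth/v2/oauth-anonymous",
  "token_endpoint": "https://curity.example.test/oauth/v2/oauth-token",
  "jwks_uri": "https://curity.example.test/oauth/v2/oauth-anonymous/jwks",
  "registration_endpoint": "https://curity.example.test/token-service/oauth-registration",
  "grant_types_supported": ["authorization_code", "client_credentials"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}
""")


def dcr_readiness(metadata, discovery_url):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    # OIDC Discovery: the issuer must equal the discovery URL minus the suffix.
    expected = discovery_url[:-len(SUFFIX)] if discovery_url.endswith(SUFFIX) else discovery_url
    if metadata.get("issuer") != expected:
        problems.append("issuer mismatch")
    # Assumptions: registration_endpoint appears once DCR is enabled, and
    # jwks_uri is where verifiers fetch the keys for JWT access tokens.
    for field in ("token_endpoint", "registration_endpoint", "jwks_uri"):
        value = metadata.get(field)
        if not value:
            problems.append(f"{field} missing")
        elif urlparse(value).scheme != "https":
            problems.append(f"{field} not https")
    # RFC 8414 defaults apply when these lists are omitted.
    grants = metadata.get("grant_types_supported", ["authorization_code", "implicit"])
    if "client_credentials" not in grants:
        problems.append("client_credentials grant not supported")
    auth = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(auth):
        problems.append("no client-secret authentication method")
    return problems


if __name__ == "__main__":
    print(dcr_readiness(SAMPLE_METADATA, SAMPLE_URL) or "ready")
```

To check a live instance, fetch the discovery document from your Issuer URL, parse it as JSON, and pass it in place of SAMPLE_METADATA.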

Create an application with DCR

From the My Apps page in the Dev Portal, follow these instructions:

  1. Click New App.

  2. Fill out the Create New Application form with your application name, redirect URI, and a description.

  3. Click Create to save your application.

  4. After your application is created, you will see the Client ID and Client Secret. Store these values, because they will only be shown once.

  5. Click Proceed to continue to the application’s details page.

Make a successful request

In the previous steps, you obtained the Client ID and Client Secret. To authorize the request, you must send this Client ID and Client Secret pair in the Authorization header. You can do this by using any API product, such as Insomnia, or directly using the command line:

# -u makes curl Base64-encode CLIENT_ID:CLIENT_SECRET into the "Authorization: Basic" header
curl example.com/REGISTERED_ROUTE -u "CLIENT_ID:CLIENT_SECRET"

Where example.com is the address of the runtime instance you are running.

© Kong Inc. 2023