Skip to content
|
search
Kong Konnect

Enable or Disable Application Registration for a Service

To grant developers access to register an application, you must enable application registration for a service version. When you enable application registration, Kong Konnect enables plugins automatically to support the desired mode, either key authentication or OpenID Connect. These plugins run inside the Kong Gateway runtime instances to support application registration for the service and are managed by Kong Konnect.

Support for any runtime group

App registration is fully supported in the default runtime group, using application consumers and the acl plugin. We are rolling out full support in any non-default runtime group, using the konnect-application-auth plugin that was created for Kong Gateway 3.0.

Note: The default runtime group is the one that is first created in each region when you create an organization. Although it can be renamed, it will always be the oldest runtime group in the region. See default runtime group for additional context.

Prerequisites

  • A service that is versioned and published to the Konnect Dev Portal so that it appears in the catalog.

  • The service version can be in any runtime group, as long as the following conditions are met:

    • Service versions not in the default runtime group must be proxied with a version of Kong Gateway >= 3.0

    • Service versions in the default runtime group can be proxied with any version of Kong Gateway

  • The service version must have an implementation.

  • If you are using OpenID Connect for your authorization:

    • Set up your application, claims, and scopes in your OpenID identity provider. Refer to your IdP/OP provider’s documentation for instructions.

    • Edit the Reference ID field in the Dev Portal Update Application dialog to match to your third-party OAuth2 claim.

Note: For instructions on configuring Konnect declaratively, read our declarative guide.

Enable app registration with key authentication

To enable app registration with key authentication, from the Konnect menu, click servicehub icon Service Hub, select a service, and follow these steps:

  1. Click Versions to select a version.

  2. From the Version actions drop-down menu, select Enable app registration.

  3. Select key-auth from the Auth Type list.

  4. Optional: click to enable Auto Approve for application registration requests.

  5. Click Enable.

    This version of the service package now includes a read-only entry for the konnect-application-auth plugin.

Note: If the service version is in the default runtime group, it will instead receive read-only entries for the acl and key-auth plugins to provide support for Kong Gateway versions less than 3.0.

Enable app registration with OpenID Connect

To enable app registration with OpenID Connect, from the Konnect menu, click servicehub icon Service Hub, select a service, and follow these steps:

  1. Click Versions to select a version.

  2. From the Version actions drop-down menu, select Enable app registration.

  3. Select openid-connect from the Auth Type list.

    Refer to the configuration parameters section for information about each field.

  4. Click Enable.

    This versions of this service packages now includes read-only entries for the konnect-application-auth and openid-connect plugins.

Note: If the service version is in the default runtime group, it will instead receive read-only entries for the acl and openid-connect plugins to provide support for Kong Gateway versions less than 3.0.

OpenID Connect configuration parameters

Form Parameter Description Required
Issuer The issuer URL from which the OpenID Connect configuration can be discovered. For example: https://dev-1234567.okta.com/oauth2/default. True
Scopes The scopes to be requested from the OpenID Provider. Enter one or more scopes separated by spaces, for example: open_id myscope1. False
Credential claims Name of the claim that maps to the unique client id in the identity provider. True
Auth method The supported authentication method(s) you want to enable. This field should contain only the authentication methods that you need to use. Individual entries must be separated by commas. Available options: password, client_credentials, authorization_code, bearer, introspection, kong_oauth2, refresh_token, session. True
Hide Credentials Default: disabled
Hide the credential from the upstream service. If enabled, the plugin strips the credential from the request header, query string, or request body, before proxying it.		 False
Auto Approve Default: disabled
Automatically approve developer application requests for an application.		 False

Note: In the default runtime group, Credential claim is used as a Consumer claim which identifies a consumer. In non-default runtime groups, the Credential claim should be mapped to a claim that contains the unique clientId or applicationId in the identity provider.

For more background information about OpenID Connect plugin parameters, see Important Configuration Parameters.

Disable application registration for a service

Disabling application registration removes all plugins that were initially enabled through application registration for this service. To remove a plugin by disabling application registration, follow these steps:

  1. Click a service to open the Service menu.

  2. From the Service menu, select Version to display all of the registered versions.

  3. Click the version you intend to disable.

  4. From the Version actions drop-down menu, select Disable app registration.

  5. Click Disable from the pop-up modal.

You can re-enable application registration at any time.

Differences between runtime groups

The konnect-application-auth plugin manages access control and API key authentication for app registration and replaces the need for the acl and key-auth plugins. It is used in every non-default runtime group.

In the default runtime group, applications are linked to Kong Gateway consumers and use the acl plugin to control access between an application’s consumers and a service version. In all other runtime groups, applications are not linked to Kong Gateway consumers.

Known limitations

The internal konnect-application-auth plugin only supports Kong Gateway 3.0+. If you need to use a version of Kong Gateway before 3.0, you must create your service version in the default runtime group, which still supports consumer mapping with the acl plugin.

The konnect-application-auth plugin does not connect applications to Kong Gateway consumers. Therefore, any applications created through the app registration process in any non-default runtime group currently don’t support rate limiting plugins. This will be addressed in a future release.

If you don’t use any rate limiting plugins, we recommend upgrading your runtime instances to Kong Gateway version 3.0+ to ensure future compatibility with the konnect-application-auth plugin, which has a built-in replacement for the acl plugin.