Enable Application Registration for a Service
When application registration is enabled for a Service, developers must register an application in order to access a Service.
All versions of a Service share the same authentication strategy. When you add another version to a Service, it inherits the automatically enabled plugins for that strategy.
Supported authentication flows are based on the following plugins:
When you enable application registration, the ACL plugin and your chosen authentication plugin (Key Auth or OIDC) are enabled automatically. You can see them in a Service version’s plugin list, but can’t edit or delete them directly. See the Application Overview section on Konnect-managed plugins for more information.
Important: Developers registered through app registration appear as consumers on the Shared Config page. Do not delete the ACLs associated with a consumer managed by app registration.
You can disable application registration any time at your discretion.
Prerequisites
- Organization Admin or Service Admin permissions.
- The Services have been created, versioned, and published to the Konnect Dev Portal so that they appear in the Catalog.
- If you are using OpenID Connect for your authorization:
  - Set up your application, claims, and scopes in your OpenID identity provider as appropriate for your requirements. Refer to your IdP/OP documentation for instructions.
  - Be sure to edit the Reference ID field in the Dev Portal Update Application dialog to match your third-party OAuth2 claim.
Enable App Registration for the Key Authentication Flow
- From the Konnect menu, click Services and select a Service.
- From the Actions dropdown menu, select Enable app registration.
- Select key-auth from the Auth Type list.
- (Optional) Click to enable Auto Approve for application registrations for the selected Service.
  Any developer registration requests for an application are automatically approved. A Konnect Cloud admin does not need to manually approve application registration requests for developers.
  You can also enable Auto Approve portal-wide using the Settings page for the Dev Portal. If Auto Approve is enabled portal-wide, it overrides the per-Service Auto Approve setting.
- Click Enable.
  With app registration enabled, all versions of this service now include read-only entries for the acl and key-auth plugins.
Enable App Registration for the OpenID Connect Flow
- From the Konnect menu, click Services and select a Service.
- From the Actions menu, click Enable app registration.
- Select openid-connect (default) from the Auth Type list. Refer to the descriptions in the next section for more information about each field.
- (Required) Enter your issuer URL in the Issuer field.
- (Required) Enter one or more scopes in the Scopes field.
- (Required) Enter the claim in the Consumer claims field.
- (Required) Enter one or more auth methods in the Auth method field.
- (Optional) Click to enable Hide Credentials from the upstream service.
- (Optional) Click to enable Auto Approve.
  Any developer registration requests for an application are automatically approved. A Konnect cloud admin does not need to manually approve application registration requests for developers.
  You can also enable Auto Approve portal-wide using the Portal Settings. If Auto Approve is enabled or disabled portal-wide, it overrides the per Service Auto Approve setting.
- Click Enable.
  With app registration enabled, all versions of this service now include read-only entries for the acl and oidc plugins.
OpenID Connect Configuration Parameters
Form Parameter | Description |
---|---|
Issuer | The issuer URL from which the OpenID Connect configuration can be discovered. For example: https://dev-1234567.okta.com/oauth2/default. Required. |
Scopes | The scopes to be requested from your OP (OpenID Provider). Enter one or more scopes separated by spaces, such as open_id myscope1. Optional. |
Consumer claims | Name of the claim that is used to find a consumer. Required. |
Auth method | The supported authentication method or methods you want to enable. This field should contain only the authentication methods that you need to use; otherwise, you unnecessarily widen the attack surface. Separate multiple entries with a comma. Available options: password, client_credentials, authorization_code, bearer, introspection, kong_oauth2, refresh_token, session. Required. |
Hide Credentials | Whether to show or hide the credential from the Upstream service. If enabled, the plugin strips the credential from the request (in the header, query string, or request body that contains the key) before proxying it. Default: disabled. Optional. |
Auto Approve | Automatically approve developer registration requests for an application. A Konnect admin does not need to manually approve application registration requests. Default: disabled. Optional. |
For more background information about OpenID Connect plugin parameters, see Important Configuration Parameters.
Troubleshooting
If you encounter any of the errors below that can appear in the Enable App Registration dialog, follow the recommended solution.
Error Message | Solution |
---|---|
No Service implementation in the Service package. | Create a Service implementation. See the example in the Quickstart Guide, and the ServiceHub documentation. |
Schema violation, config.issuer: missing host in url (openid-connect) | Be sure to include the host in the Issuer URL of your identity provider. For example: https://dev-1234567.okta.com/oauth2/default. |
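
A pre-check for the OpenID Connect form values, as an added example that is not part of the Konnect documentation: it parses the Issuer, Consumer claims and Auth method values the way the parameter table describes them, catches the missing-host issuer error from the troubleshooting table, and flags auth methods that are enabled without being needed. The function name, the needed_methods argument and the sample values are assumptions of this example.

```python
from urllib.parse import urlsplit

# Auth methods listed in the "Auth method" row of the parameter table.
AVAILABLE_AUTH_METHODS = {
    "password", "client_credentials", "authorization_code", "bearer",
    "introspection", "kong_oauth2", "refresh_token", "session",
}


def check_oidc_form(issuer, consumer_claims, auth_method, needed_methods):
    """Return a list of problems in the OpenID Connect form values.

    issuer, consumer_claims and auth_method are the strings typed into the
    dialog. needed_methods is the set of flows your clients really use; it is
    an input of this example, not a Konnect field.
    """
    problems = []

    # Issuer must parse to a URL with a host, otherwise the dialog reports
    # "missing host in url". OpenID Connect issuers use the https scheme.
    parts = urlsplit(issuer.strip())
    if not parts.hostname:
        problems.append("issuer: missing host in url")
    elif parts.scheme != "https":
        problems.append("issuer: not an https URL")

    if not consumer_claims.strip():
        problems.append("consumer claims: required")

    # Auth method is a comma-separated list of the available options.
    methods = [m.strip() for m in auth_method.split(",") if m.strip()]
    if not methods:
        problems.append("auth method: required")
    for m in methods:
        if m not in AVAILABLE_AUTH_METHODS:
            problems.append(f"auth method: unknown option {m!r}")
        elif m not in needed_methods:
            problems.append(f"auth method: {m!r} enabled but not needed")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the page's example issuer with the scheme dropped.
    for p in check_oidc_form("dev-1234567.okta.com/oauth2/default", "sub",
                             "client_credentials, password, bearer",
                             {"client_credentials", "bearer"}):
        print(p)
```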