Enable Application Registration for a Service

When application registration is enabled for a Service, developers must register an application in order to access a Service.

All versions of a Service share the same authentication strategy. When you add another version to a Service, it inherits the automatically enabled plugins for that strategy.

Supported authentication flows are based on the following plugins:

Key Authentication
OpenID Connect

The ACL plugin is also automatically enabled in conjunction with the key-auth or OIDC plugins. After app registration is enabled for a Service, the key-auth or OIDC and ACL plugins are no longer available on the Plugins page because they have already been enabled.

Important: Developers registered through app registration appear as consumers on the Shared Config page. Do not delete the ACLs associated with a consumer managed by app registration.

Plugins enabled by app registration cannot be disabled using the toggle in the Plugins pane on the Services Version page. The only way to disable or delete them is to disable app registration, which deletes all plugins that were initially enabled with application registration for a Service. Any other plugins that were enabled manually, such as rate-limiting, remain enabled.

Konnect Enable App Registration with OIDC

You can disable application registration any time at your discretion.

Prerequisites

Organization Admin or Service Admin permissions.
The Services have been created, versioned, and published to the Konnect Dev Portal so that they appear in the Catalog.
If you are using OpenID Connect for your authorization:
- Set up your application, claims, and scopes in your OpenID identity provider as appropriate for your requirements. Refer to your IdP/OP documentation for instructions.
- Be sure to edit the Reference ID field in the Dev Portal Update Application dialog to match to your third-party OAuth2 claim.

Enable App Registration for the Key Authentication Flow

From the Konnect menu, click Services.
Depending on your view, click the tile for the Service in cards view or the row for the Service in table view.
From the Actions menu, click Enable app registration.
Select key-auth from the Auth Type list.
(Optional) Click to enable Auto Approve for application registrations for the selected Service.

Any developer registration requests for an application are automatically approved. A Konnect Cloud admin does not need to manually approve application registration requests for developers.

You can also enable Auto Approve portal-wide using the Settings page for the Dev Portal. If Auto Approve is enabled portal-wide, it overrides the per-Service Auto Approve setting.
Click Enable.

With app registration enabled, all versions of this service now include read-only entries for the acl and key-auth plugins.

Enable App Registration for the OpenID Connect Flow

From the Konnect menu, click Services.
Depending on your view, click the tile for the Service in cards view or the row for the Service in table view.
From the Actions menu, click Enable app registration.
Select openid-connect (default) from the Auth Type list.

Refer to the descriptions in the next section for more information about each field.
1. (Required) Enter your issuer URL in the Issuer field.
2. (Required) Enter one or more scopes in the Scopes field.
3. (Required) Enter the claim in the Consumer claims field.
4. (Required) Enter one or more auth methods in the Auth method field.
5. (Optional) Click to enable Hide Credentials from the upstream service.
6. (Optional) Click to enable Auto Approve.
  
  Any developer registration requests for an application are automatically approved. A Konnect cloud admin does not need to manually approve application registration requests for developers.
  
  You can also enable Auto Approve portal-wide using the Portal Settings. If Auto Approve is enabled or disabled portal-wide, it overrides the per Service Auto Approve setting.
Click Enable.

With app registration enabled, all versions of this service now include read-only entries for the acl and oidc plugins.

OpenID Connect Configuration Parameters

Form Parameter	Description
`Issuer`	The issuer URL from which the OpenID Connect configuration can be discovered. For example: `https://dev-1234567.okta.com/oauth2/default`. Required.
`Scopes`	The scopes to be requested from your OP (OpenID Provider). Enter one or more scopes separated by spaces, such as `open_id` `myscope1`. Optional.
`Consumer claims`	Name of the claim that is used to find a consumer. Required.
`Auth method`	The supported authentication method or methods you want to enable. This field should contain only the authentication methods that you need to use; otherwise, you unnecessarily widen the attack surface. Separate multiple entries with a comma. Available options: `password`, `client_credentials`, `authorization_code`, `bearer`, `introspection`, `kong_oauth2`, `refresh_token`, `session`. Required.
`Hide Credentials`	Whether to show or hide the credential from the Upstream service. If enabled, the plugin strips the credential from the request (in the header, query string, or request body that contains the key) before proxying it. Default: disabled. Optional.
`Auto Approve`	Automatically approve developer registration requests for an application. A Konnect admin does not need to manually approve application registration requests. Default: disabled. Optional.

For more background information about OpenID Connect plugin parameters, see Important Configuration Parameters.

Troubleshooting

If you encounter any of the errors below that can appear in the Enable App Registration dialog, follow the recommended solution.

Error Message	Solution
No Service implementation in the Service package.	Create a Service implementation. See the example in the Quickstart Guide, and the ServiceHub documentation.
Schema violation, config.issuer: missing host in url (openid-connect)	Be sure to include the host in the Issuer URL of your identity provider. For example: `https://dev-1234567.okta.com/oauth2/default`.