Enable or Disable Application Registration for a Service
To grant developers access to register an application, you must enable application registration for a service version. When you enable application registration, Kong Konnect enables plugins automatically to support the desired mode, either key authentication or OpenID Connect. These plugins run inside the Kong Gateway runtime instances to support application registration for the service and are managed by Kong Konnect.
Support for any runtime group
App registration is fully supported in the default runtime group, using application consumers and the acl plugin.
We are rolling out full support in any non-default runtime group, using the konnect-application-auth plugin that was created for Kong Gateway 3.0.
Note: The default runtime group is the one that is first created in each region when you create an organization. Although it can be renamed, it will always be the oldest runtime group in the region. See default runtime group for additional context.
Prerequisites
- A service that is versioned and published to the Konnect Dev Portal so that it appears in the catalog.
- The service version can be in any runtime group, as long as the following conditions are met:
  - Service versions not in the default runtime group must be proxied with a version of Kong Gateway >= 3.0
  - Service versions in the default runtime group can be proxied with any version of Kong Gateway
- The service version must have an implementation.
- If you are using OpenID Connect for your authorization:
  - Set up your application, claims, and scopes in your OpenID identity provider. Refer to your IdP/OP provider’s documentation for instructions.
  - Edit the Reference ID field in the Dev Portal Update Application dialog to match your third-party OAuth2 claim.
Note: For instructions on configuring Konnect declaratively, read our declarative guide.
Enable app registration with key authentication
To enable app registration with key authentication, from the Konnect menu, click Service Hub, select a service, and follow these steps:
- Click Versions to select a version.
- From the Version actions drop-down menu, select Enable app registration.
- Select key-auth from the Auth Type list.
- Optional: click to enable Auto Approve for application registration requests.
- Click Enable.
This version of the service package now includes a read-only entry for the konnect-application-auth plugin.
Note: If the service version is in the default runtime group, it will instead receive read-only entries for the acl and key-auth plugins to provide support for Kong Gateway versions less than 3.0.
Enable app registration with OpenID Connect
To enable app registration with OpenID Connect, from the Konnect menu, click Service Hub, select a service, and follow these steps:
- Click Versions to select a version.
- From the Version actions drop-down menu, select Enable app registration.
- Select openid-connect from the Auth Type list. Refer to the configuration parameters section for information about each field.
- Click Enable.
This version of the service package now includes read-only entries for the konnect-application-auth and openid-connect plugins.
Note: If the service version is in the default runtime group, it will instead receive read-only entries for the acl and openid-connect plugins to provide support for Kong Gateway versions less than 3.0.
OpenID Connect configuration parameters
Form Parameter | Description | Required |
---|---|---|
Issuer | The issuer URL from which the OpenID Connect configuration can be discovered. For example: https://dev-1234567.okta.com/oauth2/default. | True |
Scopes | The scopes to be requested from the OpenID Provider. Enter one or more scopes separated by spaces, for example: open_id myscope1. | False |
Credential claims | Name of the claim that maps to the unique client id in the identity provider. | True |
Auth method | The supported authentication method(s) you want to enable. This field should contain only the authentication methods that you need to use. Individual entries must be separated by commas. Available options: password, client_credentials, authorization_code, bearer, introspection, kong_oauth2, refresh_token, session. | True |
Hide Credentials | Default: disabled. Hide the credential from the upstream service. If enabled, the plugin strips the credential from the request header, query string, or request body, before proxying it. | False |
Auto Approve | Default: disabled. Automatically approve developer application requests for an application. | False |
Note: In the default runtime group, Credential claim is used as a Consumer claim which identifies a consumer. In non-default runtime groups, the Credential claim should be mapped to a claim that contains the unique clientId or applicationId in the identity provider.
For more background information about OpenID Connect plugin parameters, see Important Configuration Parameters.
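A pre-flight check for the form values in the table above, written as an added example (not Konnect or Kong code): it validates the Issuer, Scopes and Auth method fields against the rules the table states, then decodes a sample token from your identity provider to confirm that the claim named in Credential claims is actually present. The function names, the sample token and its claim values are constructed for illustration, and the comparison of the Issuer field with the token's iss claim is an assumption about how your IdP is set up.

```python
import base64
import json
from urllib.parse import urlparse

# Options listed in the "Auth method" row of the table above.
AUTH_METHODS = {"password", "client_credentials", "authorization_code", "bearer",
                "introspection", "kong_oauth2", "refresh_token", "session"}

def b64url(obj):
    """Encode a dict as one unpadded base64url JWT segment (builds the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Return a JWT's payload claims. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_oidc_form(issuer, scopes, credential_claim, auth_methods, sample_token):
    """Return a list of problems with the form values; empty means none found."""
    problems = []
    url = urlparse(issuer)
    if url.scheme != "https" or not url.netloc:
        problems.append("Issuer must be an https URL")
    methods = [m.strip() for m in auth_methods.split(",") if m.strip()]
    if not methods:
        problems.append("Auth method is required")
    for m in sorted(set(methods) - AUTH_METHODS):
        problems.append(f"unknown auth method: {m}")
    if "," in scopes:
        problems.append("Scopes are separated by spaces, not commas")
    claims = jwt_claims(sample_token)
    # Assumption: the Issuer field holds the same value the IdP puts in "iss".
    if claims.get("iss", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("token iss does not match Issuer")
    if not credential_claim or credential_claim not in claims:
        problems.append(f"Credential claim {credential_claim!r} is not in the token")
    return problems

# Constructed sample token (unsigned, made-up values) standing in for one from the IdP.
SAMPLE_CLAIMS = {"iss": "https://dev-1234567.okta.com/oauth2/default",
                 "cid": "constructed-client-id", "scp": ["myscope1"]}
SAMPLE_TOKEN = ".".join([b64url({"alg": "none"}), b64url(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    print(check_oidc_form("https://dev-1234567.okta.com/oauth2/default",
                          "open_id myscope1", "cid", "bearer,client_credentials", SAMPLE_TOKEN))
```

The token is decoded without signature verification, so use the check only to inspect which claims your IdP issues, never to authorize a request.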
Disable application registration for a service
Disabling application registration removes all plugins that were initially enabled through application registration for this service. To remove a plugin by disabling application registration, follow these steps:
- Click a service to open the Service menu.
- From the Service menu, select Version to display all of the registered versions.
- Click the version you intend to disable.
- From the Version actions drop-down menu, select Disable app registration.
- Click Disable from the pop-up modal.
You can re-enable application registration at any time.
Differences between runtime groups
The konnect-application-auth plugin manages access control and API key authentication for app registration and replaces the need for the acl and key-auth plugins. It is used in every non-default runtime group.
In the default runtime group, applications are linked to Kong Gateway consumers and use the acl plugin to control access between an application’s consumers and a service version. In all other runtime groups, applications are not linked to Kong Gateway consumers.
Known limitations
The internal konnect-application-auth plugin only supports Kong Gateway 3.0+. If you need to use a version of Kong Gateway before 3.0, you must create your service version in the default runtime group, which still supports consumer mapping with the acl plugin.
The konnect-application-auth plugin does not connect applications to Kong Gateway consumers. Therefore, any applications created through the app registration process in any non-default runtime group currently don’t support rate limiting plugins. This will be addressed in a future release.
If you don’t use any rate limiting plugins, we recommend upgrading your runtime instances to Kong Gateway version 3.0+ to ensure future compatibility with the konnect-application-auth plugin, which has a built-in replacement for the acl plugin.