Automatically create and manage Dev Portal applications in Auth0 with Dynamic Client Registration

To use dynamic client registration (DCR) with Auth0 as the identity provider (IdP), there are two important configurations to prepare in Auth0. First, you must authorize an Auth0 application so Konnect can use the Auth0 Management API on your behalf. Next, you will create an API audience that Konnect applications will be granted access to.

Konnect will use a client ID and secret from an Auth0 application that has been authorized to perform specific actions in the Auth0 Management API.

To get started configuring Auth0, log in to your Auth0 dashboard and complete the following:

1. From the sidebar, select Applications > Applications.

2. Click Create Application.

3. Give the application a memorable name, like “Konnect Portal DCR Admin”.

4. Select the application type Machine to Machine Applications and click create.

5. Authorize the application to access the Auth0 Management API by selecting it from the dropdown. Its URL will follow the pattern: https://AUTH0_TENANT_SUBDOMAIN.REGION.auth0.com/api/v2/.

6. In the Permissions section, select the following permissions to grant access, then click Authorize:
   • read:client_grants
   • create:client_grants
   • delete:client_grants
   • update:client_grants
   • read:clients
   • create:clients
   • delete:clients
   • update:clients
   • update:client_keys

   Note: If you’re using Developer Managed Scopes, add read:resource_servers to the permissions for your initial client application.

7. On the application’s Settings tab, locate the values for Client ID and Client Secret, you’ll need them in a later step.

You can use an existing API entity if there is one already defined in Auth0 that represents the audience you are/will be serving with Konnect Dev Portal applications. In most cases, it is a good idea to create a new API that is specific to your Konnect Portal applications.

To create a new API audience in Auth0:

1. In the sidebar, navigate to Applications > APIs.

2. Click Create API.

3. Enter a Name, such as Konnect Portal Applications.

4. Set the Identifier to a value that represents the audience your API will serve.

5. Click Create.

6. Make a note of the Identifier value (also known as the Audience), you’ll need it when configuring the authentication strategy in Konnect.

After configuring Auth0, you can integrate it with the Dev Portal for Dynamic Client Registration (DCR). This process involves two main steps: first, creating the DCR provider, and second, establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Auth0 DCR provider, it can be used across multiple authentication strategies without needing to be set up again.

This tutorial uses the Konnect UI to configure DCR, but you can also use the Application Registration API.

1. Log in to Konnect and select Dev Portal from the menu.

2. Navigate to Application Auth to see the authentication strategies for your API Products.

3. Click the DCR Providers tab to see all existing DCR providers.

4. Click New DCR Provider to create a new Auth0 configuration:
   1. Enter a name for internal reference within Konnect. This name and the provider type won’t be visible to developers on the Dev Portal.

   2. Enter the Issuer URL of your Auth0 tenant, formatted as: https://AUTH0_TENANT_SUBDOMAIN.us.auth0.com. Do not include a trailing slash at the end of the URL.

      Note: You can find the value for your AUTH0_TENANT_SUBDOMAIN by checking the Tenant Name under Settings > General.

   3. Select Auth0 as the Provider Type.
   4. Enter the Client ID of the previously created admin application in Auth0 into the Client ID field. Then, enter the Client Secret of the same application into the Initial Client Secret field.
   5. If you’re using a custom domain for Auth0, enter the audience of the initial client as the Client Audience. Otherwise, leave this field blank.
   6. Optional: If you’re using developer-managed scopes, select the Use Developer Managed Scopes checkbox.
   7. Save your DCR provider. You should now see it in the list of DCR providers.

5. Navigate to the Auth Strategy tab, then click New Auth Strategy to create an auth strategy that uses the DCR provider:

   1. Provide a name for internal use within Konnect and a display name for visibility on your Portal.
   2. In the Auth Type dropdown menu select DCR.
   3. In the DCR Provider dropdown, select the name of the DCR provider config you just created. Your Issuer URL will be prepopulated with the Issuer URL you added to the DCR provider.
   4. Enter the required openid scope in the Scopes field, along with any other scopes your developers may need (e.g., openid, read:account_information, write:account_information). If you are using developer-managed scopes, these will be the scopes your developers can select from in the Dev Portal.
   5. Enter azp in the Credential Claims field. This will match the client ID of each Auth0 application.
   6. Enter the Audience value from your associated Auth0 API in the Audience field. If you’re using developer-managed scopes, the scopes selected by the developer should belong to this audience.
   7. Select the relevant Auth Methods you need (client_credentials, bearer, session), and click Save.

Now that the application auth strategy is configured, you can apply it to an API.

1. Navigate to your Dev Portal in Konnect and click Published APIs in the sidebar.

2. Click Publish API, select the API you want to publish, and select your Auth0 auth strategy for the Authentication strategy.

3. Click Publish API.

Now that DCR is configured, you can create an application with Dynamic Client Registration by using a developer account.

1. Navigate to your Dev Portal URL and log in with your developer account.

2. Select an API and click Use this API.

3. Complete the Create New Application modal with your application name, authentication strategy, and description.

4. After the application is created, the Client ID and Client Secret will be displayed.
   Make sure to store these values, as they will only be shown once.

5. After the application is created, it will appear your IdP. From your Okta organization, select Applications from the sidebar. You will see the application created in the Dev Portal, along with its corresponding Client ID.

For developers to authorize requests, they must attach the client ID and secret pair obtained previously in the header. They can do this by using any API product, such as Insomnia, or directly using the command line:

curl "$KONNECT_PROXY_URL/$ROUTE_PATH" \
     -H "Authorization: Basic $CLIENT_ID:$CLIENT_SECRET"\
     -H "Content-Type: application/json"

Note: When using Auth0 DCR for Dev Portal, each application in Auth0 will have the following metadata. This can be viewed via the auth0 dashboard, or accessed from the Auth0 API.

• konnect_portal_id: ID of the Portal the application belongs to
• konnect_developer_id: ID of the developer in the Dev Portal that this application belongs to
• konnect_org_id: ID of the Konnect Organization the application belongs to
• konnect_application_id: ID of the application in the Dev Portal