Automatically create and manage Dev Portal applications in Azure AD with Dynamic Client Registration

Beta. Uses: Kong Gateway Dev Portal
TL;DR

You can use Dynamic Client Registration to automatically create Dev Portal applications in Azure AD. First, create an application in Azure and configure the Application.ReadWrite.OwnedBy and User.Read API permissions, select Accounts in this organizational directory only for the supported account types, and create a client secret. Then, create a new DCR provider in your Dev Portal settings and create a new auth strategy for DCR.

Prerequisites

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

For this tutorial, you’ll need a Dev Portal and some Dev Portal settings, like a published API, pre-configured. These settings are essential for Dev Portal to function but configuring them isn’t the focus of this guide. If you don’t have these settings already configured, follow these steps to pre-configure them:

  1. Create a Dev Portal.
  2. Create an API.
  3. Register a test developer account with your Dev Portal. You can do this by navigating to your Dev Portal URL and clicking Sign up.

You’ll need an Azure AD account for this tutorial.

Note: Dynamic client registration supports Azure OAuth v1 token endpoints only. v2 is not supported.

Configure Azure

In Azure, create the main application:

  1. In Azure Active Directory, click App registrations and then click New registration.

  2. Enter a name for the application.
  3. Ensure Accounts in this organizational directory only is selected for Supported account types.

  4. Click Register.

  5. On the application view, go to API permissions, click Add permissions > Microsoft Graph and select the following:
    • Application.ReadWrite.OwnedBy
    • User.Read
  6. Once added, click Grant admin consent. An administrator with Global Admin rights is required for this step.

  7. Select Certificates & secrets and then create a client secret and save it in a secure location. You can only view the secret once.

  8. In the Overview view, make a note of your Directory (tenant) ID and Application (client) ID.

Configure the Dev Portal

After configuring Azure, you can integrate it with the Dev Portal for Dynamic Client Registration (DCR). This process involves two main steps: first, creating the DCR provider, and second, establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured a DCR provider, it can be used across multiple authentication strategies without needing to be set up again.

This tutorial uses the Konnect UI to configure DCR, but you can also use the Application Registration API.

  1. Log in to Konnect and select Dev Portal from the menu.

  2. Navigate to Application Auth to see the authentication strategies for your API Products.

  3. Click the DCR Providers tab to see all existing DCR providers.

  4. Click New DCR Provider to create a new Azure configuration:
    1. Enter a name for internal reference within Konnect. This name and the provider type won’t be visible to developers on the Dev Portal.
    2. Enter the Issuer URL of your Azure tenant, formatted as: https://sts.windows.net/YOUR_TENANT_ID. Do not include a trailing slash at the end of the URL.
    3. Select Azure as the Provider Type.
    4. Enter your Application (Client) ID from Azure into the Initial Client ID field, and the client secret of the Azure admin application into the Initial Client Secret field.

      Note: The Initial Client Secret will be stored in isolated, encrypted storage and will not be accessible through any Konnect API.

    5. Save your DCR provider. You should now see it in the list of DCR providers.
  5. Navigate to the Auth Strategy tab, then click New Auth Strategy to create an auth strategy that uses the DCR provider:

    1. Provide a name for internal use within Konnect and a display name for visibility on your Portal.
    2. In the Auth Type dropdown menu select DCR.
    3. In the DCR Provider dropdown, select the name of the DCR provider config you just created. Your Issuer URL will be prepopulated with the Issuer URL you added to the DCR provider.
    4. In the Credential Claims field, enter appid.
    5. Select the relevant Auth Methods you need (client_credentials, bearer, session), and click Save.
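To make the Issuer URL and Credential Claims settings concrete, here is an added Python sketch (not part of this page or of Konnect's code) of how a gateway ties an incoming v1 access token back to a Dev Portal application; the tenant ID, client ID and application name are constructed placeholders, and signature verification is left out.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample values, not taken from the page or from any real tenant.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
# Issuer URL exactly as entered in the DCR provider: no trailing slash.
ISSUER_URL = f"https://sts.windows.net/{TENANT_ID}"
# The Credential Claims value from the auth strategy.
CREDENTIAL_CLAIM = "appid"
# Client IDs that DCR created in Azure, mapped to the Dev Portal application name.
REGISTERED_APPS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "weather-app"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT as test input only; real Azure tokens are RS256-signed."""
    header = {"alg": "none", "typ": "JWT"}
    segments = (json.dumps(header).encode(), json.dumps(claims).encode())
    return ".".join(_b64url_encode(s) for s in segments) + "."


def resolve_application(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the Dev Portal application a token belongs to, or None if it must be rejected.

    Signature verification against the tenant's signing keys is deliberately omitted;
    a gateway performs it before trusting any claim below.
    """
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    # v1 tokens carry "iss" with a trailing slash while the provider field omits it,
    # so compare without it. A v2 token (login.microsoftonline.com issuer) fails here,
    # matching the note that only v1 token endpoints are supported.
    if claims.get("iss", "").rstrip("/") != ISSUER_URL:
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    # The credential claim links the token to the client ID that DCR registered.
    return REGISTERED_APPS.get(claims.get(CREDENTIAL_CLAIM))
```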

Apply the Azure DCR auth strategy to an API

Now that the application auth strategy is configured, you can apply it to an API.

  1. Navigate to your Dev Portal in Konnect and click Published APIs in the sidebar.

  2. Click Publish API, select the API you want to publish, and select your Azure auth strategy for the Authentication strategy.

  3. Click Publish API.

Validate

Now that DCR is configured, you can create an application with Dynamic Client Registration by using a developer account.

  1. Navigate to your Dev Portal URL and log in with your developer account.

  2. Select an API and click Use this API.

  3. Complete the Create New Application modal with your application name, authentication strategy, and description.

  4. After the application is created, the Client ID and Client Secret will be displayed.
    Make sure to store these values, as they will only be shown once.

  5. After the application is created, it will appear in your IdP. In Azure Active Directory, select App registrations. You will see the application created in the Dev Portal, along with its corresponding Application (client) ID.

For developers to authorize requests, they must attach the client ID and secret pair obtained previously in the Authorization header. They can do this by using any API client, such as Insomnia, or directly from the command line (curl’s -u flag builds the base64-encoded Basic Authorization header):

curl "$KONNECT_PROXY_URL/$ROUTE_PATH" \
     -u "$CLIENT_ID:$CLIENT_SECRET" \
     -H "Content-Type: application/json"

You can also request a bearer token from Azure using the following command, targeting the OAuth 2.0 v1 token endpoint:

curl --request POST \
  --url https://login.microsoftonline.com/TENANT_ID/oauth2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=CLIENT_ID \
  --data 'scope=https://graph.microsoft.com/.default' \
  --data 'client_secret=CLIENT_SECRET'

Cleanup

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
