Automatically create and manage Dev Portal applications in Curity with Dynamic Client Registration

To use Dynamic Client Registration (DCR) with Curity as the identity provider (IdP), you need to prepare three key configurations in Curity: configuring the token issuer, creating a client, and enabling DCR for the client.

To begin configuring Curity, log in to your Curity dashboard and follow these steps:

1. Select the Profiles tab on the dashboard.

2. Select an existing Token Profile in the Profiles diagram, or create a new one if necessary.

Complete the following sections using the Token Profile you selected.

1. In Curity, select Token Service > Token Issuers from the menu.

2. Enable the Use Access Token as JWT setting.

3. Add a new token issuer by clicking New Token Issuer.

4. Fill in the following values for the token issuer, and click create:
   • Name: userinfo
   • Issuer Type: jwt
   • Purpose Type: userinfo
5. In the “Edit Custom Token Issuer” form, select the desired values for Tokens Data Source ID, Signing Key, and Verification KeyStore.

1. In Curity, select Token Service > Clients from the menu.

2. Click New Client.

3. Assign a unique and descriptive name to the client, and make a note of it for future reference.

4. In the overview diagram, click Capabilities to add a capability to the client.

5. Select Client Credentials, then click Next.

6. Set the Authentication Method to secret, generate a secret, copy it for later use, and click Next.

   Important: Store the secret in a secure location, as it will not be visible after this step.

1. In Curity, select Token Service > General > Dynamic Registration from the menu.

2. Click Enable Dynamic Client Registration.

3. Make sure both Non-Templatized and Dynamic Client Management are enabled, then click Next.

4. Choose the desired client data source, then click Next.

5. Select authenticate-client-by as the Authentication Method, enter the name of the client created earlier, and click Next.

6. Select the nodes you want to enable DCR on and click next.

After configuring Curity, you can integrate it with the Dev Portal for Dynamic Client Registration (DCR). This process involves two main steps: first, creating the DCR provider, and second, establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Curity DCR provider, it can be used across multiple authentication strategies without needing to be set up again.

This tutorial uses the Konnect UI to configure DCR, but you can also use the Application Registration API.

1. Log in to Konnect and select Dev Portal from the menu.

2. Navigate to Application Auth to see the authentication strategies for your API Products.

3. Click the DCR Providers tab to see all existing DCR providers.

4. Click New DCR Provider to create a new Curity configuration:
   1. Enter a name for internal reference within Konnect. This name and the provider type won’t be visible to developers on the Dev Portal.
   2. Enter the Issuer URL of your Curity authorization server, formatted as https://CURITY_INSTANCE_DOMAIN/oauth/v2/oauth-anonymous/.well-known/openid-configuration.
   3. Select Curity as the Provider Type.
   4. Enter the Client ID of the admin client created in Curity above into the Initial Client ID field. Then, enter the saved Client Secret into the Initial Client Secret field.

      Note:The Initial Client Secret will be stored in isolated, encrypted storage and will not be accessible through any Konnect API.

   5. Save your DCR provider. You should now see it in the list of DCR providers.

5. Navigate to the Auth Strategy tab, then click New Auth Strategy to create an auth strategy that uses the DCR provider:

   1. Provide a name for internal use within Konnect and a display name for visibility on your Portal.
   2. In the Auth Type dropdown menu select DCR.
   3. In the DCR Provider dropdown, select the name of the DCR provider config you just created. Your Issuer URL will be prepopulated with the Issuer URL you added to the DCR provider.

   4. If you are using the Curity configuration described in the previous sections, enter the sub into the Claims field and leave the Scopes field empty. If you configured Curity differently, then ensure you add the correct Scopes and Claims.

      Note: Avoid using the openid scope with client credentials as it restricts the use. If no scopes are specified, openid will be the default.

   5. Select the relevant Auth Methods you need (client_credentials, bearer, session), and click Save.

Now that the application auth strategy is configured, you can apply it to an API.

1. Navigate to your Dev Portal in Konnect and click Published APIs in the sidebar.

2. Click Publish API, select the API you want to publish, and select your Curity auth strategy for the Authentication strategy.

3. Click Publish API.

Now that DCR is configured, you can create an application with Dynamic Client Registration by using a developer account.

1. Navigate to your Dev Portal URL and log in with your developer account.

2. Select an API and click Use this API.

3. Complete the Create New Application modal with your application name, authentication strategy, and description.

4. After the application is created, the Client ID and Client Secret will be displayed.
   Make sure to store these values, as they will only be shown once.

5. After the application is created, it will appear your IdP. From your Okta organization, select Applications from the sidebar. You will see the application created in the Dev Portal, along with its corresponding Client ID.

For developers to authorize requests, they must attach the client ID and secret pair obtained previously in the header. They can do this by using any API product, such as Insomnia, or directly using the command line:

curl "$KONNECT_PROXY_URL/$ROUTE_PATH" \
     -H "Authorization: Basic $CLIENT_ID:$CLIENT_SECRET"\
     -H "Content-Type: application/json"