Automatically create Dev Portal applications in Okta with Dynamic Client Registration
You can use Dynamic Client Registration to automatically create Dev Portal applications in Okta. First, create scopes and claims in Okta and copy your Issuer URL. Then, create a new DCR provider in your Dev Portal settings and create a new auth strategy for DCR.
Prerequisites
Kong Konnect
This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
Dev Portal
For this tutorial, you’ll need a Dev Portal and some Dev Portal settings, like a published API, pre-configured. These settings are essential for Dev Portal to function but configuring them isn’t the focus of this guide. If you don’t have these settings already configured, follow these steps to pre-configure them:
- Create a Dev Portal.
- Create an API.
- Register a test developer account with your Dev Portal. You can do this by navigating to your Dev Portal URL and clicking Sign up.
Copy the Okta issuer URL
Using your Okta credentials, log in to the Okta portal and click Security > API in the sidebar. The default Issuer URI should be displayed in the Authorization Servers tab. If you are using an authorization server that you configured, copy the issuer URL for that authorization server.
Create a token in Okta
- Click Security > API in the sidebar.
- From the Tokens tab, click the Create token button.
- Enter a name for your token, and then copy the token value.
Important: Store the token in a secure location you can reference later, as it will only be visible as a hashed value after this step.
Add scopes in Okta
- Click Security > API in the sidebar.
- Select the authorization server that you want to configure.
- Click the Scopes tab, and click Add Scope.
- Configure the scope as needed.
Add a claim in Okta
To map an application from the Dev Portal to Okta, you have to create a claim.
- Click Security > API in the sidebar.
- Select the authorization server that you want to configure.
- Click the Claims tab, and then click Add Claim.
- Enter a name for this claim, and enter app.clientId for Value. You can leave the Value type as “Expression”, and include it in any scope.
Configure the Okta Dynamic Client Registration in Dev Portal
After configuring Okta, you can integrate it with the Dev Portal for Dynamic Client Registration (DCR). This process involves two main steps: first, creating the DCR provider, and second, establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Okta DCR provider, it can be used across multiple authentication strategies without needing to be set up again.
This tutorial uses the Konnect UI to configure DCR, but you can also use the Application Registration API.
- Log in to Konnect and select Dev Portal from the menu.
- Navigate to Application Auth to see the authentication strategies for your API Products.
- Click the DCR Providers tab to see all existing DCR providers.
- Click New DCR Provider to create a new Okta configuration:
  - Enter a name for internal reference within Konnect. This name and the provider type won’t be visible to developers on the Dev Portal.
  - Enter the Issuer URL of your authorization server and the DCR Token that you created in Okta. The Issuer URL and DCR token will be stored in isolated, encrypted storage and will not be readable through any Konnect API.
  - Select Okta as the Provider Type.
  - Save your DCR provider. You should now see it in the list of DCR providers.
- Navigate to the Auth Strategy tab, then click New Auth Strategy to create an auth strategy that uses the DCR provider:
  - Provide a name for internal use within Konnect and a display name for visibility on your Portal.
  - In the Auth Type dropdown menu select DCR.
  - In the DCR Provider dropdown, select the name of the DCR provider config you just created. Your Issuer URL will be prepopulated with the Issuer URL you added to the DCR provider.
  - Enter the names of the Scopes and Claims as comma-separated values in their corresponding fields. The values should match the scopes or claims that were created in Okta.
    Note: Avoid using the openid scope with client credentials as it restricts the use. If no scopes are specified, openid will be the default.
  - Select the relevant Auth Methods you need (client_credentials, bearer, session), and click Save.
Apply the Okta DCR auth strategy to an API
Now that the application auth strategy is configured, you can apply it to an API.
- Navigate to your Dev Portal in Konnect and click Published APIs in the sidebar.
- Click Publish API, select the API you want to publish, and select your Okta auth strategy for the Authentication strategy.
- Click Publish API.
Validate
Now that DCR is configured, you can create an application with Dynamic Client Registration by using a developer account.
- Navigate to your Dev Portal URL and log in with your developer account.
- Select an API and click Use this API.
- Complete the Create New Application modal with your application name, authentication strategy, and description.
- After the application is created, the Client ID and Client Secret will be displayed. Make sure to store these values, as they will only be shown once.
- After the application is created, it will appear in your IdP. From your Okta organization, select Applications from the sidebar. You will see the application created in the Dev Portal, along with its corresponding Client ID.
For developers to authorize requests, they must attach the client ID and secret pair obtained previously in the header. They can do this by using any API product, such as Insomnia, or directly using the command line:
# -u makes curl send "Authorization: Basic <base64 of client_id:client_secret>"
curl "$KONNECT_PROXY_URL/$ROUTE_PATH" \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -H "Content-Type: application/json"
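To confirm that the claim and scopes configured above actually reach the gateway, you can inspect an access token issued to the new application. The following is an added example, not part of the original tutorial or Kong's code: it decodes the token payload without verifying the signature (inspection only) and compares it with the auth strategy settings. The issuer, client ID, claim name, and scope are constructed placeholders, and it assumes Okta access tokens list granted scopes in the scp claim.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_dcr_token(token, issuer, client_id, claim_name, scopes):
    """Return a list of mismatches between a token and the DCR auth strategy."""
    claims = decode_payload(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {issuer!r}")
    if claim_name not in claims:
        problems.append(f"claim {claim_name!r} is missing from the token")
    elif claims[claim_name] != client_id:
        problems.append(f"claim {claim_name!r} does not carry the client ID")
    missing = sorted(set(scopes) - set(claims.get("scp", [])))
    if missing:
        problems.append(f"scopes not granted: {', '.join(missing)}")
    return problems


# Constructed sample values (placeholders, not real Okta data).
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
CLAIM_NAME = "application_id"  # hypothetical claim whose value is app.clientId
SCOPES = ["orders.read"]       # hypothetical scope created in Okta


def sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for the demo."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'constructed')}"


if __name__ == "__main__":
    good = sample_token({"iss": ISSUER, "scp": SCOPES, CLAIM_NAME: CLIENT_ID})
    bad = sample_token({"iss": ISSUER, "scp": ["other.scope"]})  # claim not mapped
    for name, tok in (("good", good), ("bad", bad)):
        print(name, check_dcr_token(tok, ISSUER, CLIENT_ID, CLAIM_NAME, SCOPES))
```

An empty list means the token matches the strategy. A missing claim usually means the claim was not included in a scope the application requested.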
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.