Getting started with app registration - Plugin

Using the plugin

You can follow the basic examples to enable your plugin using your preferred method. Or, follow this guide for some specific scenarios.

Prerequisites

Before using this plugin, set an authorization provider strategy in kong.conf.

Enable automatic registration approval

You can enable auto_approve so that application registration requests are automatically approved.

The following example creates an instance of the plugin with auto_approve enabled. Replace <service> with your service name or ID, and <my_service_display_name> with the display_name of your service:

curl -X POST http://localhost:8001/services/<service>/plugins \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.auto_approve=true

Or, you can update your current configuration with a PATCH request. Replace <plugin_id> with the id of your plugin.

curl -X PATCH http://localhost:8001/plugins/<plugin_id> \
  --data "config.auto_approve=true"

Allow accessing the service with consumer credentials (optional)

By enabling the Application Registration plugin on a service, access to the service with consumer credentials is disallowed by default. To allow this behavior, you can set enable_proxy_with_consumer_credential to true.

Important: Always use enable_proxy_with_consumer_credential with caution, as this allows accessing the scoped service via consumer credentials other than your application’s client ID (API key).

curl -X POST http://localhost:8001/services/<service>/plugins \
    --data "name=application-registration"  \
    --data "config.display_name=<my_service_display_name>" \
    --data "config.enable_proxy_with_consumer_credential=true"

Or, update your current configuration with a PATCH request. Replace <plugin_id> with the id from the existing application-registration instance:

curl -X PATCH http://localhost:8001/plugins/<plugin_id> \
  --data "config.enable_proxy_with_consumer_credential=true"

Then, enable the Key Auth plugin and a route for the service:

curl -X POST http://localhost:8001/services/<service>/routes \
    --data "path=/test"

curl -X POST http://localhost:8001/services/<service>/plugins \
    --data "name=key-auth" \
    --data "config.key_names=apikey"

Create a consumer and a credential for the consumer. You’ll need this to use key authentication:

curl -X POST http://localhost:8001/consumers \
    --data "username=test"

curl -X POST http://localhost:8001/consumers/<consumer_id>/key-auth \
    --data "key:<apikey>"

When enable_proxy_with_consumer_credential is enabled, constructing a request to the service should yield a 200 response, rather than the 401 response when disabled:

curl http://localhost:8000/test?apikey=<apikey>

The route should still be accessible with the client_id of the application.

curl http://localhost:8000/test?apikey=<client_id>

Enable show issuer URL

Enable show_issuer to expose the Issuer URL in the Service Details dialog.

Note: Exposing the Issuer URL is essential for the Authorization Code Flow configured for third-party identity providers.

Update your current configuration with a PATCH request. Replace <plugin_id> with the id of your plugin.

curl -X PATCH http://localhost:8001/plugins/<plugin_id> \
  --data "config.show_issuer=true"

前へ Basic config examples for Portal Application Registration