Configure Dynamic Client Registration (DCR)
Dynamic Client Registration (DCR) allows developers to register OAuth 2.0 clients programmatically through the Developer Portal, without manually creating clients in the identity provider. When a developer creates an OAuth credential, the portal automatically registers a client with the configured DCR provider and returns the client ID and secret.
Prerequisites
Create a token by following Obtain a Token from the Dashboard and export it:
export API_KEY="a7ee-xxxxxxxxxxxxx"
DCR Provider Types
API7 supports two types of DCR providers:
OIDC
The OIDC provider type uses standard RFC 7591 and RFC 7592 protocols. The portal discovers the registration endpoint from the identity provider's .well-known/openid-configuration endpoint.
Supported operations:
| Operation | Protocol | Description |
|---|---|---|
| Register client | RFC 7591 | POST to the registration endpoint. |
| Update client | RFC 7592 | PUT to the registration_client_uri with registration_access_token. |
| Delete client | RFC 7592 | DELETE to the registration_client_uri. |
| Rotate secret | Not supported | OIDC providers do not support secret rotation. |
HTTP Bridge
The HTTP Bridge provider type uses a custom API to communicate with identity providers that do not support standard DCR protocols. You deploy an HTTP bridge service that translates between the portal's API and your identity provider.
Supported operations:
| Operation | Method | Endpoint |
|---|---|---|
| Register client | POST | {base_url}/clients |
| Update client | PUT | {base_url}/clients/{client_id} |
| Delete client | DELETE | {base_url}/clients/{client_id} |
| Rotate secret | POST | {base_url}/clients/{client_id}/rotate-secret |
Create a DCR Provider
OIDC Provider
curl -k "https://localhost:7443/api/dcr_providers" \
-H "X-API-KEY: ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{
"name": "Keycloak Production",
"provider_type": "oidc",
"issuer": "https://keycloak.example.com/realms/my-realm",
"headers": {
"Authorization": "Bearer <initial-access-token>"
},
"desc": "Production Keycloak instance for OAuth client registration"
}'
If you are not running locally, replace localhost with your Dashboard host. The -k flag is required if the Dashboard uses a self-signed TLS certificate.
❶ name is the display name shown for the DCR provider in the Provider Portal.
❷ provider_type selects the integration type. Use oidc for standard OpenID Connect Dynamic Client Registration.
❸ issuer is required for OIDC providers. API7 discovers the registration endpoint from the issuer's /.well-known/openid-configuration document.
❹ headers lets you send custom headers with each DCR request, such as Keycloak's initial access token.
❺ desc is optional and helps operators understand what the provider is used for.
HTTP Bridge Provider
curl -k "https://localhost:7443/api/dcr_providers" \
-H "X-API-KEY: ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{
"name": "Custom OAuth Bridge",
"provider_type": "http_bridge",
"issuer": "https://issuer.example.com",
"provider_config": {
"base_url": "https://oauth-bridge.internal.example.com"
},
"headers": {
"X-API-Key": "<bridge-api-key>"
}
}'
❶ name is the display name shown for the DCR provider in the Provider Portal.
❷ provider_type: "http_bridge" tells API7 to use your bridge service instead of standard OIDC DCR discovery.
❸ issuer identifies the OAuth issuer represented by the bridge.
❹ provider_config.base_url is required for HTTP Bridge providers and points to your bridge service.
❺ headers lets you send authentication material such as an API key to the bridge service.
Configure an API Product with DCR
After creating a DCR provider, reference it in an API product's authentication configuration:
curl -k -X PATCH "https://localhost:7443/api/api_products/{product_id}?portal_id={portal_id}" \
-H "X-API-KEY: ${API_KEY}" \
-H "Content-Type: application/json" \
-d '[
{
"op": "replace",
"path": "/auth",
"value": {
"dcr": {
"dcr_provider_id": "<dcr-provider-id>"
}
}
}
]'
You can enable DCR alongside other authentication types (key auth, basic auth).
Example: Keycloak Integration
The following steps demonstrate integrating Keycloak as a DCR provider:
-
Create an initial access token in Keycloak:
- Log in to the Keycloak Admin Console.
- Navigate to your realm's Clients > Initial Access Tokens.
- Create a token with the desired expiration and maximum client count.
-
Create the DCR provider in API7:
curl -k "https://localhost:7443/api/dcr_providers" \
-H "X-API-KEY: ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{
"name": "Keycloak",
"provider_type": "oidc",
"issuer": "https://keycloak.example.com/realms/my-realm",
"headers": {
"Authorization": "Bearer <keycloak-initial-access-token>"
}
}' -
Create an API product with DCR authentication and publish it.
-
Developers create OAuth credentials in the Developer Portal. Each credential creation registers a new client in Keycloak.
-
Developers request access tokens from Keycloak using the client ID and secret, then use the tokens to call APIs through the gateway.
Deletion Protection
A DCR provider cannot be deleted if:
- Any API product references it in its authentication configuration.
- Any developer credential is associated with it.
Remove all references before deleting the provider.
OIDC Discovery Caching
For OIDC providers, the portal caches the OpenID Connect discovery document (containing the registration endpoint URL). The cache uses an LRU policy with a 24-hour TTL and up to 128 entries. This minimizes the number of discovery requests sent to the identity provider.