
API Authentication - Configuration Guide

This document lists the configuration required to set up the application gateway for API authentication in CX. The following configuration is a prerequisite and must be in place before authentication is enabled.

Application gateway configurations

In an on-prem or single-tenant deployment, use the Keycloak service name instead of the FQDN.

Replace "expertflow" with your own realm name or tenant ID. For example: http://keycloak.ef-external.svc/auth/realms/tenantID/authz/....

To enable API authentication on specific routes, add the following openid-connect plugin snippet under the plugins section of the route definition:

YAML
openid-connect:
  enable: true
  discovery: "http://keycloak.ef-external.svc/auth/realms/expertflow/.well-known/openid-configuration"
  realm: "expertflow" # replace with the tenant's realm name
  client_id: "cim"   # Keycloak client ID
  client_secret: "ef61df80-061c-*******-387e6bf67052" # Keycloak client secret
  bearer_only: true  # only accept bearer tokens; never redirect to a login page
  token_signing_alg_values_expected: "RS256"
  set_access_token_header: false
  set_userinfo_header: false
  audience: ["cim", "account", "realm-management"]  # token "aud" must include one of these
  required_scopes: ["email", "profile"]             # token "scope" must include all of these

To disable authentication on a route, remove or comment out the above lines from its route definition.
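As an added illustration (not part of the original guide or the gateway's own code), the Python below mirrors the checks that the plugin settings above impose on a bearer token: the expected signing algorithm, an unexpired token, an "aud" claim overlapping the configured audience list, and every required scope present. It assumes signature verification against the JWKS published at the discovery URL has already succeeded; the empty signature segment in the constructed sample token exists only so the claim checks can be exercised offline. The audience check is the reason the Keycloak section adds the "fix-audience" mapper to the cim client.

```python
import base64
import json
import time

# Constructed copy of the relevant plugin settings from the route definition.
PLUGIN_CONFIG = {
    "token_signing_alg_values_expected": "RS256",
    "audience": ["cim", "account", "realm-management"],
    "required_scopes": ["email", "profile"],
}


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_token_claims(token: str, config: dict, now: float = None) -> tuple:
    """Apply the alg/expiry/audience/scope checks to an already signature-verified
    bearer token. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # Pin the algorithm the route expects; anything else (including "none") is rejected.
    if header.get("alg") != config["token_signing_alg_values_expected"]:
        return False, "unexpected alg %r" % header.get("alg")
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if not set(aud) & set(config["audience"]):
        return False, "audience mismatch: %s" % aud
    # Keycloak issues "scope" as a space-separated string.
    granted = set(claims.get("scope", "").split())
    missing = set(config["required_scopes"]) - granted
    if missing:
        return False, "missing scopes: %s" % sorted(missing)
    return True, "ok"


def make_unsigned_sample(header: dict, claims: dict) -> str:
    # Constructed test token with an empty signature segment (offline demo only).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc(header) + "." + enc(claims) + "."
```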

Keycloak Configurations

  • Log in to your Keycloak instance and open the expertflow realm.
  • Click Clients in the left panel and select cim.
  • Open the Client scopes tab and click cim-dedicated under Assigned client scope.
  • Click Add mapper and select By configuration.
  • Click Audience.
  • Set Name to "fix-audience", select cim in Included Client Audience, set the "Add to ID Token" toggle to On, and click Save.

Create a Customer User:

This user is used by the Customer Widget to obtain an access token for each customer.

  • Go to the Users tab in the left panel.
  • Click Add user, set the username to "customer", set the Email verified toggle to On, and click Save.
  • Once the user is created, open Credentials, click Set password, set the password to customer, set Temporary to Off, and click Save.
  • (Applies from release 4.10.1 onwards) After creating the customer user, assign it the customer role. Click Realm roles and check whether the customer role exists; if it does, skip the creation step, otherwise create a customer role.
  • Open the customer user and click Role mapping.
  • Assign the customer role to the user along with offline_access and uma_authorization.