API Security using Application Gateway
Expertflow CX uses Apache APISIX as an API Gateway of the solution. The API Gateway gets user permissions from the IAM (KeyCloak) for authentication and authorization. CX Ingress Controller forwards incoming traffic to the API Gateway and it integrates with IAM via OpenID Connect (OIDC) plugin (openid-connect) for authentication and the authz-keycloak plugin for authorization, to intercept these requests.
The API Gateway is set up to handle both authentication and authorization to securely access resources:
Authentication: The API Gateway checks the access token in the request header to validate the user's identity. This process involves communicating with IAM to verify the token. If the token is invalid, the request is rejected with a 401 status code (unauthenticated).
Authorization: After authentication, the API Gateway ensures the user has permission to access the requested resource. The API gateway uses token introspection to retrieve the list of authorized resources for the user (the owner of the access token) by communicating with IAM. If the user is not authorized to access a resource, the request is rejected with a 403 response.
Authorization in Expertflow CX is implemented using Role-Based Access Control (RBAC). When a request is made to access a resource, the API gateway checks for the authorized roles and scopes. Regarding roles, Expertflow CX has various roles, such as agent, supervisor, quality manager, etc. Each role has its own set of permissions and access levels for specific resources. These permissions and access levels are configurable and can be adjusted based on the use case. See API Authorization - Configuration/Customization Guide.
This strategy centralizes the authentication and authorization layer, offloading this critical security task from backend services and allowing for full utilization of API Gateway's feature set.
Security Type | Role(s) | Scope(s) | Authorized | Token Embedded | Response (Front-end) | Response (Postman) |
|---|---|---|---|---|---|---|
Authentication | Any | Any | Yes | No | Image 2 |
CODE
|
Authorization | agent | GET | Yes | Yes | Image 1 |
CODE
|
Authorization | agent | POST, PUT, DELETE | No | Yes | Image 2 |
CODE
|
Authorization | supervisor OR admin | GET, POST, PUT, DELETE | Yes | Yes | Image 1 |
CODE
|
Authentication + Authorization | supervisor OR admin | GET, POST, PUT, DELETE | Yes | No | Image 2 (with 401/403) |
CODE
|
Image 1
Image 2
Secured Components
Following components are secured with API gateway:
Agent Manager
Bot framework
Customer Channel Manager
CIM Customer
Conversation Manager
Conversation Monitor
License Manager
Routing Engine
Team Announcement
File Engine
Unified Admin
Quality Management
Campaigns
Surveys
Historical Reports
Business Calendars
Scheduler
The following APIs, belonging to secure components, are unauthenticated.
POST /agent-manager/agent/login
GET /agent-manager/socket.io/
POST /agent-manager/agent/refresh-token
POST /agent-manager/agent/send-sms-otp
POST /agent-manager/agent/register-phone
POST /agent-manager/agent/validate-otp
GET /ccm/widget-configs/{{WidgetIdentifier}}
GET /ccm/agents/{{}}
GET /ccm/channels/service-identifier/{{serviceIdentifier}}
GET /ccm/message
POST /unified-admin/forms/getAllFormTitles
POST /unified-admin/forms/{{formID}}
/unified-admin/keycloakLogin (all routes)
/unified-admin/tiny-url (all routes)
/unified-admin/formValidation (all routes)
/unified-admin/agent-desk-settings (all routes)
/unified-admin/locale-setting(all routes)Documents for Application Gateway configurations:
Document to configure Application Gateway settings in Keycloak
Document to configure the Authentication Token lifespan in Keycloak