Skip to main content
Skip table of contents

API Security using Application Gateway

Expertflow CX uses Apache APISIX as an API Gateway of the solution. The API Gateway gets user permissions from the IAM (KeyCloak) for authentication and authorization. CX Ingress Controller forwards incoming traffic to the API Gateway and it integrates with IAM via OpenID Connect (OIDC) plugin (openid-connect) for authentication and the authz-keycloak plugin for authorization, to intercept these requests.

The API Gateway is set up to handle both authentication and authorization to securely access resources:

  • Authentication: The API Gateway checks the access token in the request header to validate the user's identity. This process involves communicating with IAM to verify the token. If the token is invalid, the request is rejected with a 401 status code (unauthenticated).

  • Authorization: After authentication, the API Gateway ensures the user has permission to access the requested resource. The API gateway uses token introspection to retrieve the list of authorized resources for the user (the owner of the access token) by communicating with IAM. If the user is not authorized to access a resource, the request is rejected with a 403 response.

    • Authorization in Expertflow CX is implemented using Role-Based Access Control (RBAC). When a request is made to access a resource, the API gateway checks for the authorized roles and scopes. Regarding roles, Expertflow CX has various roles, such as agent, supervisor, quality manager, etc. Each role has its own set of permissions and access levels for specific resources. These permissions and access levels are configurable and can be adjusted based on the use case. See API Authorization - Configuration/Customization Guide.

This strategy centralizes the authentication and authorization layer, offloading this critical security task from backend services and allowing for full utilization of API Gateway's feature set.

Examples

Security Type

Role(s)

Scope(s)

Authorized

Token Embedded

Response (Front-end)

Response (Postman)

Authentication

Any

Any

Yes

No

Image 2

CODE
HTTP/1.1 401 Unauthorized
401 Authorization Required

Authorization

agent

GET

Yes

Yes

Image 1

CODE
HTTP/1.1 200
<expected-response>

Authorization

agent

POST, PUT, DELETE

No

Yes

Image 2

CODE
HTTP/1.1 403 Forbidden
{"error":"access_denied","error_description":"not_authorized"}

Authorization

supervisor OR admin

GET, POST, PUT, DELETE

Yes

Yes

Image 1

CODE
HTTP/1.1 200
<expected-response>

Authentication + Authorization

supervisor OR admin

GET, POST, PUT, DELETE

Yes

No

Image 2

(with 401/403)

CODE
HTTP/1.1 401 Unauthorized
401 Authorization Required
Image 1-20250818-143107.png

Image 1

Image 2-20250818-143155.png

Image 2

Secured Components

Following components are secured with API gateway:

  • Agent Manager

  • Bot framework

  • Customer Channel Manager

  • CIM Customer

  • Conversation Manager

  • Conversation Monitor

  • License Manager

  • Routing Engine

  • Team Announcement

  • File Engine

  • Unified Admin

  • Quality Management

  • Campaigns

  • Surveys

  • Historical Reports

  • Business Calendars

  • Scheduler

The following APIs, belonging to secure components, are unauthenticated.

CODE
POST /agent-manager/agent/login
GET /agent-manager/socket.io/
POST /agent-manager/agent/refresh-token
POST /agent-manager/agent/send-sms-otp
POST /agent-manager/agent/register-phone
POST /agent-manager/agent/validate-otp
GET /ccm/widget-configs/{{WidgetIdentifier}}
GET /ccm/agents/{{}}
GET /ccm/channels/service-identifier/{{serviceIdentifier}}
GET /ccm/message
POST /unified-admin/forms/getAllFormTitles
POST /unified-admin/forms/{{formID}}

/unified-admin/keycloakLogin (all routes)
/unified-admin/tiny-url (all routes)
/unified-admin/formValidation (all routes)
/unified-admin/agent-desk-settings (all routes)
/unified-admin/locale-setting(all routes)

Documents for Application Gateway configurations:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.