API Authentication using APISIX
As an API gateway, Apache APISIX is deployed behind the CX ingress controller specifically to handle Keycloak authentication for requests bound for CX services. The CX ingress controller forwards incoming traffic to APISIX, and configuring APISIX's OpenID Connect (OIDC) plugin to integrate with Keycloak enables APISIX to intercept these requests.
APISIX is set up to:
Check for the required authentication token in the request header automatically.
Reject unauthenticated or improperly tokenized requests with a 401 status code.
Ensure only successfully validated requests proceed to the CX services.
This strategy centralizes the authentication layer, offloading this critical security task from backend services and allowing for full utilization of APISIX's feature set.
Limitation
The file engine CX API is not secured.
CX Secured Components
The following components are secured with APISIX:
Agent Manager
Bot framework
Customer Channel Manager
Cim Customer
Conversation Manager
Conversation Monitor
License Manager
Routing Engine
Team Announcement
The following APIs, which belong to secured components, are unauthenticated:
POST /agent-manager/agent/login
GET /agent-manager/socket.io/
GET /ccm/widget-configs/{{WidgetIdentifier}}
GET /ccm/agents/{{varibale}}
GET /ccm/channels/service-identifier/{{serviceIdentifier}}
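An added example (not taken from the CX or APISIX documentation): a Python check that matches requests against the unauthenticated-endpoint list above by exact method and path, then flags gateway records where a request to a protected API carried no token but was not answered with 401. The record layout, the sample records and the `/agent-manager/agents` path are constructed for illustration, and the code assumes each `{{...}}` placeholder stands for exactly one path segment.

```python
import re

# Unauthenticated endpoints, copied from the list on this page.
EXEMPT = [
    ("POST", "/agent-manager/agent/login"),
    ("GET", "/agent-manager/socket.io/"),
    ("GET", "/ccm/widget-configs/{{WidgetIdentifier}}"),
    ("GET", "/ccm/agents/{{varibale}}"),
    ("GET", "/ccm/channels/service-identifier/{{serviceIdentifier}}"),
]

def _compile(template):
    """Turn a path template into an anchored regex; each {{name}} placeholder
    matches exactly one non-empty path segment (assumption)."""
    parts = re.split(r"\{\{[^}]+\}\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")

_RULES = [(method, _compile(path)) for method, path in EXEMPT]

def is_exempt(method, target):
    """True only if method and path match a listed endpoint exactly."""
    path = target.split("?", 1)[0]  # the query string is not part of the match
    low = path.lower()
    # Fail closed: dot segments and encoded '/' or '.' are never exempt.
    if any(seg in (".", "..") for seg in path.split("/")) or "%2f" in low or "%2e" in low:
        return False
    return any(m == method.upper() and rx.match(path) for m, rx in _RULES)

def audit(records):
    """Return protected requests that carried no token yet were not answered 401."""
    return [(m, t, s) for m, t, has_token, s in records
            if not is_exempt(m, t) and not has_token and s != 401]

# Constructed records: (method, request target, token present?, status)
SAMPLE = [
    ("POST", "/agent-manager/agent/login", False, 200),      # listed, allowed
    ("GET", "/ccm/widget-configs/web-widget-1", False, 200),  # listed, allowed
    ("GET", "/agent-manager/agents", False, 401),             # protected, rejected
    ("GET", "/agent-manager/agents", False, 200),             # protected, NOT rejected
    ("GET", "/ccm/agents/abc/extra", False, 401),             # extra segment: protected
    ("GET", "/agent-manager/agents", True, 200),              # token present
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("unauthenticated request reached a protected API:", finding)
```

Matching on the anchored path rather than a prefix keeps an exemption such as `/ccm/agents/{{varibale}}` from also covering deeper paths under it.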
Documents for APISIX configurations:
Document to configure the Authentication Token lifespan in Keycloak
API authentication integration guide for third-party components
Any third party using CX APIs from the secured components listed above must follow the API Authentication Integration Guide for third-party components before directly invoking the APIs.