You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.
Case-Modelling has been in beta stage in the Blueriq 15 major. At the latest minor, all Blueriq 16.0 changes have been merged back to Blueriq 15.13. From this point on Case-Modelling is out of beta and can be used.
Please make sure to upgrade to at least Blueriq 15.13 when using Case-Modelling, possibly in a production environment. Earlier minor versions are not supported.
Introduction
The Gateway Service acts as gateway between your front facing applications and your APIs. Instead of directly letting the front facing applications talk to the Blueriq APIs it will first pass through the Gateway Service. The Gateway Service routes the traffic which comes into the service to the appropriate API, by doing so this service is able to enhance requests and response messages from and to the APIs.
Installation
The Gateway Service is a standalone application. The corresponding JAR file can be found in the release zip or in Artifactory: https://artifactory.blueriq.com/artifactory/libs-release/com/blueriq/blueriq-gateway-service/. The JAR file needs to be deployed to a supported application server, see Installing Runtime. The application requires a config location to specify the configuration outlined below. Note that the DCM 2.0 beta installation includes the Gateway Service including configuration.
System requirements
Minimal
2 CPU cores
256 MB Heap
Recommended
2 CPU cores
512 MB Heap
Third party tools
Keycloak
The Gateway Service uses an OpenId Connect Provider such as Keycloak to authenticate requests with. To find out the supported version of Keycloak, please visit the Current platform support page. The Gateway Service should be able to connect to the Keycloak instance.
Ideally, Keycloak runs on its own dedicated server, with sufficient resources. We refer to the website of Keycloak for advice on hardware requirements.
Redis (optional)
The Gateway Service uses a Redis cache to offload session state. This is to guarantee that the Gateway Service keeps working in a multi-node setup. This option is optional. To find out the supported version of Redis, please visit the Current platform support page. The Gateway Service should be able to connect to the Redis instance.
Ideally, Redis runs on its own dedicated server, with sufficient resources. We refer to the website of Redis for advice on hardware requirements.
Features
Routing
The main feature of the Gateway Service is for it to be a gateway between your front facing applications and your APIs. This is done by configuring routes in the Gateway Service. These routes are essentially path mappings between requests and APIs.
Backend For Frontend(BFF)
One of the features of the Gateway Service is to let it act as a Backend For Frontend. By doing so we ensure you that security tokens are not sent to your front facing application, but rather stay behind the Gateway itself. As security tokens in front facing applications tend have a security risk we mitigate that by only sending a Secure Session Cookie to front facing applications. To let the Gateway service act a BFF, additional configuration and an OpenID Connect Identity Provider, such as Keycloak, are required.
The diagram below describes the flow that a user goes through when first accessing the authenticated resources through the Gateway Service.
Auth flow
The diagram above is a simplified version of the actual login flow to illustrate how OAuth is integrated when using the Gateway Service. The "verify token in session" checks whether the current HTTP Session contains a token or not if it does then it will be added to the API request.
The authenticate flow from the gateway to Keycloak is in reality the OAuth Authorization Code Flow, where the intermediate requests for token exchanges are intercepted by the Gateway so that no token information is leaked to outside of the gateway. Once the token is acquired the gateway will send a Secure Session Cookie back to frontend.
Token management
The Blueriq Gateway Service automatically manages access tokens by refreshing them when required. The validity of access tokens and refresh tokens can be configured in the Identity Provider. For Keycloak, this can be done on the Tokens
tab in the Realm Settings
. The access token can be configured using the Access Token Lifespan
setting. The refresh token validity is equal to the smallest value among the SSO Session Idle
, Client Session Idle
, SSO Session Max
, and Client Session Max
settings on the same tab. For more information on these settings, please refer to the Keycloak documentation.
Configuration
Keycloak
Configuration
This guide assumes that you already have admin access to a running Keycloak instance.
The following things should be configured in Keycloak:
- A realm
- A client for the Gateway service
- Valid origins
- Here you should list the urls on which the frontend is accessible
- Valid redirect urls
- Here you should list the urls that can be used to redirect to after successfully logging in with Keycloak
- Roles
- The roles that are used in the application
- RoleMapper
- A mapper that specifies how the roles are translated into the token
- The backend expects the roles to present in the 'roles' claim
- A mapper that specifies how the roles are translated into the token
- Valid origins
- A client for the Gateway service
- Users
- Role mappings for the roles available in the client configured above.
Tip
In Keycloak, you can see the id-tokens via clients → <client> → clients-scopes → evaluate → <user>. This could be helpful for debugging purposes.
For more information, please refer to: https://openid.net/connect/ and https://www.keycloak.org/.
An example realm export can be found here:
Environment Configuration
Due to that Keycloak will be running behind a proxy it is important that Keycloak is configured to run behind a proxy. To set this up the following environment variable need to be set:
Environment variable | Value |
---|---|
KC_PROXY | passthrough |
KC_HOSTNAME_STRICT | false |
PROXY_ADDRESS_FORWARDING | true |
Gateway Service
In order to configure the Gateway Service, a blueriq-gateway-service
.yml
file needs to be present spring.config.additional-location
. Here, you can specify the routes on which the Blueriq APIs are running and configure your OpenID Connect provider.
Route configuration
Routes are configured by setting a combination of properties: a route consists of an id, uri, predicates and filters. The id, uri an predicates properties are required when configuring a route.
Property | Description | Example |
---|---|---|
id | Identification of the route | Runtime |
uri | URI to which the gateway proxies the request | http://localhost:20000 |
predicates | Predicates which are tested against the request | Path=/runtime/** Matches all requests which start with /runtime |
filters | Filters which can be applied to the request or response | PrefixPath=/dcm-dashboard Adds a /dcm-dashboard path prefix to the downstream requests. This should be the context path where the target is running on. |
Runtime dashboard routing
The Gateway is a mandatory Service when using DCM in fail-over scenario, this is due to that a different Frontend solution is used to separate HTTP Sessions from each other. Each widget in a DCM dashboard gets its own HTTP Session. This is achieved by providing an additional filter to a Runtime or Runtime cluster route: The WidgetSession filter. This filter must contain the context paths on which the route is registered. The value can be a comma separated list when the route contains multiple path predicates.
OpenID Connect Provider configuration
To the use the BFF feature of the Gateway, at least one OpenID Connect Provider needs to be configured.
Route configuration
Routes to an OpenID Connect Provider needs to be configured with two additional filters, the RewriteLocationResponseHeader and BackendForFrontend filter.
OpenID Connect Client configuration
The Gateway Service acts as an OpenID Connect client and therefore it needs to be configured as well. This however comes with some tricky configuration. All of the authentication requests pass through the gateway itself, including requests to gather configuration of the OpenID Connect resource server. This can result in startup failures when not configured properly.
The client provider needs to have the token-uri, authorization-uri, jwk-set-uri properties configured to exchange and validate tokens against. These URIs should point to the host and port where the Gateway is running on; not to Keycloak itself.
The client-id should match the name of the client configured in Keycloak. Make sure the client access type is set to public in Keycloak.
The redirect-uri should point to a redirect location of the registered client, this is built up by a expandable base url and the login path. The base url is split into the scheme, host, port and path, so that we are able to support the Gateway Service running behind a Proxy server. The login path always consists of the following composition: /login/oauth2/code/<registrationId>. In our example, this would become /login/oauth2/keycloak.
building the redirect-uri
Because the Gateway Service might run behind a Proxy server, it uses the X-Forwarded and Host headers when building redirect-uri. If the uri is configured to be expandable by using for example ${baseHost}
in the uri, then the X-Forwarded-Host or Host header will be used as its value.
Running behind a virtual context root
It is possible that you are running the Gateway behind a virtual context path in your proxy.
Typically this context path is removed when moving to your infrastructure behind the proxy. The Gateway Service is required to build URLs which are send back to client. In case you are running behind such context path, you will need to adjust and assign two properties to include that context path:
blueriq.gateway.post-logout-uri-contextPath - needs to be set to the context path, in order to build the correct post logout redirect url.
spring.security.oauth2.client.registration.keycloak.redirect-uri - needs to be altered to include the context path, between the {basePath}
and /login/oauth2/code/keycloak
url.
Since we are not able to use the issuer-uri we need to provide some extensions to our oath2 registration. In order for the Gateway Service to logout and login properly we need to provide the end-session-endpoint in the blueriq.gateway.oauth2.registration-extensions. Each registered spring.security.oauth2.client.registration is expected to also have blueriq.gateway.oauth2.registration-extensions properties mapped. In the registration-extensions the end-session-endpoint need to be provided for the corresponding client.registration.
External Session Configuration
To enable support for session offloading, the Gateway Service needs to be configured to connect to a Redis instance. This can be done via the following example:
By default the Gateway Service stores its session in memory.