Request for Guidance on Securing Kogito BPMN APIs


Pawan Saha

Jun 6, 2025, 4:15:50 PM
to Kogito development mailing list

Hello Sir,

I hope you're doing well. Could you please advise on the following queries? I want to secure my Kogito BPMN-generated APIs using SSL and token-based authentication.

  1. How can I enable OAuth token-based authentication for the BPMN-generated endpoints in a Quarkus-based Kogito application?

  2. Once a user sends a valid JWT token, how can I securely invoke a BPMN process from a custom controller and pass input parameters to it?

  3. How can I implement role-based authentication?

Below is the controller code:
// Jakarta EE 10 package names (Quarkus 3); older Kogito builds use the javax.* equivalents.
import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
import org.eclipse.microprofile.openapi.annotations.security.SecurityRequirement;
import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
import jakarta.ws.rs.Path;
import io.quarkus.security.Authenticated;
import jakarta.annotation.security.RolesAllowed;

// Declares the "bearerAuth" scheme for the generated OpenAPI document so Swagger UI offers a token field.
@SecurityScheme(
    securitySchemeName = "bearerAuth",
    type = SecuritySchemeType.HTTP,
    scheme = "bearer",
    bearerFormat = "JWT",
    description = "Enter JWT Bearer token"
)
@Path("/v1")
// @Authenticated
@SecurityRequirement(name = "bearerAuth")
// @RolesAllowed("abcNonProdWriter")
public class WorkflowController { ...... }

Rhett S

Jun 6, 2025, 4:45:14 PM
to kogito-de...@googlegroups.com
Given that the code and endpoints are auto-generated, I suspect securing them in the way you want to will be challenging, problematic, and/or impossible.
I would recommend having a middleware service in between your client and your Kogito service. The middleware service does the authn/authz with upstream, and the Kogito service can only receive requests from the trusted middleware service. That API call in between the mw and Kogito services is protected via network/firewall rules.

The middleware service does authn/authz, and then routes the request to the derived Kogito endpoint. If the endpoint doesn't exist, throw a 400.
The golang chi router would be a great solution for the middleware service. Fast and simple.
Rhett

--
You received this message because you are subscribed to the Google Groups "Kogito development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kogito-developm...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kogito-development/947dd31b-7c7f-48c4-a0b9-b394526ad5d7n%40googlegroups.com.

Pawan Saha

Jun 12, 2025, 11:51:37 PM
to Kogito development mailing list

Hello Rhett,

Thank you for your response and helpful suggestions.

As a follow-up, here's the approach I implemented:

  1. I created a new controller with an SSL-enabled endpoint.

  2. Within the service layer, I integrated token validation using AWS Cognito.

  3. Upon successful validation, I invoked the auto-generated BPMN APIs.

I just wanted to confirm if this approach aligns with best practices or if there are any improvements you would recommend. Appreciate your guidance.

Best regards,
Pawan

Rhett S

Jun 13, 2025, 4:15:09 PM
to kogito-de...@googlegroups.com
Yea, that works, but I wouldn't do it.
Keep in mind that if a service makes an internal HTTP call from one controller to another, the service will consume double the thread usage for requests.
Thus, your service architecture has a fundamental scaling problem.
The simplest mitigation is doubling the size of your thread pool.
What you're doing is reasonable for a non-enterprise solution. Just submit a tech-debt ticket and know the implications.

Gulzaib Gondal

Jun 13, 2025, 9:10:19 PM
to Kogito development mailing list
I had a similar kind of requirement and implemented a request filter.

Filters become reusable too; you just need to add the dependency to any Kogito workflow deployment, and they will automatically be included.
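A request filter of the kind Gulzaib describes, written as an added example (not code from this thread or from the Kogito project): it enforces bearer authentication and one role per process path on the generated BPMN endpoints without editing the generated classes. The class name, role names, path-to-role map and the Cognito properties in the comment are assumptions.

```java
import java.util.Map;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.inject.Inject;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

/*
 * Assumes the quarkus-smallrye-jwt extension is installed and configured in
 * application.properties to verify the issuer's tokens. For AWS Cognito that is
 * (placeholders; region and pool id come from your deployment):
 *   mp.jwt.verify.publickey.location=https://cognito-idp.<REGION>.amazonaws.com/<POOL_ID>/.well-known/jwks.json
 *   mp.jwt.verify.issuer=https://cognito-idp.<REGION>.amazonaws.com/<POOL_ID>
 *   smallrye.jwt.path.groups=cognito:groups   (expose Cognito groups as roles)
 */
@Provider
public class BpmnEndpointAuthFilter implements ContainerRequestFilter {
    // First path segment of a generated process resource -> role allowed to call it.
    // Constructed sample values; "orders" stands for a process whose id is "orders".
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
            "orders", "abcNonProdWriter",
            "approvals", "abcNonProdApprover");
    @Inject
    SecurityIdentity identity;

    @Override
    public void filter(ContainerRequestContext ctx) {
        String role = REQUIRED_ROLE.get(firstSegment(ctx.getUriInfo().getPath()));
        if (role == null) {
            return; // not a guarded process path (health, metrics, OpenAPI, ...)
        }
        // A missing Authorization header leaves the identity anonymous; a token that
        // fails signature, issuer or expiry checks is rejected with 401 by the JWT
        // extension before this filter runs.
        if (identity.isAnonymous()) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer").build());
        } else if (!identity.hasRole(role)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    // "/orders/123/tasks" -> "orders"; UriInfo.getPath() may omit the leading slash.
    static String firstSegment(String path) {
        String p = path.startsWith("/") ? path.substring(1) : path;
        int slash = p.indexOf('/');
        return slash < 0 ? p : p.substring(0, slash);
    }
}
```

Packaged as its own jar, the filter is picked up by any Kogito deployment that adds it as a dependency, which is the reuse Gulzaib refers to.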

Kunal Kishan

Jun 14, 2025, 9:18:05 AM
to Kogito development mailing list

If you are already using the jBPM tool set,

- You can explore Keycloak as an authorization server where permissions can be added for the role
- Have a thin server whose only job is to proxy requests to the rule engine
- This thin layer (proxy) should do audit; it should have a connection to the Keycloak server
- This thin layer should be using Servlet 3.0
- Get your non-functional requirements: 10 TPS, 30 TPS ....., operating hours

Gulzaib Gondal

Jun 14, 2025, 10:49:13 AM
to kogito-de...@googlegroups.com
For Kogito, an evaluated proxy will introduce another point of failure and has to be managed, unlike filters, which become part of the Kogito deployment itself.


Dominik Hanak

Jun 16, 2025, 1:47:17 AM
to kogito-de...@googlegroups.com
Hello everyone,

Just wanted to note that Kogito is now in KIE at Apache.
Check out the website[1] and post the question in our Zulip[2]
if you want to reach the active contributors.

Dominik
