Integrating Reverse Proxy with Auth Server for Token Verification

In different scenarios, the API authentication method varies slightly:

  1. When using only the reverse proxy, API requests require only the id_token.

  2. When the reverse proxy is used in conjunction with APIs registered in digiRunner, both the id_token and access_token must be provided to ensure compliance with digiRunner's authorization mechanism.

This chapter uses the second scenario, a reverse proxy combined with APIs registered in digiRunner, as the primary use case.

Configuring Reverse Proxy in digiRunner

  1. Log in to digiRunner with your user account, and go to System Configs > Static Webpage Reverse Proxy to access the management page for static webpage reverse proxy.

  2. On this page, you will see a list of all reverse proxy configurations set up in digiRunner. These configurations define how incoming external requests are routed to designated static webpage targets.

  3. Click Create to access the creation page.

  4. Fill in the fields as instructed below:

  • Name*: Enter a meaningful name to be used as the URL path after reverse proxying.

  • Status*: Select Active to enable the configuration.

  • Enabled Items: Check the Auth option to enable authentication via the Auth Server.

  • Target URL*: Enter the actual destination URL that will receive the proxied requests.

  • Ignore API: Specify any API paths under the Target URL that should be excluded from API Gateway handling. These paths will be routed directly to the original backend or frontend service, bypassing digiRunner.

  5. Click Create to save and activate the reverse proxy configuration.

Enhancing API Monitoring by Registering APIs in digiRunner

Registering reverse-proxied APIs into digiRunner allows you to leverage its built-in monitoring and access control capabilities—features that are not available through reverse proxy alone.

  1. Go to API Management > API Registry to access the API registration page.

  2. Click CUSTOMIZE to customize the API configuration.

  3. Fill in the fields as instructed below:

  • Target URL*: Enter the full URL of the reverse-proxied API to be registered.

  • API Name*: Enter a meaningful name to easily identify the API.

  • digiRunner Proxy Path*: Define the URL path mapped to the API after it is proxied by digiRunner.

  • HTTP Methods*: Select the HTTP methods supported by the API.

  • Click Registry to complete the registration process.

  4. Once the necessary APIs are registered, return to the API List page to view the newly added proxy API entries available for monitoring and management.

Verifying Reverse Proxy and Auth Server Integration via Browser

  1. Open a browser and navigate to the configured proxy URL. If configured properly, the proxy should redirect to the GreenSwift login page, indicating the reverse proxy is functioning.

  2. Open the browser’s Developer Tools (F12), and log in to the GreenSwift system.

  3. Monitor the network activity for the following behaviors:

  • A successful request to the token API, returning both an ID Token and an Access Token.

  • The proxy API calls are successfully processed, allowing access to the main system dashboard.

  4. During authentication validation, note that APIs defined in the Ignore API field are excluded from Gateway-level authentication. As shown in the figure below, if /api/version is included in the Ignore API field, the API version information can be accessed directly from the browser without requiring authentication.

  5. If /api/version is removed from the Ignore API field, it will be routed through the API Gateway. As shown in the figure below, when accessed via browser, the request is validated by the Auth Server, and a "401 Unauthorized" error is returned if authentication fails.
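The last two checks can be scripted so that a path left in Ignore API by mistake shows up without opening a browser. The following is an added example, not digiRunner code: it sends requests with no id_token or access_token and compares the status codes with the list of paths meant to be public. The host gateway.example, the proxy name my-proxy, the paths /api/users and /api/export, and the exact-string comparison of paths are assumptions of this example.

```python
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx (e.g. a bounce to the login page) instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(base_url, path, timeout=5):
    """Send one GET with no id_token or access_token; return the status code."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(paths, intended_public, fetch):
    """Compare unauthenticated responses with the intended Ignore API list.

    paths: API paths to probe; intended_public: paths the operator meant to
    put in Ignore API (compared by exact string, an assumption of this example);
    fetch: callable mapping a path to an HTTP status code.
    """
    findings = []
    for path in paths:
        status = fetch(path)
        if path in intended_public:
            if status == 401:
                findings.append((path, status, "in Ignore API but still challenged"))
        elif 200 <= status < 300:
            findings.append((path, status, "served without tokens, not in Ignore API"))
    return findings

# Constructed sample: status codes an unauthenticated client might observe.
SAMPLE = {"/api/version": 200, "/api/users": 401, "/api/export": 200}

if __name__ == "__main__":
    # Offline demo against the constructed sample. For a live check, use
    # fetch=lambda p: http_status("https://gateway.example/my-proxy", p)
    for finding in audit(SAMPLE, {"/api/version"}, SAMPLE.get):
        print(finding)
```

An empty result means every probed path outside the intended list was refused or redirected when no tokens were sent.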
