BFF API
The BFF (Backend for Frontend) API is the gateway between the Cogrion UI and the services running inside tenant clusters. It runs inside the tenant cluster itself, close to the services it proxies.
What It Does
Services like Superset, Airflow, and JupyterHub run inside the tenant's cluster and are not directly reachable from the internet. The BFF bridges this gap: it exposes these services to the Cogrion UI over a consistent API and handles authentication so the UI does not need to know how each individual service authenticates.
Token Exchange — When the Cogrion UI makes a request through the BFF, the BFF validates the user's Keycloak access token, then exchanges it for a service-specific token scoped to the target backend. Each backend service is registered as a separate Keycloak client. The exchanged token is cached to avoid unnecessary round-trips to Keycloak on every request.
How It Relates to Other Services
| Service | Relationship |
|---|---|
| Keycloak | Validates inbound tokens and performs token exchange for each target service. |
| Superset | Proxies SQL Lab, Queries, and Dashboard requests. |
| Airflow | Proxies Workflow requests. |
| JupyterHub | Proxies Workspace (notebook) requests. |
| MLflow | Proxies Experiments and Models requests. |
Go Deeper
- Security → Token Exchange and Data Access
- Core Platform → Keycloak