BFF API
The BFF (Backend for Frontend) API is the gateway between the Cogrion UI and the services running inside tenant clusters. It runs inside the tenant cluster itself, close to the services it proxies.
What It Does
Services like Superset, Airflow, and JupyterHub run inside the tenant's cluster and are not directly reachable from the internet. The BFF bridges this gap: it exposes these services to the Cogrion UI over a consistent API and handles authentication so the UI does not need to know how each individual service authenticates.
Token Exchange — When the Cogrion UI makes a request through the BFF, the BFF validates the user's Keycloak access token, then exchanges it for a service-specific token scoped to the target backend. Each backend service is registered as a separate Keycloak client. The exchanged token is cached to avoid unnecessary round-trips to Keycloak on every request.
Caching
The BFF uses Valkey (a Redis-compatible cache) for session and token caching. Exchanged tokens are cached to avoid a round-trip to Keycloak on every request from the same user session.
How It Relates to Other Services
| Service | Relationship |
|---|---|
| Keycloak | Validates inbound tokens and performs token exchange for each target service. |
| Valkey | In-cluster cache for exchanged tokens and session state. |
| Superset | Proxies SQL Lab, Queries, and Dashboard requests. |
| Airflow | Proxies Workflow requests. |
| JupyterHub | Proxies Workspace (notebook) requests. |
| MLflow | Proxies Experiments and Models requests. |
| Ranger | Proxies Data Access Management policy grant/revoke requests. |
| Datahub | Proxies Catalog metadata requests. |
Go Deeper
- Security → Token Exchange and Data Access
- Core Platform → Keycloak