The Identity Bridge
Modernizing apps behind an existing reverse-proxy shouldn't mean modifying 10-year-old junctions. Using APISIX + Keycloak as a smart brokering layer, we can bridge existing sessions to modern JWTs with zero user friction and absolute routing stability.
Cloudflare vs Gateway
Cloudflare is the Digital Switch (L7 Routing). APISIX is the Identity Gateway (Contextual Security). They work together to ensure traffic is both routed and trusted.
The Silent Hand-off
If a user is already logged into the existing portal, Keycloak performs a 'Silent OIDC' bounce back to the existing IdP. Fast, invisible, and secure.
RelayState Integrity
Deep links are preserved across the entire auth loop. Users land exactly where they started, even after a full existing login challenge.
What is the Strangler Pattern?
The Strangler Fig Pattern is an architectural approach to migrating legacy systems by gradually replacing specific functionalities with new services.
Instead of a "Big Bang" migration, we place a Smart Proxy (APISIX) at the edge. As we build modernized applications, we "route" traffic away from the existing system to the new one.
The biggest challenge? Identity. If the user has a session in the existing system, they shouldn't have to log in again. That is what this Identity Bridge solves.
- 01 Place APISIX Gateway at the Edge
- 02 Federate Existing IDP into Keycloak
- 03 Route Modernized App via APISIX
- 04 Execute Silent Auth (Scenario A)
Interactive Flow Sandbox
Step through the logic used by modern enterprise architects to strand legacy dependencies.
Architectural Q&A
Q: How does Cloudflare know about the identity context?
A: Cloudflare remains identity-agnostic. It handles Layer 7 routing (the 'Pipe'). APISIX and Keycloak handle the 'Passport Check'. Cloudflare moves the user to the gateway; the gateway identifies the user.
Q: Why use OIDC Federation for an existing system?
A: By treating the existing system as a 'source' for Keycloak, we avoid modifying 10-year-old junctions every time we add a new modernized app. Keycloak handles the 'Identity Translation' layer.
Q: Doesn't centralizing auth lead to a loss of team control?
A: Actually, it's the opposite. Business logic for authorization moves to the edge as policy-as-code (OPA). Teams can define their own security rules while the gateway handles the heavy lifting of enforcement and identity normalization.
Q: Isn't the 'double-hop' (APISIX + Keycloak) too slow?
A: The latency added by the bridge is negligible (single-digit ms) compared to the massive overhead of vendor SDKs and proprietary cookie parsing within every microservice.
Q: How do we handle instant revocation with stateless JWTs?
A: We implement the BFF (Backend for Frontend) Pattern. The browser holds an opaque session ID, but the gateway maintains a stateful reference in Redis. Deleting one key in Redis instantly kills the identity bridge for that user.
Q: Is this actually safer than a consolidated 'Proven Tank' proxy?
A: Yes. The Strangler Pattern provides fault isolation. We modernize one app at a time. If the bridge has an issue, it only affects the modernized stack, not the entire existing enterprise.
Q: What happens if the user logs out of the modernized app?
A: We implement Backchannel Logout. The gateway notifies the existing IdP, ensuring that session termination is synchronized across both 'Existing' and 'Modernized' environments, preventing zombie sessions.
Q: How do we ensure we aren't just trading one vendor lock-in for another?
A: The Bridge uses standard OIDC Discovery and JWKS. Swapping 'Keycloak' for 'Auth0' or 'Okta' is a zero-code configuration change at the APISIX level. The Gateway remains the stable anchor for your architecture.
Q: What happens if the user has no session (Scenario B)?
A: The gateway triggers an OIDC flow. Keycloak detects no session and redirects to the existing login page. The 'state' (RelayState) preserves the user's deep-link destination through the entire dance.
No Junction Modifications. No Downtime.
The APISIX Gateway remains the single source of truth for your modernized stack. Traffic flows through Cloudflare, hits our smart edge, and is brokered back to existing identity — leaving your core business logic untouched.
Back to Dashboard