Can I authenticate users for applications behind CF's Zero Trust with CF's WARP?
When one is using Cloudflare Zero Trust with authentication and so on, can one use Cloudflare's WARP to authenticate a user? I am asking as I seem to be prompted to authenticate even though Cloudflare's WARP is running.
The problem that I actually want to solve is a REST API behind Cloudflare Zero Trust, that is consumed by Apps, Browser Extensions and Web Clients that use Service workers. None of those seem to be compatible with Zero Trust. Any hint how to solve that without the requirement for that web authentication part would be much appreciated!
13 Replies
For authentication with WARP, check out https://developers.cloudflare.com/cloudflare-one/identity/devices/warp-client-checks/require-gateway/
You will need to set the action for the Policy as "Service Auth".
Thanks @Erisa | Support Engineer for your reply, yet I seem to miss something. So I added that Gateway check to the WARP client checks. Then I created a new policy, and added there under "Create additional rules" the "Gateway" as Include rule. (Didn't assign any groups though.)
The type of the policy is an "Allow" Action
But whenever I try to access the application I always see the web interface for the authentication / redirect.
Ahh, "you will need to set the action for the Policy as "Service Auth""
Missed that. I'll try that.
Hm, no, no change. Even with "Service Auth" now as Action I still see the regular web login.
This is the config that's working on mine:
I also recommend checking if your WARP client is set up correctly by using https://help.teams.cloudflare.com/
It should display the right Team name
That's exactly how my config looks too.
Thanks for that help page!
Could this Gateway proxy be the problem?
Sorry to take so much of your time.
Your help is much appreciated!
Likely, I think that means that you don't have Proxy enabled on https://one.dash.cloudflare.com/?to=/:account/settings/network
Give it a try and see. After changing the setting you may need to restart the WARP client on the machine.
Thanks, I'll take a look!
Worth noting I think the priority here might matter and the service auth should be on top
The checkbox did the trick.
The priority doesn't matter as far as I can say
(it's second in my settings and works like that).
As always amazing. Thanks a lot Erisa for your help, much appreciated!
Thanks for confirming about the priority and glad you got it working