Is there something like Cf-Access-Authenticated-User-Email for Gateway?
I'm building an app which is only accessible via Gateway. Now the question in the title, so I don't have to implement some second-level login system.
11 Replies
You can get the user identity from the endpoint described here: https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/application-token/
In any case, it's highly recommended that you validate the JWT received, so in the same location you can fetch the user details
Application token · Cloudflare Zero Trust docs
Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this:
thank you
@PurpleBlob quick question. I installed Cloudflare One Agent on my Android phone, but when I go to help.teams.cloudflare.com it says I'm not connected. Same on /cdn/cgi/trace.
When I connect to WARP on my MacBook, both pages work.
Hmm, I'm not sure I can help too much with that as I've never used it on Android myself, and I've never heard a similar issue from anyone on our team, sorry
I got it.
When I tried cloudflare.com/cdn-cgi/trace it didn't work, but after I changed cloudflare.com to one of my domains it worked.
weird
Where do I find the CF_Authorization JWT?
That JWT only exists for "Access", to my understanding, and will not be applied if you use a bypass rule.
From the doco itself: "Cloudflare Access includes the application token with all authenticated requests to your origin"
You mentioned you are using Gateway. Can you confirm how you have published the app? (e.g. you can do the tunnel, but then you would create it in the Access section, unless you are just routing directly via Gateway)
@semaja2 it's deployed via Workers
and then I set a domain and added the domain to the application in Cloudflare Zero Trust Access.
I checked the JWT which I get in the service auth, but it doesn't contain any information about the identity of the user.
Is there another way to get the user info of the Gateway user?
tbh I just need the email. And I can't use an Allow rule instead of the service auth because it's a REST API which is protected with it.
Out of interest, have you checked for the "cf-access-user" header? Curious if it makes it to the worker, but that will just be the user's email address.
Looks like there may also be the "Cf-Access-Authenticated-User-Email" header.
No, but when I don't use service auth I would get it.
Ah, I understand what you have going on. I have similar issues with REST APIs, so I use WARP/Gateway to restrict access without the auth prompts.
Sounds like this may need to be a feature request. I really wish Gateway/Access were more integrated; it would be useful for Gateway to permit "allow" rules but detect WARP/Gateway and inherit the user details without prompting for auth. It would also avoid doubling up on the rules between Gateway/Access to control who can access it.
exactly
Was just adding a new application and saw this pop up....