.../cdn-cgi/access/get-identity ->{"err":"could not retrieve identity"}
As the title says. When I try to get the identity of the current gateway user I get the following response. Does anyone have an idea?
@kian I saw a message from you about it. Do you maybe have the time to help or give me a hint what's wrong here?
When I access teamname.cloudflareaccess.com/cdn-cgi/trace I get
gateway=on
warp=on
So it's not the split tunnel.
I also tried the JWT from the cf-access-jwt-assertion and cookie headers, but neither worked.
Are you following https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/application-token/#user-identity ?
You need to use the identity_nonce part of the JWT payload when making the request.
Ah, so I first have to "decode" the JWT and take the identity_nonce from the payload?
@Cyb3r-Jok3 I just decoded the JWT payload and I don't have the identity_nonce field in it.
OK, after some testing:
It works with applications where I have an allow/block policy.
It doesn't work with Service Auth policies.
Is there anything I have to change to get it working with service auth?
TBH I just need the email. And I can't use an Allow rule instead of the service auth because it's a REST API which is protected with it.
Service auth doesn’t have any identity information as it isn’t tied to a user.
So there is no solution?
Yeah, if you are using service auth. What information would you want to get from it anyway?
Email
At least
So currently I'm using gateway and service auth to allow access to my REST API.
Is there an alternative way?
Which gives me the jwt with identity?
Does an allow rule work with service auth? Never done it but it might work
I have a policy in the application with the type service auth
When I change it to allow I need to log in and get redirected to the login page when I want to access my API.
I’ll have to play around with it after work to see if I can get anything to work. You just want the service auth email right?
I want to use a service auth policy to log in users with gateway, and in the app I somehow need the email of the user through Cloudflare.
Thank you so much.
Wait I’m confused. Service auth isn’t for logging in other people but allowing scripts to use Cloudflare. If you’re calling it from a script you’d probably have to add a field to a JSON body or have a header that has the email.
Yeah, but there is also the service auth action in policies.