.../cdn-cgi/access/get-identity ->{"err":"could not retrieve identity"}

As the title says. When I try to get the identity of the current Gateway user I get the following response. Does anyone have an idea?
19 Replies
Louis
Louis9mo ago
@kian I saw a message from you about it. Do you maybe have the time to help or give me a hint what's wrong here? When I access teamname.cloudflareaccess.com/cdn-cgi/trace I get gateway=on warp=on, so it's not the split tunnel. I also tried the JWT from the cf-access-jwt-assertion and cookie headers, but neither worked.
Cyb3r-Jak3
Cyb3r-Jak39mo ago
Application token · Cloudflare Zero Trust docs
Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this:
Cyb3r-Jak3
Cyb3r-Jak39mo ago
You need to use the identity_nonce part of the JWT payload when making the request
Louis
Louis9mo ago
Ah, so I first have to "decode" the JWT and take the identity_nonce from the payload? @Cyb3r-Jok3 I just decoded the JWT payload and I don't have the identity_nonce field in it.
```json
{
"type": "app",
"aud": "*****************",
"exp": 1705126723,
"iss": "https://teamname.cloudflareaccess.com",
"iat": 1705040323,
"sub": ""
}
```
OK, after some testing: it works with applications where I have an allow/block policy. It doesn't work with Service Auth policies. Is there anything I have to change to get it working with service auth? TBH, I just need the email. And I can't use an Allow rule instead of the service auth because it's a REST API which is protected with it.
Cyb3r-Jak3
Cyb3r-Jak39mo ago
Service auth doesn’t have any identity information as it isn’t tied to a user.
Louis
Louis9mo ago
So there is no solution?
Cyb3r-Jak3
Cyb3r-Jak39mo ago
Yeah, if you are using service auth. What information would you want to get from it anyway?
Louis
Louis9mo ago
Email, at least. So currently I'm using Gateway and service auth to allow access to my REST API. Is there an alternative way which gives me the JWT with identity?
Cyb3r-Jak3
Cyb3r-Jak39mo ago
Does an allow rule work with service auth? Never done it, but it might work.
Louis
Louis9mo ago
I have a policy in the application with the type service auth. When I change it to allow, I need to log in and get redirected to the login page when I want to access my API.
Cyb3r-Jak3
Cyb3r-Jak39mo ago
I'll have to play around with it after work to see if I can get anything to work. You just want the service auth email, right?
Louis
Louis9mo ago
I want to use a service auth policy to log in users with Gateway, and in the app I somehow need the email of the user through Cloudflare. Thank you so much.
Cyb3r-Jak3
Cyb3r-Jak39mo ago
Wait, I'm confused. Service auth isn't for logging in other people but for allowing scripts to use Cloudflare. If you're calling it from a script you'd probably have to add a field to a JSON body or have a header that carries the email.
Louis
Louis9mo ago
Yeah, but there is also the service auth action in policies.
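The thread boils down to one check an origin can do before calling /cdn-cgi/access/get-identity: decode the Access JWT's payload and see whether it carries identity_nonce and a subject (a user token) or neither (a service-auth token, which has no identity to retrieve). The script below is an added example, not code from the thread or from Cloudflare. It assumes the token arrives either in the cf-access-jwt-assertion header (as named above) or in a cookie called CF_Authorization (my assumption for the cookie name), and the sample claims are constructed to match the payload shape shown in the thread; the email claim on the user token and the placeholder signature are likewise constructed. It only decodes claims and does not verify the JWS signature, which must be checked against the team's public keys before any claim is trusted.

```python
"""Inspect a Cloudflare Access application token (JWT) and decide whether
/cdn-cgi/access/get-identity can be expected to return an identity for it.

Added example, not from the thread. It decodes claims only; it does NOT
verify the signature. Verify the JWS against the team's public keys before
trusting any claim in production.
"""
import base64
import json
import time
from typing import Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> Dict:
    """Return the claims of a JWS compact serialization (header.payload.signature).
    The signature segment is ignored here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments, got %d" % len(parts))
    return json.loads(_b64url_decode(parts[1]))


def token_from_request(headers: Dict[str, str]) -> Optional[str]:
    """Locate the Access token on an incoming request.
    Assumption: the JWT is in the cf-access-jwt-assertion header (as in the
    thread) or, for browser traffic, in a cookie named CF_Authorization."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("cf-access-jwt-assertion"):
        return lowered["cf-access-jwt-assertion"]
    for part in lowered.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CF_Authorization" and value:
            return value
    return None


def classify_access_token(token: str, now: Optional[int] = None) -> Dict:
    """Classify a token as a user token or a service-auth token.

    Per the thread: a user token carries identity_nonce (what get-identity
    needs) and a subject; a service-auth token has an empty sub and no
    identity_nonce, so get-identity cannot return an identity for it."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    expired = int(claims.get("exp", 0)) <= now
    has_nonce = bool(claims.get("identity_nonce"))
    has_subject = bool(claims.get("sub"))
    kind = "user" if (has_nonce and has_subject) else "service"
    return {
        "kind": kind,
        "expired": expired,
        "issuer": claims.get("iss"),
        "get_identity_usable": kind == "user" and not expired,
        "email": claims.get("email"),  # assumed present only on user tokens
    }


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed JWT for the samples below. The signature segment is
    a placeholder; a real Access token is signed by Cloudflare."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".placeholder-signature"


# Constructed sample claims, shaped like the payload posted in the thread.
SERVICE_CLAIMS = {
    "type": "app", "aud": "aud-example", "exp": 1705126723,
    "iss": "https://teamname.cloudflareaccess.com", "iat": 1705040323, "sub": "",
}
USER_CLAIMS = {
    "type": "app", "aud": "aud-example", "exp": 1705126723,
    "iss": "https://teamname.cloudflareaccess.com", "iat": 1705040323,
    "sub": "user-id-example", "email": "alice@example.com",
    "identity_nonce": "nonce-example",
}
SERVICE_TOKEN = make_unsigned_token(SERVICE_CLAIMS)
USER_TOKEN = make_unsigned_token(USER_CLAIMS)

if __name__ == "__main__":
    samples = [
        ("service auth via header", {"cf-access-jwt-assertion": SERVICE_TOKEN}),
        ("user via cookie", {"Cookie": "foo=bar; CF_Authorization=" + USER_TOKEN}),
    ]
    for label, headers in samples:
        tok = token_from_request(headers)
        print(label, "->", classify_access_token(tok, now=1705040400))
```

Run it as-is to see the service-auth sample classified as "service" with get_identity_usable False and the user sample as "user". The expiry check uses exp from the decoded claims, so the same function also explains the case where get-identity stops working simply because the token has aged out rather than because the policy type is wrong.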