.../cdn-cgi/access/get-identity ->{"err":"could not retrieve identity"}
As the title says. When I try to get the identity of the current Gateway user I get the following response. Does anyone have an idea?
@kian I saw a message from you about it. Do you maybe have the time to help or give me a hint what's wrong here?
When I access teamname.cloudflareaccess.com/cdn-cgi/trace I get
gateway=on
warp=on
So it's not the split tunnel.
I also tried the JWT from the cf-access-jwt-assertion and cookie headers, but neither worked.
Are you following https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/application-token/#user-identity ?
You need to use the identity_nonce part of the JWT payload when making the request.
Ah, so I first have to "decode" the JWT and take the identity_nonce from the payload?
@Cyb3r-Jok3 I just decoded the JWT payload and I don't have the identity_nonce field in it.
OK, after some testing:
It works with applications where I have an Allow/Block policy.
It doesn't work with Service Auth policies.
Is there anything I have to change to get it working with Service Auth?
tbh I just need the email. And I can't use an Allow rule instead of the Service Auth because it's a REST API which is protected with it.
Service auth doesn’t have any identity information as it isn’t tied to a user.
So there is no solution?
Yeah, if you are using Service Auth. What information would you want to get from it anyway?
Email
At least
So currently I'm using Gateway and Service Auth to allow access to my REST API.
Is there an alternative way?
Which gives me the JWT with identity?
Does an allow rule work with service auth? Never done it but it might work
I have a policy in the application with the type Service Auth.
When I change it to Allow I need to log in and get redirected to the login page when I want to access my API.
I’ll have to play around with it after work to see if I can get anything to work. You just want the service auth email right?
I want to use a Service Auth policy to log in users with Gateway, and in the app I somehow need the email of the user through Cloudflare.
Thank you so much.
Wait I’m confused. Service auth isn’t for logging in other people but allowing scripts to use Cloudflare. If you’re calling it from a script you’d probably have to add a field to a JSON body or have a header that has the email.
Yeah, but there is also the Service Auth action in policies.
Like this:
With this configuration I completely skip the authentication when I'm using Gateway, which is essential to access the REST API.
Otherwise I get a 302 Moved -> login page of Access.
Here's a summary:
I have 2 services:
api.example.com -> Worker/Hono REST API
app.example.com -> Website on Cloudflare Pages
I want to add a security/login layer from Cloudflare. I want something like Zero Trust to sit between these 2 services and the end user and handle authentication. For the app I also need the e-mail address of the current user to send emails or something. Just to know who's who.
So I tried Cloudflare Zero Trust. I created an Application and added the 2 domains of the services to the Access Application.
At the beginning I first created a normal Allow policy for Access Group X. The problem with that is that I always get redirected to the login page and therefore can't access the REST API in my app and get errors because of the non-existing Authorization headers.
Then I tried a policy with the action "Service Auth" and set "Gateway" as required. Now I have the app protected by Zero Trust with the requirement to have Gateway enabled, which is perfect because the user just needs to activate the Gateway app and connect to access the application/worker. But now I still need the e-mail of the user. So I checked the JWT in the header. It didn't contain any identity data because it's a Service Auth. Also the get-identity endpoint didn't help.
When I use an Allow policy I have the identity of the user in the JWT.
Now I need a new idea how to protect the app without the problem of the non-existent identity header or the redirect error because Cloudflare routes my fetch request to the login page in the app.
So my 2 outgoings are:
A: Allow policy with identity info, but I can't access the REST API in my app because I'm not logged in with the "fetch" client.
B: Service Auth policy which lets me access the API only in Gateway (good) but without identity info.
@Cyb3r-Jok3 sorry for the spam, I just want to give as many details as possible.
Thanks for the info. Helps much more than no info.
So you need to rework how you access the API from the application to be able to use access in front of it as well. The way would be enabling CORS with the access application and configuring your website on Pages to forward the authorization cookies as a part of the fetch request. I do have a very basic example here: https://github.com/Cyb3r-Jak3/cf-example-cors-application/tree/main
Yeah, the problem with that is that I'm also running the web app as a mobile app. It's a Flutter app which is deployed on Android and web. Is there some library or something to handle the Zero Trust Access login on something like that?
Ah I don't use flutter so I'm not aware of any libraries.
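The check the replies above boil down to, as an added example that is not code from the thread or from Cloudflare: decode the payload of the JWT taken from the cf-access-jwt-assertion header and only call get-identity when it carries an identity (email plus identity_nonce); a token issued under a Service Auth policy has neither, so the call can only return the error in the title. The sample tokens, the helper names and the team domain are constructed for this example.

```javascript
// Added example, not code from the thread. Inspects a Cloudflare Access JWT
// (as sent in the cf-access-jwt-assertion header) and decides whether it is
// worth calling /cdn-cgi/access/get-identity with it. Payload decoding here is
// inspection only: a Worker must verify the signature against the team's
// public keys before trusting any claim.

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected header.payload.signature");
  // JWT segments are unpadded base64url; Node's Buffer decodes that directly.
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns { email, identityNonce } for a token issued under an Allow policy,
// or null for a Service Auth token, which carries no user identity at all.
function extractIdentity(token) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.email !== "string" || typeof payload.identity_nonce !== "string") {
    return null;
  }
  return { email: payload.email, identityNonce: payload.identity_nonce };
}

// Builds the get-identity request from the docs linked in the thread (token in the
// CF_Authorization cookie), or null when the token has no identity to look up.
function buildGetIdentityRequest(teamDomain, token) {
  if (extractIdentity(token) === null) return null;
  return {
    url: `https://${teamDomain}/cdn-cgi/access/get-identity`,
    headers: { Cookie: `CF_Authorization=${token}` },
  };
}

// Constructed sample tokens: real Access JWTs are RS256-signed; header and
// signature are placeholders here because only the payload is inspected.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}
const ISS = "https://teamname.cloudflareaccess.com";
const ALLOW_POLICY_TOKEN = makeUnsignedToken({
  iss: ISS, aud: ["example-app-aud"], email: "user@example.com", identity_nonce: "n0nc3",
});
const SERVICE_AUTH_TOKEN = makeUnsignedToken({ iss: ISS, aud: ["example-app-aud"] });

console.log(extractIdentity(ALLOW_POLICY_TOKEN)); // { email: 'user@example.com', identityNonce: 'n0nc3' }
console.log(buildGetIdentityRequest("teamname.cloudflareaccess.com", SERVICE_AUTH_TOKEN)); // null
```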