Automatically authorize all Zero trust domains in an Application when one of them was authorized
Hi guys, currently my web and my R2 bucket domain are protected by the same Zero Trust Application, and that web frontend is using assets stored in the R2 bucket. But when the Zero Trust credential times out and users need to log in again, they always log in to the web. When it calls the R2 bucket domain, an error is returned. Users have to manually go to the R2 bucket domain to authorize access; only then can my web get assets from R2 normally again. Is there any way to simplify this step?
11 Replies
Combine the public hostnames for the application and the custom r2 domain to use the same access application.
Access applications share the same auth so if you are signed into a hostname that is in it then it will work on other hostnames in the application.
Thanks, I'm currently configuring my app and custom R2 domain to be in the same access application, but the inconvenience is, when I access my application, all assets served via the custom R2 domain cannot be accessed. I have to open another browser tab and manually go to the custom R2 domain to let CF verify my access (which only takes a few seconds and a redirect because I've been authorized before); only then can the assets on my app be fetched normally. It's kinda annoying to have more than 1 domain behind Zero Trust, since I have to manually go to each domain to verify the access.
Eg:
I have a web page on domain A, which has assets served by domain B (a custom R2 domain). When I go to domain A (after I finished Zero Trust authorization), all assets served by domain B are still forbidden. I have to go to domain B on another tab to manually authorize access on domain B (which is just a redirect); only then can all assets on domain B be seen on domain A's web page.
If both domain A and domain B are under the same access application then I don’t believe that should happen
mine is having that issue...
did i misconfigure anything?
It seems like CF_authorization cookies cannot be shared between domains
the point is the access verification is OK, i only need to enter OTP once when I visit domain A
Oh like example1.com and example2.com?
yeah... domain B is the sub domain of domain A
if domain A is "example.com" then domain B is "video.example.com"
I think that should work. I’ll test it out later to see if I can get it to work.
Are you by chance getting CORS errors?
I have https://github.com/Cyb3r-Jak3/cf-example-cors-application which does work
thank you, i will try it out
I've tried on Chrome and Safari, it seems like it's a Safari problem. Safari has followed the redirects but finally returns a login page, which is the first page in the redirect chain
Oh I’m wondering if it’s Safari’s cross site cookie protection
In front end it shows like this
:NotLikeThis: Maybe it's an AdGuard problem
nvm, i turned it off
oh yeah, it's safari's cross site cookie protection
turned it off and it works correctly now
thanks