How are Access Service Token JWTs supposed to be used?
In the Zero Trust dashboard, each request using a Service Token shows up as a "Login". I assumed this was because perhaps I was using them wrong, so I tried just using the cookie (from an initial request) for subsequent requests and omitting the cf-access-client-id and cf-access-client-secret headers... but this returns a 401/403 (I don't recall which, because this was a week ago). I tried extracting the JWT from the cookie and using it in place of the cf-access-client-secret header, and a bunch of other things I thought might be the "correct way", but nothing worked. The documentation is pretty light on this topic, so I was wondering if I'm missing something. It's obviously not the end of the world having each request show up as a login... although I'd rather it didn't. But I'm just so confused, because the docs (https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/#connect-your-service-to-access) literally say: "If the service token is valid, Access generates a JWT scoped to the application. All subsequent requests with that JWT will succeed until the expiration of that JWT." But what does that even mean if there's no way of using the JWT for subsequent requests? I've scoured the web for answers, and found several posts/questions from people with the exact same question... and they never have any answer below them.
28 Replies
The JWT is sent to you via the CF_Authorization cookie, so any browser can automatically store that token and seamlessly use this feature. But on a server we don't have a cookie jar to automatically store the cookie, so you will have to manually extract and store it.
Assume that you have the domain example.com protected by Zero Trust; my approach is:
1. Make a GET request to example.com with the CF-Access-Client-Id and CF-Access-Client-Secret headers.
2. Extract the cookies from the Set-Cookie header returned by CF Access and get the CF_Authorization cookie. It will look like this:
(the result may differ depending on the settings of the Zero Trust application)
3. Store that cookie somewhere; in my case I store it in CF KV. Every time I request any resource on example.com, I append the cookie value acquired above to the Cookie header, even when sending the request from a server.
In the documentation it says that a CF_Authorization header can work too, but for some reason it does not work as expected, so I use the Cookie header approach, which simulates cookie sending like a browser.
That's the thing... I implemented a cookie jar, which is sending the cookie back to the endpoint... but it fails (401/403) 🙈
what's the error message?
I'll have to grab that code again and get back to you. This was a week ago, and I reached out on Twitter about it, and nobody responded 😛
I'm wondering if there's maybe some other config on the access app to make this work.
Unless you are a big enterprise, you are on your own XD. At least CF are kind enough to have this Discord server and respond to our requests on their help forum.
We don't have such luxury when we use AWS.
You have to add a policy whose action is set to Service Auth.
Yeah I have that setup. Ran into that issue a while back when first using Service Tokens haha 😛
Then under the "Assign a group" section, you have to choose a group which has your access token.
I'm just gonna try to replicate on my personal Cloudflare account now 🙂
You will need an access group which references a service token like this:
It has to be an access group? I can't just add it under "Create additional rules"?
then attach that group to a policy like this
I haven't tried that approach tho
OK so I've replicated it now. 1 second while I take some screenshots 😛
If you've added that token to an existing policy and it does not work, then I'm afraid that you will need to create a separate Service Auth policy.