CD
Cloudflare Developers3mo ago
owls

'Invalid redirect URL' for Cloudflare Access on custom domain

Hello, I've been struggling using cloudflare access behind a custom domain (cname to pages subdomain), similar to https://discord.com/channels/595317990191398933/1100012325169274960/1100012325169274960. What I am doing is checking if a user is logged in: 
import { getIdentity } from "@cloudflare/pages-plugin-cloudflare-access/api";

...

const identity = await getIdentity({
                jwt: headers().get("Cf-Access-Jwt-Assertion")!,
                domain: "https://<pages subdomain>.cloudflareaccess.com",
        })
import { getIdentity } from "@cloudflare/pages-plugin-cloudflare-access/api";

...

const identity = await getIdentity({
                jwt: headers().get("Cf-Access-Jwt-Assertion")!,
                domain: "https://<pages subdomain>.cloudflareaccess.com",
        })
and if that fails, redirecting them to the access login page: 
import { generateLoginURL } from "@cloudflare/pages-plugin-cloudflare-access/api";

...

const loginURL = generateLoginURL({
            redirectURL: request.url,
            domain: "https://<pages subdomain>.cloudflareaccess.com",
            aud: "<aud>",
        });
        return NextResponse.redirect(loginURL);
import { generateLoginURL } from "@cloudflare/pages-plugin-cloudflare-access/api";

...

const loginURL = generateLoginURL({
            redirectURL: request.url,
            domain: "https://<pages subdomain>.cloudflareaccess.com",
            aud: "<aud>",
        });
        return NextResponse.redirect(loginURL);
This works well on the generated .pages.dev subdomains, but from my custom domain, I get a Invalid redirect URL access error page at the url https://<pages subdomain>.cloudflareaccess.com/cdn-cgi/access/login/<custom domain>?kid=<...>&redirect_url=%2F My Access application configuration does not include the custom domain (there is no way to set it) in the application domain list. I expect this might be related. I can't share the site per the post guidelines unfortunately, but happy to make a reproduction if desired. Appreciate the help debugging this or pointers to any alternatives if Access isn't meant to be used this way.
1 Reply
owls
owlsOP3mo ago
Figured it out. Turned out it had to be added to cloudflare dns. I was using route 53 (and am continuing to do so), but adding it to cloudflare (without nameserver update) lets the custom domain be used in the access application configuration.
Want results from more Discord servers?
Add your server