I feel like I'm going mental. JWTs are not allowing access despite me following every doc
So I am running a dockerised application with cloudflared + tunnel + access to host this application at https://myapp.mywebsite.com
I got everything up and running and it worked - I could access this page fine.
I've then been trying to use Zero Trust with service tokens to access it programmatically. I've followed the docs here: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
I send my first request
curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com
and access the page fine so I know it is working.
However, I then try and send subsequent requests and am constantly encountering 401 not authorised errors.
I have tried the following:
1. curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com
2. curl -H "cf-access-token=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com
3. curl --cookie "CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com
I have tried from the command line using the above, from Postman with different variations of JWT auth (including the above and more) and setting the cookie in the browser and visiting the page. I've tried with <CF_AUTHORIZATION_COOKIE> being just the JWT string or mimicking the exact contents of the set-cookie response.
Every single try is met with a 401 unauthorized.
I've checked my JWT on jwt.io and all fields are expected.
I've regularly been checking access using the CLIENT_ID and CLIENT_SECRET and it always works.
In my Zero Trust -> Access -> Applications -> Policies I have the following set up:
1. Service token. Action = SERVICE AUTH
2. JWT. Action = ALLOW. Include Selectors "Service Token" with value my-only-service-token and "Any Access Service Token" with value "Any non expired Service Token will be matched".
What on earth is going on here? I've been trying this for hours and I'm tearing my hair out. It shouldn't be this difficult.
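The two-step flow the post describes (service-token headers on the first request, then replaying the CF_Authorization cookie Access sets), as an added example that is not code from this thread or from Cloudflare. The hostname, token values and the JWT below are constructed placeholders; the claim decode is for diagnosing an expired cookie only, not a trust decision.

```python
"""Cloudflare Access service-token flow: headers once, then the CF_Authorization cookie."""
import base64
import json
import time
from http.cookies import SimpleCookie
from typing import Optional
from urllib.request import HTTPCookieProcessor, Request, build_opener

COOKIE_NAME = "CF_Authorization"


def cookie_from_set_cookie(set_cookie_header: str) -> Optional[str]:
    """Pull the CF_Authorization value out of a raw Set-Cookie header line."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only;
    an origin must verify the token against the team's public keys before trusting it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def cookie_is_usable(token: str, now: Optional[float] = None) -> bool:
    """True while the cookie's JWT has not passed its 'exp' claim."""
    return (now if now is not None else time.time()) < jwt_claims(token).get("exp", 0)


def fetch_with_service_token(url: str, client_id: str, client_secret: str):
    """Live flow: first request carries the token headers, second reuses only the cookie."""
    opener = build_opener(HTTPCookieProcessor())  # stores CF_Authorization from Set-Cookie
    first = Request(url, headers={"CF-Access-Client-Id": client_id,
                                  "CF-Access-Client-Secret": client_secret})
    with opener.open(first) as resp:
        first_body = resp.read()
    with opener.open(Request(url)) as resp:  # no headers: only the stored cookie is sent
        return first_body, resp.read()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (header.payload.dummy-signature) for offline checks."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummysig"


# Constructed sample values, not a real Access response.
SAMPLE_JWT = make_unsigned_jwt({"aud": ["placeholder-aud"], "iat": 4102441200,
                                "exp": 4102444800, "common_name": "placeholder-token-id"})
SAMPLE_SET_COOKIE = f"{COOKIE_NAME}={SAMPLE_JWT}; Path=/; HttpOnly; Secure"
```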
That's an interesting one, I can reproduce that if I only have an Allow policy and not a service auth one as well. I'd try changing the Allow one to being the same specificness also allowing all tokens, saving policy, saving application, give it a min to propagate and then try. Doing Service Auth Policy then Allow works fine for me both with the headers and using the cookie.
Could also just go Service Auth and pass the headers each time
Thanks for your response. That's strange. If I have just the Allow then the initial request for the JWT doesn't work. It doesn't return the usual page contents (only a 301 Found) and doesn't provide a set-cookie response.
I am going to recreate these and try again. Attached are some pics that show my new setup. Does this look how you would expect?

I just allowed all service tokens rather than a specific one, but other than that, that looks sane yea