mutatedllama
Cloudflare Developers
Created by mutatedllama on 10/6/2024 in #general-help
I feel like I'm going mental. JWTs are not allowing access despite me following every doc
So I am running a dockerised application with cloudflared + tunnel + access to host this application at https://myapp.mywebsite.com
I got everything up and running and it worked - I could access this page fine.
I've then been trying to use Zero Trust with service tokens to access it programmatically. I've followed the docs here: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
I send my first request
curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com
and access the page fine so I know it is working.
However, I then try to send subsequent requests and constantly encounter 401 Unauthorized errors.
I have tried the following:
1. curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com
2. curl -H "cf-access-token: <CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com
3. curl --cookie "CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com
I have tried from the command line using the above, from Postman with different variations of JWT auth (including the above and more), and by setting the cookie in the browser and visiting the page. I've tried with <CF_AUTHORIZATION_COOKIE> being just the JWT string or mimicking the exact contents of the Set-Cookie response header.
Every single try is met with a 401 Unauthorized.
I've checked my JWT on jwt.io and all fields are expected.
I've regularly been checking access using the CLIENT_ID and CLIENT_SECRET and it always works.
In my Zero Trust -> Access -> Applications -> Policies I have the following set up:
1. Service token. Action = SERVICE AUTH
2. JWT. Action = ALLOW. Include Selectors "Service Token" with value my-only-service-token and "Any Access Service Token" with value "Any non expired Service Token will be matched".
What on earth is going on here? I've been trying this for hours and I'm tearing my hair out. It shouldn't be this difficult.
4 replies
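Added example, not code from the original post or from Cloudflare: a small Python helper for the two-step flow the post describes. It pulls the CF_Authorization JWT out of the Set-Cookie header returned when the Client ID/Secret request succeeds, decodes its claims offline the way jwt.io does, checks the claims an Access service-token JWT is documented to carry (exp, nbf, aud with the application's AUD tag, iss with the team domain, common_name) against the values you expect, and builds the headers for the follow-up request, either the cf-access-token header or the CF_Authorization cookie. The team domain, AUD tag, Client ID and the sample token are constructed placeholders, and the sample token's signature is a placeholder too: this inspects claims only and does not verify the signature, which an application must do against the team's /cdn-cgi/access/certs endpoint before trusting the token.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_cf_authorization(set_cookie: str):
    """Return the JWT from a 'Set-Cookie: CF_Authorization=...' header value,
    or None if the header is for some other cookie."""
    name, sep, rest = set_cookie.partition("=")
    if not sep or name.strip() != "CF_Authorization":
        return None
    return rest.split(";", 1)[0].strip()


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims). This does NOT verify the
    signature; it is the same view jwt.io gives you."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_service_token_claims(claims: dict, expected_aud: str,
                               team_domain: str, now=None):
    """Return a list of problems (empty list = claims look right for this app).
    Claim names follow Cloudflare's documented Access JWT payload; the
    common_name check assumes the token was minted for a service token."""
    now = time.time() if now is None else now
    problems = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp: token is expired or has no exp claim")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        problems.append("nbf: token is not valid yet (clock skew?)")
    aud = claims.get("aud", [])
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud: does not contain this application's AUD tag")
    if claims.get("iss") != f"https://{team_domain}":
        problems.append("iss: not issued by the expected team domain")
    if not claims.get("common_name"):
        problems.append("common_name: missing, so this was not minted for a service token")
    return problems


def reuse_headers(jwt: str, as_cookie: bool = False) -> dict:
    """Headers for a follow-up request that presents the JWT instead of the
    Client ID/Secret pair: either the cf-access-token header or the cookie."""
    if as_cookie:
        return {"Cookie": f"CF_Authorization={jwt}"}
    return {"cf-access-token": jwt}


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED sample only. Real CF_Authorization tokens are RS256-signed
    by Cloudflare and must be verified against
    https://<team>.cloudflareaccess.com/cdn-cgi/access/certs before an
    application trusts them; the signature here is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-not-a-real-signature"),
    ])


if __name__ == "__main__":
    # Assumed values: team domain, AUD tag and Client ID are placeholders.
    now = int(time.time())
    sample_claims = {
        "aud": ["0123456789abcdef0123456789abcdef01234567"],
        "iss": "https://myteam.cloudflareaccess.com",
        "iat": now - 60, "nbf": now - 60, "exp": now + 3600,
        "type": "app",
        "common_name": "0123456789abcdef0123456789abcdef.access",
    }
    set_cookie = ("CF_Authorization=" + make_sample_token(sample_claims)
                  + "; Path=/; Secure; HttpOnly")
    jwt = extract_cf_authorization(set_cookie)
    header, claims = decode_jwt(jwt)
    print(header["alg"], check_service_token_claims(
        claims, sample_claims["aud"][0], "myteam.cloudflareaccess.com") or "claims OK")
    print(reuse_headers(jwt))
```

Run it against a real token by replacing the constructed Set-Cookie string with the header value captured from the successful Client ID/Secret request, and the AUD tag and team domain with the ones shown for the application in Zero Trust. Because the checker uses the wall clock by default, an `exp:` problem on a token that jwt.io shows as well-formed points at the token's lifetime rather than its shape.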