Cloudflare Developers
Created by owls on 9/9/2024 in #pages-help
'Invalid redirect URL' for Cloudflare Access on custom domain
Hello, I've been struggling to use Cloudflare Access behind a custom domain (CNAME to the Pages subdomain), similar to https://discord.com/channels/595317990191398933/1100012325169274960/1100012325169274960. What I am doing is checking if a user is logged in:
```ts
import { getIdentity } from "@cloudflare/pages-plugin-cloudflare-access/api";

// ...

const identity = await getIdentity({
  jwt: headers().get("Cf-Access-Jwt-Assertion")!,
  domain: "https://<pages subdomain>.cloudflareaccess.com",
})
```
and if that fails, redirecting them to the access login page:
```ts
import { generateLoginURL } from "@cloudflare/pages-plugin-cloudflare-access/api";

// ...

const loginURL = generateLoginURL({
  redirectURL: request.url,
  domain: "https://<pages subdomain>.cloudflareaccess.com",
  aud: "<aud>",
});
return NextResponse.redirect(loginURL);
```
This works well on the generated .pages.dev subdomains, but from my custom domain, I get an "Invalid redirect URL" Access error page at the URL https://<pages subdomain>.cloudflareaccess.com/cdn-cgi/access/login/<custom domain>?kid=<...>&redirect_url=%2F

My Access application configuration does not include the custom domain in the application domain list (there is no way to set it). I expect this might be related.

I can't share the site per the post guidelines unfortunately, but I'm happy to make a reproduction if desired. I'd appreciate help debugging this, or pointers to any alternatives if Access isn't meant to be used this way.
2 replies
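A diagnostic for the login URL shape quoted in the post, added here as an example; it is not part of the original post or of the Cloudflare plugin. It assumes, as the post suspects, that the host in the login path has to be one of the Access application's domains; `APP_DOMAINS`, the team hostname and every other hostname are constructed placeholders, and the wildcard matching is a simplification.

```javascript
// Constructed sample values: stand-ins for the domains listed on the
// Access application. None of these hostnames come from the post.
const APP_DOMAINS = ["demo-site.pages.dev", "*.demo-site.pages.dev"];

// True when host equals a listed domain or falls under a "*." wildcard entry.
function hostCovered(host, patterns) {
  const h = host.toLowerCase();
  return patterns.some((p) => {
    const pat = p.toLowerCase();
    if (pat.startsWith("*.")) {
      const suffix = pat.slice(1); // ".demo-site.pages.dev"
      return h.endsWith(suffix) && h.length > suffix.length;
    }
    return h === pat;
  });
}

// Pull apart a URL of the form
//   https://<team>.cloudflareaccess.com/cdn-cgi/access/login/<host>?kid=...&redirect_url=...
// and report what a defender would want to check before redirecting to it.
function checkLoginURL(loginURL, patterns) {
  const url = new URL(loginURL);
  const match = url.pathname.match(/^\/cdn-cgi\/access\/login\/([^/]+)$/);
  if (!match) {
    return { host: null, redirect: null, problems: ["not an Access login URL"] };
  }
  const host = decodeURIComponent(match[1]);
  const redirect = url.searchParams.get("redirect_url") || "";
  const problems = [];
  if (!hostCovered(host, patterns)) {
    problems.push(`host ${host} is not in the application domains`);
  }
  // Accept only a local path: one leading "/", never "//" or "/\" (which
  // browsers can treat as the start of another host).
  if (!/^\/(?![\/\\])/.test(redirect)) {
    problems.push("redirect_url is not a same-site path");
  }
  return { host, redirect, problems };
}

// Constructed inputs: a custom-domain request and a pages.dev preview request.
const base = "https://team.cloudflareaccess.com/cdn-cgi/access/login/";
console.log(checkLoginURL(base + "www.example.org?kid=AUD&redirect_url=%2F", APP_DOMAINS));
console.log(checkLoginURL(base + "abc123.demo-site.pages.dev?kid=AUD&redirect_url=%2Fdash", APP_DOMAINS));
```

Running the same check on the URL your middleware is about to redirect to, before returning the redirect, shows whether the host segment was taken from a hostname the application does not list.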