Cloudflare Developers•3y ago

No, I mean that it can consume OAuth/OiDC, but it can’t be a server

No, I mean that it can consume OAuth/OiDC, but it can’t be a server

Hello, I’m Allie!OP•7/4/23, 3:32 PM

Whether in a Worker or not

HHello, I’m Allie!No, I mean that it can **consume** OAuth/OiDC, but it can’t be a server

dave•7/4/23, 3:33 PM

Ahhhh yes, sorry. I started to implement my own OAuth 2.0 server for Google Assistant, but temporarily abandoned it after realizing Google sunset the functionality we wanted.

F0rce•7/4/23, 4:43 PM

can I ask a question about Cloudflare Zero Trust (especially Access) in here ?

Erisa•7/4/23, 4:44 PM

yes: here, #general-help or https://community.cloudflare.com all are fine

F0rce•7/4/23, 4:45 PM

ok I want to secure our staging API with Cloudflare Access. I thought that the Service Token is the exact correct way to do so. Only if the Client-ID & Client-Secret are present (and valid) the API request should go through. But I always get redirected to the Login Page, where the API calls are not doing anything...

Erisa•7/4/23, 4:53 PM

you need to set the action for the policy to Service Token rather than Allow

Erisa•7/4/23, 4:53 PM

if you haven't already

Smarter•7/4/23, 5:10 PM

Is there a Discord channel for Cloudflared/Tunnels where discussions would be appropriate?

James•7/4/23, 5:11 PM

There's not, but you're free to ask here, #general-help, or https://community.cloudflare.com/. The ZT team hang out more directly on the forum rather than Discord, but there's a tonne of smart community folks here who'd be happy to help

dave•7/4/23, 5:11 PM

Is it possible to use CF email routing/forwarding with DMARC management?

EErisa you need to set the action for the policy to Service Token rather than Allow

F0rce•7/4/23, 5:14 PM

ahhhh thats what I completely missed. I had it on allow. Thank you very much

Ddave Is it possible to use CF email routing/forwarding with DMARC management?

dave•7/4/23, 5:15 PM

Doesn’t seem like I can verify the destination address.

SShayan Question about caching, say I have a subdomain on my domain (a.example.com) prox...

Unsmart•7/4/23, 9:44 PM

You can use cache rules on the a.example.com zone that target b.domain.com but you wouldn’t be able to create the cache rules on the b.domain.com zone unless you turned on the proxy

dave•7/4/23, 11:46 PM

What API token permissions do I need for this? https://developers.cloudflare.com/api/operations/email-routing-settings-enable-email-routing

Cloudflare API Documentation

Interact with Cloudflare's products and services via the Cloudflare API

dave•7/4/23, 11:47 PM

Zone SettingsZone Settings = EditEdit?

Ddave What API token permissions do I need for this? https://developers.cloudflare.com...

Cyb3r-Jak3•7/4/23, 11:57 PM

Account:Email Routing:EditAccount:Email Routing:Edit

CCyb3r-Jak3 `Account:Email Routing:Edit`

dave•7/4/23, 11:58 PM

isn't that even more permission than zone settings?

Ddave isn't that even more permission than zone settings?

Cyb3r-Jak3•7/5/23, 12:01 AM

Oh sorry you are using routing rules not addresses. Zone:Email Routing Rules:EditZone:Email Routing Rules:Edit

CCyb3r-Jak3 Oh sorry you are using routing rules not addresses. `Zone:Email Routing Rules:Ed...

dave•7/5/23, 12:12 AM

yeah that's what I had initially, not enough to enable it oddly

dave•7/5/23, 12:13 AM

you can add rules with just that permission, but not enable it

dave•7/5/23, 1:50 AM

Is there a proper team to ask bout API token permissions?

dave•7/5/23, 1:50 AM

the docs seem.. wrong?

dave•7/5/23, 1:50 AM

https://developers.cloudflare.com/rules/url-forwarding/single-redirects/create-api/

dave•7/5/23, 1:59 AM

figured it out by brute force, you need the transform permission too at the zone level

NothingBad•7/5/23, 5:24 AM

I'm building a Saas app that use Spectrum(tcp), worker for platform. These requires enterprise so I contact sales. Holy, I need pay 3000$-5000$ in order to use that two feature. The sales say with enterprise plan you get bla bla bla, but I don't need a lot other stuff. Should I just look up other alternatives?

NNothingBad I'm building a Saas app that use Spectrum(tcp), worker for platform. These requi...

Hello, I’m Allie!OP•7/5/23, 5:26 AM

IIRC, the team is working on opening WfP to non-Ent at some point, so that's something

Hello, I’m Allie!OP•7/5/23, 5:26 AM

Though I wouldn't expect that Spectrum will go non-Ent for a more reasonable price in the near future

Hello, I’m Allie!OP•7/5/23, 5:26 AM

So if that is a hard requirement, then might want to look somewhere else, at least for that

HHello, I’m Allie!So if that is a hard requirement, then might want to look somewhere else, at lea...

NothingBad•7/5/23, 5:31 AM

DDos protection and layer4 balance(with anycast ip) is the hard requirement, but I feel it doesn't worth pay 3000$ just for use the service

NNothingBad I'm building a Saas app that use Spectrum(tcp), worker for platform. These requi...

jb•7/5/23, 5:32 AM

there is no such thing as "just spectrum" (for better or worse). it's a part of an offering that requires a bunch of other products/services to work as well.

jb•7/5/23, 5:32 AM

the model isn't great for one off usage, as you've found here, but there are alot of other factors that come into play with it.

NNothingBad DDos protection and layer4 balance(with anycast ip) is the hard requirement, but...

Hello, I’m Allie!OP•7/5/23, 5:36 AM

I'm wondering, would it be possible for you to do it at the DC level? As an example, Hetzner has pretty good DDoS protection, and they provide load balancers which are substantially cheaper.

HHello, I’m Allie!I'm wondering, would it be possible for you to do it at the DC level? As an exam...

NothingBad•7/5/23, 5:42 AM

well... cloudflare have the advantage of larget networks(the saas app is latency sensitive). The spectrum price is ok for me, the pain is enterprise only

lokiwind•7/5/23, 7:03 AM

Hello, I have 10+ domains on openprovider and I want to add these domains to my cloudflare account, but the openprovider administration panel is very complicated. How do I change NS information

lokiwind•7/5/23, 7:05 AM

lokiwind•7/5/23, 7:07 AM

when I click on the open dns zone button this page opens but I cannot edit the ns information, I can only add new dns records

lokiwind•7/5/23, 7:07 AM

lokiwind•7/5/23, 7:09 AM

I wonder if I will do cloudflare ns redirection from here?

Llokiwind I wonder if I will do cloudflare ns redirection from here?

aaaaaaaaaaaaaaaaa•7/5/23, 9:36 AM

That looks like the location you might add Cloudflare’s nameservers. Some providers make you add NS records to your DNS then delete the other ones.

Tristan•7/5/23, 10:45 AM

Hey, when is the Carbon report is going to be available for 2022 ? we're mid 2023

Aaaaaaaaaaaaaaaaaa Pre-warning Microsoft are merging Azure AD B2C with another product at the momen...

Old Man Maker•7/5/23, 11:46 AM

All a bit of a mess over there.... Cheers @Josh

Ddave figured it out by brute force, you need the transform permission too at the zone...

digitalpoint•7/5/23, 3:30 PM

There's a lot of weird stuff with the API permissions. Like managing the Crawl Hints setting requires Zone.Zone Settings: ReadZone.Zone Settings: Read to read it, but then a completely different permission to write... Zone.Zone: EditZone.Zone: Edit. Not even sure what Zone.ZoneZone.Zone means considering there's already a different Zone.Zone SettingsZone.Zone Settings permission.

To make it more fun, the API docs don't tell you what permission is required for calls, authentication errors don't tell you which permission is needed either. Figuring out the right permission scope for a token is sometimes a trial and error process that takes longer than making the underlying code to do whatever you are trying to do.

Token permissions are not Cloudflare's strongpoint.

dave•7/5/23, 4:12 PM

How can I find out which Worker triggered a edgeWorkerFetch?

dave•7/5/23, 4:13 PM

  "WorkerCPUTime": 0,
  "WorkerStatus": "unknown",
  "WorkerSubrequest": true,
  "WorkerSubrequestCount": 0,
  "WorkerWallTimeUs": 0,

  "WorkerCPUTime": 0,
  "WorkerStatus": "unknown",
  "WorkerSubrequest": true,
  "WorkerSubrequestCount": 0,
  "WorkerWallTimeUs": 0,

Erisa•7/5/23, 4:25 PM

Good question

Erisa•7/5/23, 4:25 PM

I know theres ParentRayIDParentRayID which points you to the request that triggered it

No, I mean that it can consume OAuth/OiDC, but it can’t be a server

Similar Threads

Similar Threads

Similar Threads